Is Forcing Apple to Bypass Its Own Security Technology “Unreasonably Burdensome”?

Bloomberg Law®, an integrated legal research and business intelligence solution, combines trusted news and analysis with cutting-edge technology to provide legal professionals tools to be...

By Fernando M. Pinguelo and Mason A. Barney

Fernando M. Pinguelo (CIPP/US), a Partner and Chair of Scarinci Hollenbeck, LLC's Cyber Security & Data Protection group, is a trial lawyer who devotes his practice to complex business disputes with an emphasis on cyber and data privacy law. He serves as national coordinating counsel for Brazil's premier cyberlaw firm where he handles Brazilian-based matters in the U.S. To learn more, visit http://www.scarincihollenbeck.com.

Mason A. Barney is an associate at Olshan Frome Wolosky LLP whose practice focuses on complex commercial litigation with a concentration on cyber law and technology issues. To learn more, visit http://www.olshanlaw.com/.

For the last several years, Apple Inc. (“Apple”) and the FBI have been locked in a disagreement regarding encrypted data.

Roots in Snowden Affair

In 2014, Apple introduced iOS 8 in the wake of the Edward Snowden affair. Apple chose to offer its customers the ability to automatically encrypt all of the data on their iPhones. Apple has made this feature a selling point for its phones, asserting that it protects customers from hackers.

However, the FBI has argued that the new security and encryption protocols threaten its ability to investigate crime and terrorism.

The FBI's concern has been simmering in political circles, but Congress has chosen not to act. In the absence of Congressional action, the FBI has turned to the courts, asserting that courts can use the centuries old All Writs Act to compel Apple to circumvent its encryption features.

One such case that has been playing out in recent months in the Eastern District of New York is In re Order Requiring Apple, Inc. to Assist in the Execution of a Search Warrant Issued by this Court, No. 15MISC1902 (E.D.N.Y.). There the court sua sponte raised a number of concerns regarding the FBI's use of the All Writs Act to effect a policy change that Congress has so far not seen fit to address.

Ideal Test Case?

But now the FBI may have the ideal test case on encryption. On December 3, 2015, the government obtained a warrant to search the contents of Syed Farook's car, which included his iPhone 5C. Farook had just died after perpetrating the heinous shootings in San Bernardino, California.

On February 16, 2016, the FBI asked the court to order Apple to assist it in circumventing the encryption on Farook's phone. As reported in numerous media outlets, that same day U.S. Magistrate Judge Sheri Pym signed an order, pursuant to the All Writs Act, that ordered Apple to comply with the government's request. Matter of Search of an Apple Iphone Seized During Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203, No. ED 15-0451M, 2016 BL 48408, at *1 (C.D. Cal. Feb. 16, 2016) (the “Order” and generally the “San Bernardino Case”).

A Unique Order

The San Bernardino Case has garnered substantial attention, not only because of the terrorism aspect, but also because it is the first time that a court has ordered Apple to assist with bypassing the security on a phone running the iOS 8 or later operating system.

Apple immediately stated publicly that it will oppose the Order, asserting that the Order will dramatically affect the security of its iPhones and the public's perception of Apple's products.

In response, on Feb. 19, the government filed a motion to compel Apple's compliance with the Order. It argued that Apple's concerns about its marketing and the public policy implications of the Order are not valid objections to an order under the All Writs Act. But the government cites no case that expressly supported this argument.

Further, as the Eastern District case shows, Apple may have some support for its claim that the Order's wider implications on Apple's business and the public generally should be considered.


The government is asking Apple to create software that allows it to unlock the phone through a “brute force” attack, something that Apple has up to now intentionally tried to prevent
hackers from doing.


Background

In its Feb. 16 filing, the government claimed that despite its warrant and significant efforts to access the contents of the iPhone, it has been unable to do so because the phone's operating system is impenetrable due to encryption.

Typically, FBI techniques to penetrate encryption include the use of “brute force” attacks, where it uses a computer to impute all 10,000 possible combinations for the passcode. This is a common hacking technique, and one against which Apple has created safeguards. For example, an iPhone automatically erases its contents if the user were to input the wrong passcode 10 times in a row.

The government made its Feb. 16 motion ex parte. It asked Judge Pym for an order pursuant to the All Writs Act, 28 U.S.C. §1651 compelling Apple to (1) “bypass or disable the auto-erase function”; (2) “enable the FBI to submit passcodes” to the iPhone automatically (i.e., without physically typing in the passcode); and (3) remove the delay that the iPhone requires between passcode attempts.

In short, the government is asking Apple to create software that allows it to unlock the phone through a “brute force” attack, something that Apple has up to now intentionally tried to prevent hackers from doing.

Judge Pym signed the government's three-page proposed order without hearing from Apple. But she gave Apple five days within which to object to the order.

All Writs Act Factors

1. Targeted company not “so far removed from the underlying controversy that its assistance could not be permissibly compelled.”

2. Order does not place “unreasonable burdens” on the targeted company.

3. Company's involvementis “essential to the fulfillment of the purpose … for which … [the] order had been issued.”

The Government's Legal Arguments

The All Writs Act provides: “The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” 28 U.S.C. §1651(a).

In its brief to Judge Pym, the government relied on United States v. New York Tel. Co., 434 U.S. 159, 171 (1977), where the Supreme Court held the Act allowed the district court to compel the New York Telephone Company to install a pen register to effectuate a search warrant. That case set out a three-factor test for when a court can issue an order under the All Writs Act.

First, the court must find that the targeted company is not “so far removed from the underlying controversy that its assistance could not be permissibly compelled.” New York Tel. Co., 434 U.S. at 175. The government argued that Apple, as the manufacturer of both the hardware and software on the phone, and as the licensor of the operating system, falls within this factor.

Second, the court's order may not place “unreasonable burdens” on the targeted company. Id. at 172. On this point, the government cited Application of U. S. of Am. for an Order Authorizing an In-Progress Trace of Wire Communications over Tel. Facilities, 616 F.2d 1122 (9th Cir. 1980), in which the Ninth Circuit affirmed an order that required a telephone company to trace certain calls, finding that the order was not unduly burdensome because it was “extremely narrow in scope” and could be implemented “with a minimum of interference to the telephone service.” Id. at 1132 (internal quotations omitted). According to the government, because Apple writes software code as part of its regular business, and its request is limited to a single iPhone, it will not be an unreasonable burden for Apple to accommodate the government's request.

Third, the targeted company's involvement must be “essential to the fulfillment of the purpose … for which … [the] order had been issued.” New York Tel. Co., 434 U.S. at 175. The government argued that it has been unable to otherwise obtain the critical information held on the iPhone.

The government asserted that neither it nor Apple knew of any way to access the information on the iPhone without Apple creating the kind of workaround the government is seeking.

Apple's Response

As noted, in a letter issued the same day as the court's Order, Apple stated that it intends to challenge it.1

Apple acknowledged that it has cooperated with the government in the investigation and conceded that the “FBI's intentions are good.”

But Apple's CEO Tim Cook wrote that the company felt it needed to challenge the order because “[t]he government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers[.]” Cook said that “[i]n the wrong hands, th[e] software the government is asking Apple to create--which does not exist today--would have the potential to unlock any iPhone in someone's physical possession.”

Cook asserted that this type of “backdoor” to an iPhone's data represented a threat to all of its customer's data security. “Once created, the technique could be used over and over again, on any number of devices.” As a result, “[t]he implications of the government's demands are chilling” and in Apple's view the Order could set a “[d]angerous [p]recedent” if it is not reversed.

The Government's Motion to Compel

In response to Apple's public letter, the government moved Feb. 19 to compel Apple's compliance with Magistrate Judge Pym's Order. The government focused most of its argument on refuting Apple's assertion that the Order created an unreasonable burden and a “chilling” effect.

In contrast to Apple's letter, which casts the Order as potentially affecting security on all of its iPhones, the government stressed the Order affects only Farook's iPhone.

Apple's assertion that the Order will create a “backdoor” or a “hack” are “unwarranted and inaccurate characterizations” because “Apple may maintain custody of the software [it creates to bypass the security features], destroy it after its purpose under the Order has been served, refuse to disseminate it outside of Apple, and make clear to the world that it does not apply to other devices or users without lawful court orders.”


“In the wrong hands, the software the government is asking Apple to create--which does not exist today--would have the potential to unlock any iPhone in someone's physical possession.”
--Tim Cook, Apple CEO


The government further asserted that Apple's claims that the court order would affect the company's “marketing strategies” or would subject the company to criticism “do not establish an undue burden.”

In this regard it claims that “the burden associated with compliance with legal process is measured based on the direct costs of compliance, not on other more general considerations about reputation or the ramifications of compliance.”

Asking a software company to modify its own software does not involve much direct cost from a technical or man-power standpoint, and thus, the Order is not unreasonably burdensome, according to the government.

The government cited to two cases to support this point. In re XXX, Inc., No. 14 MAG. 2258, 2014 BL 308860 (S.D.N.Y. Oct. 31, 2014), is another iPhone encryption case--though there the iPhone was running an earlier version of the iOS that did not have the same encryption technology present on Mr. Farook's iPhone. The Southern District of New York stated that “[c]ase law reflects that orders providing technical assistance of the kind sought here are often not deemed to be burdensome.” Id. (citing several cases from the late 1970s and early 1980s dealing with the production of credit card records and installation of wire tracing equipment for land-line phones).

United States v. Li, 55 F.3d 325, 329 (7th Cir. 1995), is the other case relied on by the government. There, the Fifth Circuit upheld the use of the All Writs Act to compel a defendant to produce handwriting samples, even though doing so could subject him to criminal sanctions.

These cases, however, do not address the government's assertion that “marketing or general policy concerns are not legally cognizable objections to the Order.” In fact, the government cited no cases that directly address either of these concerns.

Prior Cases

The FBI's interest in gaining access to Farook's iPhone is not an isolated request. Up until 2015, Apple cooperated with law enforcement officials to unlock iPhones.

In many of these cases the government obtained orders under the All Writs Act without Apple's objection. See, e.g., In re XXX, Inc., No. 14 MAG. 2258, 2014 BL 308860 (S.D.N.Y. Oct. 31, 2014); United States v. Navarro, No. 13-CR-5525 (W.D. Wa. 2013); United States v. Jansen, No. 08-CR-753 (N.D.N.Y. 2010). But, in each of those cases, the phone was running an older version the iOS operating system.

Despite this history, in October 2015, Magistrate Judge Orenstein in the Eastern District of New York sua sponte raised a number of concerns about the government's request for Apple's help to unlock an iPhone belonging to a drug dealer. Judge Orenstein refused to grant the request without first hearing from Apple. In re Order Requiring Apple, Inc. to Assist in the Execution of a Search Warrant Issued by this Court, No. 15MISC1902, 2015 BL 335164, at *1 (E.D.N.Y. Oct. 9, 2015).

Judge Orenstein disagreed with the government's assertion that its request was not an unreasonable burden because it was limited to a single iPhone. Id. at *4. He expressly disagreed with the conclusion reached in In re XXX, Inc. “that the burden of compliance for the private actor at issue was limited to the physical demands and immediate monetary costs of compliance.” 2015 BL 335164, at *7.

Judge Orenstein pointed out that “[t]he decision to allow consumers to encrypt their devices in such a way that would be resistant to ready law enforcement access was likely one that Apple did not make in haste, or without significant consideration[.]” Apple may have been persuaded that it was a better business decision to include such encryptions. Judge Orenstein said he “cannot assume that forcing it to modify that decision would not impose an unreasonable burden” without input from Apple on the issue.

Following Judge Orenstein's October 2015 order, the government submitted a “reply” brief where it made many of the same arguments concerning Apple's potential burden that the government would later raise in the San Bernadino Case. The court then held oral argument where, in addition to the burden issue, it raised the question of whether Apple could make a “conscientious objection” to an order under the All Writs Act, analogizing it to death penalty cases where individuals some times refuse to follow court orders based on their sincerely held belief that the death penalty is wrong.

Current Posture

The government's motion is still sub judice before Judge Orenstein. But on Feb. 12, Apple argued that he should still issue an order on the motion, even though the defendant in question has pled guilty, potentially rendering the question moot. In that letter, Apple stated that a ruling would be helpful because it has received additional similar requests, and that the government intends to continue to use the All Writs Act to try to force it to assist in decrypting iPhones.

Apple's “Unreasonable” Burden

In the wake of Mr. Snowden's revelations of massive government spying, Apple made a business decision to install on its phones strong security and encryption technology that prevents everyone, including Apple and the government, from accessing data on the phone. The government now says that this business decision, and the attendant public policy considerations, are irrelevant to the question of whether a court can issue an Order under the All Writs Act compelling Apple to create a method to bypass this security. But the government could not cite any cases directly supporting this position in either the San Bernardino Case or in the matter before Judge Orenstein, and Judge Orenstein's opinion raises serious doubt about such an assertion. Thus, we must look to whether there is some support for Apple's position beyond Judge Orenstein's opinion.

The Supreme Court in United States v. New York Tel. Co. noted that the order in that case was not an unreasonable burden because it “required minimal effort on the part of the Company and no disruption to its operations.” 434 U.S. at 175. Judge Orenstein noted that in New York Tel. Co., the pen register technology already existed, and thus the phone company did not have to invest substantial resources to create a solution, nor did it have to disrupt its business operations. However, in the case of Apple's encryption on its operating systems, the company says it has purposefully never created the type of encryption bypassing technology that it is now being ordered to create.

The Supreme Court in Gen. Bldg. Contractors Ass'n, Inc. v. Pennsylvania, 458 U.S. 375, 401 (1982), used this very argument to distinguish United States v New York Tel. Co. (and the All Writs Act generally).


Encryption is an all or nothing game, either a customer's data is encrypted and cannot be accessed, or the encryption fails and any claim to security disappears.


The Court noted that in New York Tel. Co. the order had no effect on the subject's business, but in the Gen. Bldg. Contractors case the order required major changes to the subject's hiring practices. The Fifth Circuit then picked up the idea of a business disruption in Williams v. McKeithen, 939 F.2d 1100, 1104 (5th Cir. 1991), holding that the All Writs Act could not be used to order Louisiana sheriffs to make a “substantial, uncompensated change in … existing operations” in state jails. Id. at 1104.

In a related case, In re U.S. for an Order Authorizing Roving Interception of Oral Commc'ns, 349 F.3d 1132 (9th Cir. 2003), the Ninth Circuit ruled that the FBI's actions in shutting down emergency telecommunications services in a car in order to wiretap the car required more than the “minimum of interference” allowed under the wiretapping statute. Id. at 1146 (quoting 18 U.S.C. §2518). In reaching this conclusion, the court pointed to New York Tel. Co. to note that the All Writs Act would prohibit “a complete disruption of a service [a company] offer[ed] to a customer as part of their business.”

Possible Outcomes

Encryption is an all or nothing game, either a customer's data is encrypted and cannot be accessed, or the encryption fails and any claim to security disappears.

If Apple were required to devise a tool to bypass its own security, then it might be unable to tell its customers that its technology is safe from hacks and other prying eyes. In the San Bernardino Case, those prying eyes belong to the FBI and are being used in service of a terrorist investigation.

But as Tim Cook noted, once the technology is created it can be reused. In the future the prying eyes could belong to the Chinese or Russian governments, and there Apple would be unable to say that it has no way to bypass its security. Likewise the threat of malicious hackers stealing the technology cannot be discounted. Even if the technology is never stolen, the threat alone undermines Apple's claim to invulnerability.

To follow this line of argument, losing the ability to tell its customers that their data is safe would represent a shift in Apple's business strategy and could represent a substantial disruption to Apple's business.

The case law suggests that this type of disruption is impermissible under the All Writs Act. As a result, Apple has a legitimate argument that the government is wrong when it says that Apple's “marketing or general policy concerns are not legally cognizable objections to the Order.”

No matter on which side of the encryption debate one falls (and there are strong policy arguments on both sides) it is undeniable that whether the government can have access to mobile devices is currently one of the most consequential policy decisions facing this country's law enforcement establishment. The All Writs Act would seem a strange way to address such a weighty issue, and one that Apple will have a good argument is outside existing precedent surrounding the Act.

Justice Steven's observation in his 1977 dissent in New York Tel. Co. may prove prophetic: “Nevertheless, the order is deeply troubling as a portent of the powers that future courts may find lurking in the arcane language of Rule 41 and the All Writs Act.”

1 A copy of the letter can be found at http://www.apple.com/customer-letter/.

Request Bloomberg Law