Last week, we wrote about an order from a federal magistrate judge in New York that questioned the government’s ability, under an ancient federal law called the All Writs Act, to compel Apple to decrypt a locked device which the government had seized and is authorized to search pursuant to a warrant. Judge James Orenstein of the Eastern District of New York ordered Apple to file a response addressing the technical feasibility and burden of compliance with a decryption order.
Apple filed its response yesterday evening. Its brief explains that device decryption “would be impossible to perform” on devices running iOS 8 or higher, due to how Apple’s encryption works in those recent iOS versions — which Apple notes now run on 90 percent of Apple’s devices.
However, the device at issue here is running iOS 7, for which Apple’s brief acknowledges it can extract “certain categories of unencrypted data” from passcode-locked devices — but not “email, calendar entries, or any third-party app data.” (Because the search warrant is sealed, we don’t know what kinds of data the government is seeking.)
While the data extraction is not substantially technically burdensome, Apple identifies several other problems with compliance. First, every extraction diverts hardware, software, and personnel resources from Apple’s normal business operations, which add up the more extraction orders Apple receives. (In the past, Apple reportedly received so many decryption requests from law enforcement that it instituted a waiting list.) In other words, it doesn’t scale. Second, forcing Apple to extract data without a strong legal basis for so ordering, even in a single case, risks harming Apple’s reputation and undermining the trust it has built up with its customers. Apple concludes that the government’s requested use of the All Writs Act “imposes a real burden on Apple—commercial and reputational” if not technical.
Whether the All Writs Act in fact provides this authority is a question Orenstein’s initial order discussed, but Apple’s recent brief did not address. Today, the court asked for supplemental briefing from Apple on that question. We joined our colleagues at the ACLU, the New York Civil Liberties Union, and the Electronic Frontier Foundation in a friend-of-the-court brief addressing this issue, but the court declined our request to appear in the case and file the brief. We anticipate that Apple’s supplemental brief will tell the court that absent clear statutory authority (which the All Writs Act does not supply), the government may not force private actors such as Apple to assist it in conducting criminal investigations.
Apple’s brief mentions in a footnote that Apple has received orders in the past to extract data from Apple devices, but that this is the first time a judge has openly doubted that the All Writs Act grants a court authority to so order. Judge Orenstein was one of the magistrates who ignited public debate about cell phone tracking by publishing an opinion criticizing the Justice Department’s now-disfavored argument that it can obtain geo-location data without a search warrant. The judge’s thoughtful public discussion of the encryption issue will be very influential as the public debate about encryption policy goes forward.
These issues are incredibly timely due to ongoing debates about encryption policy, especially in the US. Indeed, we at the Center for Internet and Society are working with Stanford Computer Science Professor Dan Boneh on uncovering and analyzing the ways that courts are allowing the government to use the All Writs Act and provider assistance provisions in the Wiretap Act and the Pen Register/Trap and Trace statute to force decryption, obtain encryption keys, or demand backdoors.