This post is the latest installment of our “Monday Reflections” feature, in which a different Just Security editor examines the big stories from the previous week or looks ahead to key developments on the horizon.
Pending before federal magistrate judge James Orenstein is the government’s request for an order obligating Apple, Inc. to unlock an iPhone and thereby assist prosecutors in decrypting data the government has seized and is authorized to search pursuant to a warrant. In an order questioning the government’s purported legal basis for this request, the All Writs Act of 1789 (AWA), Judge Orenstein asked Apple for a brief informing the court whether the request would be technically feasible and/or burdensome. After Apple filed, the court asked it to file a brief discussing whether the government had legal grounds under the AWA to compel Apple’s assistance. Apple filed that brief and the government filed a reply brief last week in the lead-up to a hearing this morning.
Government to Court: If You’re Not the Owner, You’re Getting Owned
We’ve long been concerned about whether end users own software under the law. Software owners have rights of adaptation and first sale enshrined in copyright law. But software publishers have claimed that end users are merely licensees, and our rights under copyright law can be waived by mass-market end user license agreements, or EULAs. Over the years, Granick has argued that users should retain their rights even if mass-market licenses purport to take them away.
The government’s brief takes advantage of Apple’s EULA for iOS to argue that Apple, the software publisher, is responsible for iPhones around the world. Apple’s EULA states that when you buy an iPhone, you’re not buying the iOS software it runs, you’re just licensing it from Apple. The government argues that having designed a passcode feature into a copy of software which it owns and licenses rather than sells, Apple can be compelled under the All Writs Act to bypass the passcode on a defendant’s iPhone pursuant to a search warrant and thereby access the software owned by Apple.
Apple’s supplemental brief argues that in defining its users’ contractual rights vis-à-vis Apple with regard to Apple’s intellectual property, Apple in no way waived its own due process rights vis-à-vis the government with regard to users’ devices. Apple’s brief compares this argument to forcing a car manufacturer to “provide law enforcement with access to the vehicle or to alter its functionality at the government’s request” merely because the car contains licensed software.
This is an interesting twist on the decades-long EULA versus users’ rights fight. As far as we know, this is the first time that the government has piggybacked on EULAs to try to compel software companies to provide assistance to law enforcement.
Under the government’s interpretation of the All Writs Act, anyone who makes software could be dragooned into assisting the government in investigating users of the software. If the court adopts this view, it would give investigators immense power. The quotidian aspects of our lives increasingly involve software (from our cars to our TVs to our health to our home appliances), and most of that software is arguably licensed, not bought. Conscripting software makers to collect information on us would afford the government access to the most intimate information about us, on the strength of some words in some license agreements that people never read. (And no wonder: The iPhone’s EULA came to over 300 pages when the government filed it as an exhibit to its brief.)
The government’s brief does not acknowledge the sweeping implications of its arguments. It tries to portray its requested unlocking order as narrow and modest, because it “would not require Apple to make any changes to its software or hardware, … [or] to introduce any new ability to access data on its phones. It would simply require Apple to use its existing capability to bypass the passcode on a passcode-locked iOS 7 phone[.]” But that undersells the implications of the legal argument the government is making: that anything a company already can do, it could be compelled to do under the All Writs Act in order to assist law enforcement.
Were that the law, the blow to users’ trust in their encrypted devices, services, and products would be little different than if Apple and other companies were legally required to design backdoors into their encryption mechanisms (an idea the government just can’t seem to drop, its assurances in this brief notwithstanding). Entities around the world won’t buy security software if its makers cannot be trusted not to hand over their users’ secrets to the US government. That’s what makes the encryption in iOS 8 and later versions, which Apple has told the court it “would not have the technical ability” to bypass, so powerful — and so despised by the government: Because no matter how broadly the All Writs Act extends, no court can compel Apple to do the impossible.
What Happens Next?
The government and Apple appeared before Judge Orenstein this morning. According to ACLU attorney Alex Abdo, who attended the hearing, the Assistant United States Attorney informed the court that it estimates Apple has unlocked at least 70 devices for the government. Apple told the court at the hearing that it does not want to be forced to help unlock its customers’ data. Judge Orenstein reserved decision and invited the parties to submit supplemental letters in support of their respective positions by Wednesday, October 28.
According to the government’s brief, Judge Orenstein is the first magistrate judge who has refused to enter an iPhone unlocking order under the All Writs Act. The government’s brief and the underlying search warrant application show, and our own research confirms, that the government has repeatedly filed a boilerplate application asking various courts to enter an unlocking order under the All Writs Act in connection with search warrants, and magistrate judges nationwide have done so.
But it’s not a judge’s job to rubberstamp parties’ proposed orders. When the federal government seeks a court order compelling a private actor to do something, the court has the duty to satisfy itself that the requested order is authorized by law and comports with the Constitution. Judge Orenstein’s challenge to the government’s unlocking request in this case marks the first time a judge has undertaken that inquiry and openly declared himself unsatisfied.
Judge Orenstein was a trendsetter in the magistrates’ revolt against the Justice Department’s now-disfavored argument that the government could obtain cell site data without a warrant. If, following today’s hearing, he rejects the government’s latest argument for broad authority to access electronic evidence, it will prove influential as the current public debate about encryption policy continues. We at the Center for Internet and Society are following this case closely, as we’re working to uncover and analyze the ways that courts are allowing the government to use statutory authority to force decryption, obtain encryption keys, or demand backdoors.