Here’s the latest in the encryption case we’ve been writing about in which the Justice Department is asking Magistrate Judge James Orenstein to order Apple to unlock a criminal defendant’s passcode-protected iPhone. The government seized and has authority to search the phone pursuant to a search warrant. Rather than promptly grant the request (as other magistrates have done), Judge Orenstein expressed doubt that the law the government is relying on, the All Writs Act of 1789 (AWA), in fact authorizes him to enter such an order. After receiving briefing from Apple and the DOJ, Judge Orenstein heard oral arguments from both sides on Monday. He then invited them to submit additional briefing to address issues raised during the hearing.
On Wednesday, Apple and the government each submitted a brief. Their filings analyzed prior cases involving when and whether private actors who are not parties to a case can be subjected to orders compelling them to assist law enforcement. Apple argued that none of the cases discussed at the hearing support “the notion that a non-party can be conscripted into providing services for the government.” By contrast, the DOJ stated that “there is … no impropriety in requiring civilian assistance [to law enforcement] under the All Writs Act.” It said that the AWA is so expansive in scope that a court can impose an order on anyone over whom it has properly exercised jurisdiction, and that Apple satisfies that standard here because it made and provided the iPhone, iOS software, and related services to the defendant.
The parties’ briefs also discussed whether Apple qualifies as an “information services provider” under a federal law called the Communications Assistance for Law Enforcement Act, more commonly known as CALEA. This matters because CALEA requires telecommunications carriers — but explicitly exempts information services providers — from having to build “backdoors” for law enforcement access into their equipment. (“Information services” allow customers to create, store, and retrieve information via telecommunications, including things like instant messaging services and cloud storage providers.) Judge Orenstein previously suggested that CALEA would effectively preclude an unlocking order to Apple under the AWA. That’s because the AWA operates as a “gap-filling” statute that comes into play only where no other statute applies. Judge Orenstein’s earlier order reasoned that CALEA applies, and the AWA cannot force Apple to give the government access to the defendant’s iPhone if Congress didn’t say so in CALEA.
In Wednesday’s briefs, both Apple and the DOJ agree that a single provider, like Apple, “can provide [some] services that are covered by CALEA and other services that are not.” However, they disagreed on CALEA’s consequences for this case. Apple argued that because so many of its offerings are “information services,” it is an information services provider. It agreed with Judge Orenstein’s analysis of CALEA and the AWA. The government maintained that CALEA does not apply to this case at all, and that regardless of how Apple’s products and services are classified, CALEA’s information services exemption does not impair other laws that do apply to information services providers (such as wiretap orders).
Finally, Apple and the DOJ addressed the government’s technical abilities to unlock the iPhone by itself without Apple’s assistance. At the hearing, Judge Orenstein distributed materials from another criminal case pending in the same court, United States v. Djibo. In that case, the government has claimed it has technology that can allow it to bypass the passcode on a pre-iOS 8 iPhone like the one at issue in this case. An agent of the Homeland Security Investigations agency testified that he has never bypassed a device running iOS 8 or higher, but that depending on the particular device’s hardware and software, the government has had some success with an unnamed tool “which serially tests various passcodes until detecting the correct one.”
According to Apple, this tool’s availability renders an order compelling Apple’s assistance in the instant case unnecessary. However, the DOJ argues that Apple alone can safely bypass the device’s passcode. Its brief states that it has looked into “various third-party technologies, including the hacking tool referenced in Djibo,” and concluded that there is “a non-trivial risk of data destruction” in this case because too many failed passcode attempts could trigger the iPhone’s “erase data” feature.
Judge Orenstein is expected to render a decision soon. By raising the Djibo case in the case before him, he provided a glimpse into a federal agency’s device-unlocking capabilities that is of particular interest to us and our colleagues. We at the Center for Internet and Society are working with Stanford Computer Science Professor Dan Boneh to research how US law and policy affect cryptographic security. For example: when does the US government have the legal authority to force a company to provide decryption services, and at what cost to the company? Does a search warrant overcome a user’s right to resist decryption? Can global Internet companies provide decryption functionality just to the US government and other democracies and not to oppressive regimes? And what would that mean for user security worldwide?