Reflections on Apple vs. the F.B.I.

Introduction

The face-off between Apple Inc. and the U.S. Federal Bureau of Investigation (“F.B.I.”) is over for now.[1] The U.S. Department of Justice dropped its legal effort to force Apple to create a method of accessing data on a locked iPhone 5C used by Syed Rizwan Farook (“Farook”)—one of the perpetrators of the terrorist attack which took place last December in San Bernardino, California—after the Bureau was able to successfully hack the phone without Apple’s assistance. However, the broader issues of digital privacy and national security raised by the case cannot be ignored. This article defers analysis of the legal arguments used by both sides to constitutional law experts; rather, the purpose of this discussion is to reflect on the issues raised by the case and to remark on some of the steps being taken in the aftermath.

Summary of the case

Since 2015, Apple has received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789.[2] A majority of these seek to compel Apple “to use its existing capabilities to extract data like contacts, photos and calls from locked iPhones running on operating systems iOS 7 and older” in order to assist in criminal investigations and prosecutions.[3] A few requests, however, involve phones “with more extensive encryption, which Apple cannot break with its current capabilities.” These court orders seek to compel Apple to “design new software to let the government circumvent the device’s security protocols and unlock the phone.” The most well-known instance of the latter category is the subject of this article.

On 2 December 2015, 14 people were killed and 22 were seriously injured in a terrorist attack at the Inland Regional Center in San Bernardino, California, which consisted of a mass shooting and an attempted bombing. The perpetrators, Farook and his wife, Tashfeen Malik, targeted a San Bernardino County Department of Public Health training event and holiday party. The two attackers later died in a shootout with police. After the attack, an iPhone, issued to Farook by his employer, was recovered intact.[4] 

On 9 February 2016, the F.B.I. announced that it was unable to unlock the iPhone because of its advanced security features, including encryption of user data. Because the accessible iCloud backup data from the phone did not include Farook’s recent online activities, the F.B.I. asked Apple to create a new version of the phone’s iOS operating system that could be installed and run in the phone’s random access memory to disable certain security features. Apple declined because of its policy to never undermine the security features of its products.

In response, the F.B.I. successfully requested a federal judge to issue a court order under the All Writs Act of 1789, [5] mandating Apple to create and electronically sign new software that would enable the Bureau to unlock the iPhone.[6]

Apple announced its decision to oppose the order, citing the security risks that the creation of a “backdoor” would pose towards its customers.[7] Apple was given until 26 February 2016 to formally respond to the court order.[8]

On 16 February 2016, Apple chief executive officer Tim Cook released an online statement to Apple customers, explaining the company’s motives for opposing the court order. Cook also stated that while they respect the F.B.I., the request they made threatens data security by establishing a precedent that the U.S. government could use to force any technology company to create software that could undermine the security of its products.

A hearing before Magistrate Judge Sheri Pym was scheduled for 22 March 2016.[9] However, on 21 March, the government requested and was granted a delay, saying a third-party, later identified in news outlets citing anonymous sources as Israeli company Cellebrite, had demonstrated a possible way to unlock the iPhone in question and the F.B.I. needed more time to determine if it will work.[10] On 28 March, the F.B.I. said it unlocked the iPhone with the third-party’s assistance and an official, who spoke on the condition of anonymity, said its applications were limited. The U.S. Department of Justice then dropped the case.[11] 

Reflections

The reason the Apple vs. F.B.I. case was so contentious was that, at first glance, the two parties appeared to be defending principles that were both compelling and irreconcilable.

From one perspective, Americans have reason to be concerned about the surveillance opportunities offered by digital technology, and the possibility that big tech companies are complicit in this spying. Modern smartphones contain all kinds of personal information, from saved emails to financial records to intimate pictures. Accordingly, Apple, as a leading supplier of smartphones, has every reason to respond to the privacy concerns of its customers. And that is exactly what it did when it incorporated code in iOS which wipes the hard drive when someone enters an incorrect passcode ten times in a row.

Of course, from another perspective, law-enforcement agencies—in seeking to protect the public—also have a vital job to carry out. To do so, under certain conditions, they have long had the right to violate an individual’s personal privacy. For example, in searching for incriminating evidence, law-enforcement can, given a suitably tailored warrant, break down the front door of a person’s home, tear apart walls and floors, and search through their personal possessions. Police can also make landlords assist them in gaining entry to the home. In the San Bernardino case, the F.B.I. effectively argued that an iPhone is not much different from an apartment, and that Apple is not much different from a landlord. Apple offered a number of legal arguments to the contrary, arguing that it should not be compelled to write new code that would override the security features it had designed into a product. Obviously, this issue was not resolved in court. However, the legal arguments, and media attention surrounding the case, did illuminate some other important aspects of the issues involved.

Law-enforcement’s policy agenda

In the aftermath of the case’s resolution, it now appears that the F.B.I. may have used the San Bernardino case as an opportunity to pursue a policy agenda, and that it may have somewhat oversold its case. The Bureau said that it was unable to unlock the iPhone without Apple’s assistance. But as Daniel Kahn Gillmor, a technology fellow at the American Civil Liberties Union, pointed out in a blog post published on 7 March 2016,[12] this claim was not entirely true. In Gillmor’s piece, he described how investigators could work around the auto-erase feature by removing the device’s NAND flash memory and backing it up, then trying every conceivable four-digit passcode combination. “If the FBI doesn’t have the equipment or expertise to do this, they can hire any one of dozens of data recovery firms that specialize in information extraction from digital devices,” he wrote. It is unclear if the F.B.I. used the method that Gillmor recommended to get into Farook’s phone; notwithstanding this, Gillmor’s post suggested that the Bureau had not exhausted all of the technological possibilities for accessing the data. It is possible that this may damage the Bureau’s credibility if it finds itself a similar legal dispute in the future.

Potential overstatement of new “dark zone” argument

There may also be reason to question an argument that James Comey, the director of the F.B.I., has been making in conjunction with the case—that strong encryption protocols, which other technology firms are also deploying, are producing a new “dark zone” that terrorists, criminals, and other bad actors can exploit. Undoubtedly, the encryption measures introduced by Apple and other tech firms since the Edward Snowden revelations have made it easier for people to conceal data in locked iPhones, encrypted WhatsApp messages, and other protected spaces. However, the authorities still have the capacity to collect enormous amounts of information. In the San Bernardino case, for example, the investigators obtained records from Farook’s employer’s cellular provider, which would have included details of all of the calls he placed on the device, and perhaps his saved messages. Cook told Time that Apple itself gave the F.B.I. “a cloud backup on the phone, and some other metadata.”[13] Law-enforcement officials have said that they wanted to look at Farook’s list of contacts and any other remaining data. Apparently, they were concerned that some recent data might have been missing—it emerged a few weeks ago that Farook might have changed his password, turning off automated iCloud backups in the process.[14]

In this connection, rather than a growing “dark zone”, the opposite may be true. In fact, some, like Peter Swire, professor of law and ethics at the Georgia Institute of Technology, argue that we live in a “golden age of surveillance”.[15] Similarly, in a recent report published by Havard’s Berkman Center for Internet and Society, a team of experts pointed out that some powerful trends will continue to “facilitate government access” to personal information.[16] The business models of firms like Facebook and Google depend on their ability to track user data, and new cloud services create yet more unencrypted data.

Even in such a data-rich environment, however, the rise of strong encryption is having an impact and creating some hidden areas. Naturally, there will certainly be instances when legal authorities want access to encrypted information that they cannot get at. Given this, it would seem prudent to start tackling this subject now, rather than on the heels of another terrorist attack.

A proposed commission to discuss the implications for law enforcement, national security, privacy, and personal freedoms

As part of its objection to the court order, Apple had proposed forming “a commission or other panel of experts on intelligence, technology, and civil liberties to discuss the implications for law enforcement, national security, privacy, and personal freedoms.”[17] Generally speaking, there are good reasons to be skeptical of commissions—which are sometimes used to appease the public while, in fact, serving to delay necessary action and preserve the status quo. In this case, however, a public airing of the issues, some of which are technical and complex, may be productive, especially if the commission’s mandate was extended to include other companies and their products, and the broader issue of privacy in the electronic age. 

Unfortunately, it does not appear that such a commission will be organized anytime soon. Interestingly enough though, the idea of a commission does have bipartisan backing in the U.S. Congress. Representative Michael McCaul, a Texas Republican who is chairman of the House Homeland Security Committee, has introduced legislation, H.R. 4651, to establish a 16-member commission to recommend changes to the government’s encryption policy.[18] California Democrats Ted Lieu, Jerry McNerney and Eric Swalwell and Republican Mimi Walters have signed on as co-sponsors of H.R. 4651. Senator Dianne Feinstein of California, former chairwoman of the intelligence committee, supports such a panel, but also wants legislation to make clear that companies must comply with court orders to help law enforcement. Of course, if legislation does emerge, there is no guarantee that Silicon Valley will be pleased with it. For example, many firms, including Apple, have protested against the extent of electronic surveillance permitted by the United Kingdom’s Investigatory Powers bill, which is before parliament.

Conclusion

Although the fact that the U.S. Department of Justice dropped its case against Apple might appear to signal a victory for both Apple and the F.B.I., in the final analysis, there really are no winners here. Federal authorities’ efforts to gain access to private data through a third-party highlights a fast growing market where companies sell information on software vulnerabilities to governments and non-state actors, including the United States. This mighty effort to hack the iPhone was more than just a public relations problem for the F.B.I. It undermined the security of technology that people rely on every day, and it arguably put the public at greater risk of compromise and attack. Lastly, whether intended or not, it sent a signal that the government prioritizes the potential to collect evidence in one case over the cyber-security of the many.

In outlining his Cybersecurity National Action Plan last month,[19] President Barack Obama cited both the need for strengthening the U.S. government’s partnerships with the private sector to deter, detect and disrupt threats, as well as the need to do more to help empower Americans to protect themselves online. The F.B.I.-Apple battle is an unfortunate contradiction which reveals a disconnect in the U.S. government’s approach on the subject. Instead of going to great lengths to break U.S. tech products, the government should be aligned with tech companies to create more secure products. It is almost impossible for U.S. businesses to succeed in a world where public-private partnerships are compelled by court order. As suggested in the president’s comments, the government needs to work on building relationships with the private sector, to encourage a safer and more secure Internet. Otherwise, we all lose.