Yep, Apple finally submitted it’s response to the FBI today…
So, I’ve done you all a huge favor and read Apple’s entire Motion (and supporting brief) to Vacate the Ex Parte Order issued last week. For those of you who don’t know, here are the basics:
Note: This is my summary of the situation, so it is not free of bias. I am now and have long been a supporter of strong security measures in mobile devices, and a strong supporter of Apple in this case. If you wish to debate the relative merits, we can do that elsewhere.
Last week, a federal magistrate judge for the United States District Court, Central District of California, Eastern Division, issued an ex parte order requiring Apple to assist the FBI in unlocking an iPhone 5c owned and used by Syed Rizwan Farook, one of the two San Bernadino shooters, including the creation and installation of a new operating system that would:
- Disable the “anti-brute force” security that deletes all data on the phone after 10 consecutive incorrect passwords are entered;
- Allow passwords to be entered via computer, instead of by hand; and
- Eliminate the forced delay after incorrect passwords are entered.
Famously, Apple refused. Despite being granted an extension to file their response, the Department of Justice filed a motion to compel Apple’s compliance with the order last Thursday (before even the original 5 day response window had ended). Today, Apple filed their motion to vacate.
I have summarized Apple’s arguments as best I can:
The motion to vacate rests on a few basic themes: the unprecedented nature of the FBI’s request; a thorough debunking of the FBI’s justification for the motion; a striking demonstration of how the FBI and DOJ appear to have proceeded in bad faith; a detailed analysis of why the All Writs Act should not apply; and an argument that the ex parte order violated Apple’s due process rights.
1) The unprecedented nature of the request
This is not a case about one isolated iPhone. Rather, this case is about the Department of Justice and the FBI seeking through the courts a dangerous power that Congress and the American people have withheld: the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe… In fact, no court has ever authorized what the government now seeks, no law supports such unlimited and sweeping use of the judicial process, and the Constitution forbids it.
(Apple’s Brief, at 1).
That’s just how Apple started. The opening salvo of the brief is even more powerful, in my opinion, when combined with the methods the government used in making the request:
There are two important and legitimate interests in this case: the needs of law enforcement and the privacy and personal safety interests of the public… by invoking “terrorism” and moving ex parte behind closed courtroom doors, the government sought to cut off debate and circumvent thoughtful analysis.
(Id. at 2).
The enormous nature of the request is further highlighted by a strong statement describing exactly what the ex parte order would require Apple to do:
The order demanded by the government compels Apple to create a new operating system—effectively a “back door” to the iPhone—that Apple believes is too dangerous to build. Specifically, the government would force Apple to create new software with functions to remove security features and add a new capability to the operating system to attack iPhone encryption, allowing a passcode to be input electronically.
Basically, what Apple argues is that in order to comply, they would need to create a key that would make it easier to unlock any iPhone using “brute force” attacks. Defenses against such attacks are basically Device Security 101, and the removal of such protections causes serious concerns among those who deal regularly with mobile device security, including myself.
The ex parte order is requiring quite a lot of Apple, much of which is incorporated into their subsequent arguments. The first and most direct being…
2) The false premise that this is a one-time-only request
Apple’s motion pulls no punches in its shift to this attack:
The government says: “Just this once” and “Just this phone.” But the government knows those statements are not true; indeed the government has filed multiple other applications for similar orders, some of which are pending in other courts.
(Id. at 3).
As the Wall Street Journal reported, there are currently 12 pending requests in federal courts regarding iPhone access, but that’s just the tip of the iceberg. Describing some of the state and local officials that currently want Apple’s assistance, the brief cites to reports that:
Cyrus Vance, Manhattan District Attorney… has ‘155 to 160’ devices that he would like to access, while officials in Sacramento have ‘well over 100’ devices for which they would like Apple to produce unique software so that they can access the devices’ contents.
(Id. at 3 n. 3) (internal citations omitted). Of course, the real elephant in the room is this last one:
And once developed for our government, it is only a matter of time before foreign governments demand the same tool.
(Id. at 2).
Furthermore, the brief argues, even the FBI acknowledges that creating access to Apple’s encryption will only result in criminals going further into encryption, especially from companies located abroad and not subject to the court’s authority. As the brief brilliantly postulates:
Despite the context of this particular action, no legal principle would limit the use of this technology to domestic terrorism cases—but even if such limitations could be imposed, it would only drive our adversaries further underground, using encryption technology made by foreign companies that cannot be conscripted into U.S. government service — leaving law-abiding individuals shouldering all of the burdens on liberty, without any offsetting benefit to public safety.
(Id. at 3-4).
Disagree with that argument? Where do you stand on gun laws not deterring criminals from getting guns?
3) The DOJ’s Motion to Compel – and the original order – were basically filed in bad faith
This part might have actually been the part that blew me away the most. I have routinely and regularly criticized the ineptitude of the DOJ when it comes to arguing why they need encryption backdoors. They’re terrible at it. But at least this time they seemed to get off to the right start.
They were certainly ahead of Apple. Turns out there’s a reason, and it makes them look like SHIT.
Note: Before you all start jumping up and down about my use of the phrase “bad faith,” no, I’m not making any argument that they’ve violated any specific “bad faith” prohibitions (although, judge for yourself), but rather that their moves are shady, underhanded, and should in no way be the type of conduct our government representatives use against a non-party in a straight forward criminal matter.
a) The original ex parte order
That first thing that started all of this, the ex parte order, well, here’s something you might already know:
The government obtained the Order without notice to Apple and without allowing Apple an opportunity to be heard.
(Id. at 11, n. 22).
Sure, it’s an ex parte order, after all. The government routinely does this type of thing to make sure that when it pursues criminals, they don’t have a “heads up” that the FBI is coming. Such would be ridiculous.
But this was not a case where the government needed to proceed in secret to safeguard its investigation; indeed, Apple understands that the government alerted reporters before filing its ex parte application, and then, immediately after it was signed and confirmed to be on the docket, distributed the application and Order to the public at about the same time it notified Apple. Moreover, this is the only case in counsel’s memory in which an FBI Director has blogged in real-time about pending litigation, suggesting that the government does not believe the data on the phone will yield critical evidence about other suspects.
Well then, that changes things slightly. The FBI didn’t want Apple to know about it, but they sure wanted the press to be there when the ex parte order was released. You see, there’s a reason why ex parte communications are frowned upon. Or, as Apple puts it:
Because the government proceeded ex parte, Apple had no opportunity to weigh in on whether such assistance was “reasonable,” and thus the government’s request was assumed to be.
(Id. at 12).
In my limited time studying and practicing law, I’ve learned that it’s never a good thing when the government says “just trust me” when looking to violate someone’s constitutional rights.
b) The DOJ’s Motion to Compel Apple’s compliance with the ex parte order
The shady conduct continued with the Motion to Compel filed by the DOJ:
The government filed its motion to compel notwithstanding the Court allowing an eight-day period within which Apple could challenge the order compelling assistance, Apple’s express indication during the parties’ February 18 status conference that it intended to seek relief from the order, the Court’s entry of a briefing schedule to permit the parties to address the validity of the order, and the Court’s own skepticism about the utility of such a motion.
(Id. at 5, n. 5).
So the motion was filed despite the fact that the court had already told Apple that it would be allowed to respond to the original ex parte order. Anything else? Oh yeah, this:
Only three pages into the government’s 25-page motion, it concedes the motion is ‘not legally necessary’ […] [T]he motion—substantial portions of which appear to have been cut and pasted from the government’s ex parte application—seeks no relief beyond that contemplated by the order compelling assistance. Because the government’s motion serves no legal purpose, and the issues it raises will be fully briefed and addressed in Apple’s motion to vacate and the government’s opposition thereto, it should be denied.
In fact, it appears that the only actual reason for filing the motion in the first place was as a vehicle to allege that Apple was only objecting due to its “concern for its business model and public brand marketing strategy.”
A word of advice, if you’re going to demand a non-party do something, and the law states that the “something” cannot be an undue burden on the non-party, maybe arguing that the non-party’s objections are based on its “business model” and “marketing strategy” aren’t the best ways to argue?
Speaking of which, Apple then turns its attention to the All Writs Act…
4) The All Writs Act is improper in this case
The All Writs Act, a legislative relic rarely used (for reasons that will become obvious), is at the heart of this case. To begin, Apple describes what will be necessary to accomplish what the ex parte order seeks:
The software envisioned by the government simply does not exist today. Thus, at bottom, the Order would compel Apple to create a new version of the iPhone operating system designed to defeat the critical security features noted previously for the specific purpose of accessing the device’s contents in unencrypted form—in other words, to write new software to create a back door to the device’s encrypted data.
No operating system currently exists that can accomplish what the government wants, and any effort to create one will require that Apple write new code, not just disable existing code functionality.
(Id. at 12-13).
The basics? They’d have to create a new product. Why is that so onerous under the All Writs Act?
a) The All Writs Act is not intended to allow circumvention of legislative process
First, Apple states (in clear, unequivocal terms) that the All Writs Act has always been held only to apply to extending authority that already exists:
The Act is intended to enable the federal courts to fill in gaps in the law so they can exercise the authority they already possess by virtue of the express powers granted to them by the Constitution and Congress; it does not grant the courts free-wheeling authority to change the substantive law, resolve policy disputes, or exercise new powers that Congress has not afforded them. Accordingly, the Ninth Circuit has squarely rejected the notion that ‘the district court has such wide-ranging inherent powers that it can impose a duty on a private party when Congress has failed to impose one.’
(Id. at 14) (emphasis original).
Seems fairly clear, but has Congress failed to impose one? It turns out, much to the FBI’s chagrin, yes:
[The Communications Assistance for Law Enforcement Act (“CALEA”), 47 U.S.C. § 1001 et seq.] precludes the government from using the All Writs Act to require Apple to do that which Congress eschewed. But even if Apple were covered by CALEA, the law does not require covered telecommunication carriers (which Apple is not) to be responsible for ‘decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.’
(Id. at 17).
Yeah, so it turns out that Congress has actually had several opportunities to create this exact requirement, and has refused to do so – sometimes through specific legislation like CALEA, or through refusal to enact specific legislation, like CALEA II.
Yeah, I hate sequels too.
Regardless, even if the All Writs Act covered actions like this…
b) This case does not meet the applicable standard for application of the All Writs Act
Yep, certain things are required before the All Writs Act can be applied to require non-parties to perform an action for the government in a criminal matter. And Apple has arguments for all three!
1) Apple has no involvement in the underlying criminal action
In order for the All Writs Act to apply, the US Supreme Court, in U.S. v. New York Telephone Co., 434 U.S. 159 (1979) held that in order for the AWA to apply, the non-party must not be “so far removed from the underlying controversy.” To that, Apple says:
The All Writs Act does not allow the government to compel a manufacturer’s assistance merely because it has placed a good into the stream of commerce. Apple is no more connected to this phone than General Motors is to a company car used by a fraudster on his daily commute.
(Id. at 22).
Oh, and it has case law, just in case support is needed.
2) The order adversely affects the interests of the third-party (Apple), and creates an undue burden
This, to me, is the big one – a non-party cannot be compelled to act if its action either adversely affects the non-party or creates an undue burden. This is important, I believe, in a country that (unlike former East Germany), the citizens are not agents of the state.
The government’s request violates the first requirement—that the Act “must not adversely affect the basic interests of the third party”—because Apple has a strong interest in safeguarding its data protection systems that ensure the security of hundreds of millions of customers who depend on and store their most confidential data on their iPhones.
(Id. at 23).
Touché Apple, adversely affecting the interests of anyone on Earth who uses an iPhone. Hyperbolic? I don’t think so, but even if it is:
The government’s request violates the second requirement—that the Act “must not… impose an undue burden” — because the government’s unprecedented demand forces Apple to develop new software that destroys the security features that Apple has spent years building.
See, here’s where that whole pesky “business model” thing I was talking about earlier comes into play. If a company has a lawful business, and expands based on that lawful business, then suddenly making that lawful business unlawful will cause the business tremendous burden. When there’s a reason for doing so, fine. But when it’s to get a non-party to become an agent of the state for limited purpose and has far-reaching, damaging consequences, I say “undue.”
But this is my favorite part:
By forcing Apple to write code to compromise its encryption defenses, the Order would impose substantial burdens not just on Apple, but on the public at large. And in the meantime, nimble and technologically savvy criminals will continue to use other encryption technologies, while the law-abiding public endures these threats to their security and personal liberties—an especially perverse form of unilateral disarmament in the war on terror and crime.
(Id. at 25) (emphasis added – out of sheer necessity, I’m sure you agree).
Note: There are plenty of other great arguments that Apple makes in this section, that I highly recommend, including the discussion about criminal defendants having a right to cross-examine the experts… what if the expert planted whatever information they found? Certainly wouldn’t be the first time for U.S. law enforcement!
3) The government has not demonstrated that Apple’s assistance was necessary
This one is actually where it becomes a bit funny – the AWA doesn’t apply unless the compelled assistance is based on the government being authorized to act and the non-party’s participation is imperative.
I’m not sure if you read much about the dazzling clusterf*ckery that was the Twitter battle between the FBI and the County of San Bernadino, but it was ridiculous. As the brief discusses:
Here, by contrast, the government has failed to demonstrate that the requested order was absolutely necessary to effectuate the search warrant, including that it exhausted all other avenues for recovering information. Indeed, the FBI foreclosed one such avenue when, without consulting Apple or reviewing its public guidance regarding iOS, the government changed the iCloud password associated with an attacker’s account, thereby preventing the phone from initiating an automatic iCloud back-up. Moreover, the government has not made any showing that it sought or received technical assistance from other federal agencies with expertise in digital forensics, which assistance might obviate the need to conscript Apple to create the back door it now seeks.
(Id. at 29-30).
Amazing, isn’t it? Instead of waiting to contact Apple for advice – or even consulting a FAQ available on Apple’s freaking website, the FBI decided to mess with the password. And thereby rendered the device inaccessible for iCloud backup.
Note to self – don’t royally f*ck something up, then claim that a non-party should have to write an entire new operating system to cover up my f*ck up. Unless, of course, I’m the FBI.
5) The order violates Apple’s right to due process
Apple’s final argument rests on it’s rights to due process under the 1st and 5th amendment. First, it says that requiring it to write code that violates a core tenet of the company’s beliefs (sorry, Hobby Lobby enthusiasts, it’s your fault we’ve come to this!), and is thus compelled speech, and must meet a compelling state interest.
Here, Apple really goes to town:
Apple does not question the government’s legitimate and worthy interest in investigating and prosecuting terrorists, but here the government has produced nothing more than speculation that this iPhone might contain potentially relevant information.
(Id. at 33).
In a footnote, Apple continues:
If the government did have any leads on additional suspects, it is inconceivable that it would have filed pleadings on the public record, blogged, and issued press releases discussing the details of the situation, thereby thwarting its own efforts to apprehend the criminals.
(Id. at 33, n. 26).
Yep, Apple’s totally calling out the FBI’s bullshit PR campaign!
As far as the 5th Amendment protections, Apple lends a paragraph that is generally unremarkable, but legally sound.
… Apple’s brief states:
[W]hile the government’s desire to maximize security is laudable, the decision of how to do so while also protecting other vital interests, such as personal safety and privacy, is for American citizens to make through the democratic process. Indeed, examples abound of society opting not to pay the price for increased and more efficient enforcement of criminal laws. For example, society does not tolerate violations of the Fifth Amendment privilege against self-incrimination, even though more criminals would be convicted if the government could compel their confessions. Nor does society tolerate violations of the Fourth Amendment, even though the government could more easily obtain critical evidence if given free rein to conduct warrantless searches and seizures. At every level of our legal system—from the Constitution, to our statutes, common law, rules, and even the Department of Justice’s own policies — society has acted to preserve certain rights at the expense of burdening law enforcement’s interest in investigating crimes and bringing criminals to justice.
The government’s desire to leave no stone unturned, however well intentioned, does not authorize it to cut off debate and impose its views on society.
(Id. at 35).
Once again, touché.
Pingback: We Are Dangerously Close to a Dystopian Cyber Security World()
Pingback: What You Need to Learn from the Biggest Cyber Attack in History()