— IMPORTANT DISCLAIMER: In no way has this piece been endorsed or approved by the “For Dummies” brand or John Wiley & Sons, Inc. While it should be taken as gospel, this is simply an opinion piece with a really catchy title that someone else has kind of trademarked —
On December 2nd, 2015, two assholes did some really shitty things in San Bernardino (I’m not downplaying the magnitude of what happened, I just think it’s best to give these assholes and their actions only as much digital ink as is absolutely necessary, and this article isn’t about them).
Naturally, the FBI wants to dig deeper into these assholes and see what other shitty things they might have known about, and what other assholes they might have been communicating with. The FBI actually has a lot of authority to do that, including searching the contents of an iPhone the two assholes owned, not limited to any and all encrypted data, the state in which useful information often finds itself.
No controversy yet; pretty much everyone agrees the San Bernardino people are assholes and that the FBI has complete legal authority to search the phone.
The problem is, they can’t.
Apple built the iPhone’s security system to optionally erase all encrypted data after ten incorrect password attempts. A brute force attempt to crack someone’s password and get into their phone destroys any of the sensitive info the would-be hacker is after, so everyone’s Tinder conversations stay secret…and their terrorist conversations.
Apparently the best plan the FBI’s tech folks can come up with is a brute force attack, so they asked Apple to help them sidestep one of the most basic yet important security features in, like, ever. Then they got a court order to make it happen. Then Apple CEO Tim Cook went public with a refusal to comply with the court order, and here we are.
The question is, where will we be tomorrow? Or more realistically, next year?
I’m Not a Lawyer, But I Sure Do Like to Argue
The key question at hand isn’t whether or not the FBI has a right to bypass Apple’s security system. The question is whether or not a court can compel Apple to help the FBI bypass Apple’s security system, and the answer is…no one knows.
Everyone sure has an opinion though. There have been some great clickbaity headlines to highlight them, one in particular I’d like to nip in the bud right here and now, while neatly segueing into the real heart of the legal issues: that whole “FBI invokes law passed in 1789!!!” crap and its various incarnations.
All Writs Act
Yes, it’s true, the “All Writs Act” invoked by the court in ordering Apple to help the FBI was initially passed as part of the Judicial Act of 1789, but so was the foundation for most of the federal court system as we know it. The district courts, the circuit courts, the Office of the Attorney General, the US Attorneys and the US Marshals were all created by the same Act, so everyone needs to get over this “two-and-a-half-century-old law” business. Age is not necessarily a sign of inappropriateness or inadequacy, even when it comes to ancient legal concepts and the modern marvels of technology.
The current language of the “All Writs Act” was finalized in 1948, and now resides at 28 U.S. Code § 1651, but its meaning is essentially the same as it was in 1789: courts can issue all writs (orders) needed to carry out their lawful duties. If a court—or law enforcement agency working on a case over which a court has jurisdiction—needs a third party’s cooperation to carry out an investigation or fulfill their duty, they can issue a writ to make it happen.
Far from being arcane and out of place, the All Writs Act is actually fairly important when it comes to giving federal courts any actual authority. If they couldn’t compel cooperation from landlords, banks, law enforcement agencies, and other entities not accused of crimes but tangentially involved in them, conducting investigations and holding criminals to account would be all but impossible.
These writs have been used to compel companies to provide technical assistance in the course of investigations before, too, most famously in United States vs. New York Telephone Co., where the Supreme Court held that a district court could require a telephone company to help install a device for recording numbers dialed on a certain device.
In that case, the telephone company already had the technology and used it internally, and were simply required to share it with the FBI allowing them to educate their own technicians. This set a significant precedent—a precedent that Apple has actually faced before.
Twice (that we know of), courts have issued writs requiring Apple to bypass the lockscreens of iPhones to assist law enforcement in investigations, and Apple has apparently complied.
What’s different about the San Bernardino case, from a technical perspective, has to do with the development of software rather than a simple one-time bypass. For some reason the FBI sees brute force password breaking as their best bet for getting at the encrypted data on the iPhone in question. Rather than asking for Apple to help them bypass the lockscreen, they’ve asked for software that will disable the auto-erase function and allow them to repeatedly enter passwords until they find one that works.
Tim Cook’s Open Letter
Tim Cook’s open letter makes the point that this kind of software could be used to back-door every iPhone out there, and that this could be used by bad governments, hackers, and all manner of nefarious masterminds for all kinds of dastardly deeds. Others have voiced similar concerns; creating such a tool creates a whole lot of risk, and there’s no way to guarantee the software stays contained and only in the hands of “good guys” (not to mention the question of whether the US government currently ranks as a “good guy” in a post-Snowden era).
That’s a good argument for a new limit on the All Writs Act, but that’s something more likely to be achieved through legislation than a court decision. That is, saying “following the law would be dangerous” doesn’t usually give courts the ability to void a law, and in this case the law is actually relatively clear: the FBI has the legal authority to search the cellphone, courts have the ability to compel third party assistance in searches, and Apple has the technical capability to provide assistance.
The danger may exist, but the law doesn’t recognize it yet.
Does Apple Have a Case?
Apple can argue that the amount of assistance required is unreasonable; the decision in the Telephone Co. case established a highly nebulous “reasonable” criteria for writ-compelled assistance. The heightened privacy and security concerns of this request could also sway the Supreme Court to place new limits on the All Writs Act or even to reverse previous decisions. Privacy has become a much bigger issue for the Court since the Telephone days, thanks in no small part to the recently departed Associate Justice Scalia.
As the law currently stands, though, most courts will likely have no choice but to uphold the current order for Apple to get the FBI past the auto-erase feature. If and when the Supreme Court decides to hear the case, we’ll likely have at least one new justice sitting there, appointed by God knows who and with God knows what understanding of passwords and privacy.
So whether you’re feeling the Bern or are all Trumped up—or wondering why the current President’s job seems to be over a year early—keep in mind that whomever occupies that Oval Office when the next justice takes their seat is going to hugely affect cybersecurity for generations to come.
I’ll be in my bunker while we sort this shit out.
