Is Apple Right To Resist The FBI?

The FBI wants Apple to do something no private company has ever been forced to do: break its own technology.

Specifically, the FBI wants Apple to build a new version of its mobile operating system (iOS, or GovOS) so that the contents of an iPhone can be removed from an iPhone used by Syed Farook, one of the gunmen in the San Bernardino shooting.

A magistrate judge recently ordered Apple to comply with this request; Apple in turn filed a Motion to Vacate (MTV) the magistrate’s order. The key point made in the MTV, and the key issue on which this entire case hangs, is that complying with the FBI’s request would weaken a valuable encryption platform at a time when the United States desperately needs stronger, more effective encryption.

There is an arms race to create more-sophisticated, harder-to-crack encryption tools, and if the FBI gets its way, we will be running that race with a self-imposed handicap.

Apple is appearing before Congress to address the issues raised above. For those unable to attend the hearings, I want to explore how Apple is thinking about the FBI’s legal authority to compel the company to create new software to crack Apple’s security measures.

After exploring that legal issue, we’ll consider the broader constitutional stakes involved in this case. After all, it’s not everyday that the US government is asking a private company to undermine a technology platform without providing any concrete evidence that doing so will make Americans safer.

What does the law say?

To understand what the law says, we must first properly frame what the FBI is trying to compel Apple to do. Without a precise understanding of what the FBI is demanding in this case, it is hard to clearly say that the FBI is trying to overstep its bounds.

What is the FBI seeking here? First, the FBI is demanding that Apple make a new software product. Second, that software product would have to be designed in accordance with specifications provided to Apple by the FBI. Third, once Apple created that software product, it would have to test the product to ensure it met Apple’s own quality standards. Fourth and finally, Apple would have to test and validate this software product so that criminal defendants would be able to exercise their constitutional rights to challenge the government’s legal claims as provided by the Federal Rules of Evidence (FRE).

Forcing a company to break its own technology appears to be something a dictatorship might do, not a democracy like the United States.

Simply put, the FBI is demanding that Apple create a new software product that meets specifications provided by the FBI. As Apple clearly articulates in its MTV, the FBI is demanding “the compelled creation of intellectual property.” The legal grounds for the FBI’s demand come from the Communications Assistance for Law Enforcement Act (CALEA) and the All Writs Act (AWA).

With this understanding in mind, what does the law say? Is there any law that allows a government agency such as the FBI to compel private companies to create new software products?

Under CALEA, there is a strong argument that Apple cannot be legally required to create new software of any kind for any department of the federal government. When Congress passed CALEA, it had the opportunity to include device manufacturers like Apple within the scope of the law. Congress decided to require telecommunications companies to ensure that their equipment and facilities are built in a way that allows the government to conduct surveillance on the basis of a lawful surveillance warrant.

In other words, telecommunications companies have to build in a back door. However, under CALEA, Apple is not a telecommunications company; instead, Apple is considered an “information service” to which CALEA does not apply. In short, Congress made it clear they did not intend for CALEA to even apply to companies like Apple.

Even if CALEA applied to Apple, the FBI would not be entitled under CALEA to force the company to break its encryption protocol. The statute in section 1002(b)(3) states that telecommunications companies are not responsible for decrypting communications “unless the encryption (1) was provided by the carrier and (2) the carrier possesses the information necessary to decrypt the communication.”

Because Apple does not currently possess that information, even an improperly broad interpretation of CALEA would not compel Apple to create GovOS in this case. The FBI can ask, but under CALEA it cannot compel.

In a nation of laws, the FBI’s attempt to expand the AWA is dangerous. The FBI’s interpretation of the AWA transforms the law into something it was never meant to be: a tool granting government agencies boundless powers not authorized under the Constitution or in existing federal law.

Fortunately, a Brooklyn judge recently ruled, in a separate but similar case involving a demand from the Department of Justice to unlock an iPhone, that the AWA only empowers courts with “residual authority to issue orders that are consistent with the usages and principles of law.” Judge Orenstein explicitly condemned the government’s overreach in that case, echoing the exact concerns explored above: “The implications of the government’s position are so far-reaching, both in terms of what it would allow today and what it implies about Congressional intent in 1789, as to produce impermissibly absurd results.”

What should Apple do?

Apple should do what is necessary to preserve our enduring constitutional values, including life, liberty and the pursuit of happiness. Those values also include the privacy and speech rights protected by the Constitution. The First Amendment famously protects an individual’s right to say what he or she thinks or feels, and the Fourth Amendment guarantees that Americans shall be free of unreasonable searches and seizure.

These values and constitutional ideals are not mere commodities to be traded away, but are instead regulative ideals that capture and define who we are. Such ideals must remain unmolested by the temporary whims of each and every government agency. That’s what it means to be a nation of laws that is guided by a constitution.

In this particular case, Apple has a responsibility to resist the FBI’s efforts to force the company to undermine the security measures in its mobile operating system. To understand what is at stake here, one has to think deeply about what the world would be like if Apple were to comply with the FBI’s demands.

The FBI, then, is asking Apple to build a technology that destroys the value of the key security mechanisms built into its mobile operating system: The FBI wants to force a private company to build a tool that completely breaks the security technology for what is arguably the world’s gold-standard for mobile operating systems, iOS.

On this narrow issue, the FBI has to agree and concede this critical point. For the FBI cannot say that (1) it needs Apple’s assistance to crack an iPhone but (2) Apple’s assistance would not break a world-class encryption product. Once the FBI says that it needs Apple’s help, the FBI can’t honestly challenge the fact that the help it seeks would utterly break a security suite that Apple has spent years developing.

Final thoughts

Perhaps this is the right time to share Franklin’s adage about the moral quality, or lack thereof, of folks who want to trade privacy for a little temporary security. Franklin wrote the following to the Pennsylvania Assembly in 1755: “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”

I truly wish Franklin’s quote sufficed to describe the constitutional predicament we are in today. But matters are far worse than that. Franklin’s quote imagines a scenario where “temporary safety” can indeed be purchased by giving up liberty. That’s not the bargain the FBI is offering.

Instead, the FBI is offering what some people have called a grand bargain, where A gives something of concrete value to B, but B is not required to clearly specify what A will receive in return. In this case, Apple is being asked to give something of concrete value to the FBI (e.g. the time of its engineers) but it is totally unclear what the FBI is giving back to

Apple or to the American people

In a nutshell, here’s where we are: A government agency is trying to force the world’s most valuable technology company to break its encryption technology despite (1) having no legal authority to do so and (2) being unable to articulate what they hope to achieve on behalf of the American people. Sounds like a grand bargain to me.

TechCrunch:

« China Wants FBI’s Help With Internet Security
Former CIA Director Calls Out The FBI Over iPhone Backdoor »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Snow Software

Snow Software

Snow Software is changing the way organizations think about their technology investments, empowering IT and business leaders to drive transformation with precision and agility.

Optimal IdM

Optimal IdM

Optimal IdM is a leading global provider of identity management solutions and services.

BlueID

BlueID

BlueID is an IDaaS technology product which enables your objects to securely connect and interact with your users’ smart phones and smart watches.

Vector InfoTech

Vector InfoTech

Vector InfoTech is a leader in Industrial Security, Networks, IT and Telecommunications.

National Cyber Security Centre (NCSC) - Switzerland

National Cyber Security Centre (NCSC) - Switzerland

The National Cyber Security Centre is Swizerland's competence centre for cybersecurity and the first contact point for businesses, public administrations, and the public for cyber issues.

OpenText

OpenText

OpenText is a leader in Enterprise Information Management software and a portfolio of related solutions for Information Governance, Compliance, Information Security and Privacy.

Pathway Forensics

Pathway Forensics

Pathway Forensics is a leading provider of computer forensics, e-discovery services and digital investigations.

T-REX

T-REX

T-REX is a coworking space, technology incubator, and entrepreneur resource center for technology startups.

Parameter Security

Parameter Security

Parameter Security is a provider of ethical hacking and information security services.

United Network Technologies

United Network Technologies

United Network Technologies is a leading Managed Services Provider, distributor and developer of specialised cyber security components and technologies.

Onevinn

Onevinn

Onevinn's goal is to create a transparent, cost-effective security that is noticed as little as possible by the users. We simply call it "intelligent security."

Appsec Phoenix

Appsec Phoenix

Appsec Phoenix is an end to end vulnerability management platform that focuses on workflows, threat feed, and real time data.

Triaxiom Security

Triaxiom Security

Triaxiom Security offers penetration testing, security audits, and strategic consulting customized to meet your needs.

SecurityStudio

SecurityStudio

SecurityStudio is a continuous cybersecurity risk management platform that allows decision-makers to quickly identify the most immediate threats and make confident risk informed decisions.

Minorities in Cybersecurity (MiC)

Minorities in Cybersecurity (MiC)

MiC was developed out of a unique passion to help fill the gap that exists in the support and development of women and minority leaders in the cybersecurity field.

Red Maple Technologies

Red Maple Technologies

Started and run by engineers from the UK Intelligence and Defence communities, Red Maple is a technical consultancy and product company.