Friday, February 19, 2016

Apple, the FBI, and the All Writs Act

by Michael Dorf

Apple's resistance to the order directing it to develop software that could circumvent the encryption* on the iPhone of deceased San Bernardino killer Syed Farook cites two main objections. First, on policy grounds, Apple argues that orders such as this--that Apple "hack" one of its customers' phones--will, in the long run, do more harm than good. Apple and its various defenders across the tech and civil liberties world argue that a technology developed for the laudable purpose of breaking encryption on a terrorist's phone could leak into the hands of hackers and other bad actors (including other terrorists). In other words, Apple is not simply saying that privacy should prevail over security (although it is certainly saying that pretty loudly), but also that this sort of order would undermine security. I don't have a well-informed view about the merits of this argument, so I will leave it to others.

Apple's second argument is more legal in nature, and so I will focus on it. Apple argues that Congress has not legislated a requirement that makers of phones, computers, and other electronic devices that use encryption build in a "back door" that allows the government to circumvent encryption. Under the circumstances, Apple contends, reliance on the All Writs Act (part of the Judiciary Act of 1789) is an overreach. Is that right?

The short answer is no. As a general matter, it is perilous to infer anything about the state of the law from congressional inaction, but here we do not need to rely on that general proposition. There is case law on point.

The leading SCOTUS precedent is United States v. New York Telephone Co., decided in 1977. There, the FBI sought the assistance of a telephone company in installing a pen register--a device that records the phone numbers called and from which calls are received--on the line of a suspect under investigation. The phone company provided some but not all of the assistance the FBI requested, resisting primarily on the ground that the demand for assistance violated another federal statute limiting wiretapping. The Supreme Court rejected this argument.

But where did the government even get the affirmative power to compel the assistance of the telephone company? The Court cited two sources. First, Federal Rule of Criminal Procedure 41 authorized a search warrant based on probable cause, so the government was entitled to attempt to install the pen register. (The Rule linked above has been amended since 1977, but not in a way that would render it inapplicable to the government's proposed "search" of Farook's iPhone.) What gave the government the power (after successful application for a court order) to compel a third party not itself suspected of criminal activity to provide affirmative assistance? The Court said that this power was conferred by the All Writs Act:
The power conferred by the Act extends, under appropriate circumstances, to persons who, though not parties to the original action or engaged in wrongdoing, are in a position to frustrate the implementation of a court order or the proper administration of justice . . . and encompasses even those who have not taken any affirmative action to hinder justice.
Note that Apple could be said to fall within the core of that statement if one regards the encryption of iPhones as an "affirmative action" that hinders the FBI's efforts, but even if not, the language makes clear that Apple--like New York Telephone before it--could be compelled to assist the FBI. Apple's argument that Congress needs new authority to require it to assist the FBI thus appears to be wrong.

New York Telephone recognized that there could be limits to the government's authority under the All Writs Act to compel complete strangers to a case to assist the government. Presumably, if the San Bernardino killer had owned an Android phone, the FBI couldn't have compelled Apple to provide assistance hacking it simply because it thought that the Apple engineers were better than those employed by Google. But the case involves an iPhone, and so what the Court said about New York Telephone nearly forty years ago seems equally applicable to Apple: "we do not think that the Company was a third party so far removed from the underlying controversy that its assistance could not be permissibly compelled."

Magistrate Judge Pym's order provides Apple with one possible out. She gives Apple the opportunity to demonstrate that compliance would be "unreasonably burdensome," which is pretty much standard language for escaping a disclosure duty. As I understand the technological issues, Apple is being asked to create a special-purpose iOS that removes the password protection upon installation. Apple's public statement does not claim that this is an especially difficult engineering task for its programmers. Rather, Apple's concerns are, as noted above, for the privacy and security of the users of its products more generally.

Does that count as a burden? I very much doubt that the courts will say so, but maybe Apple's argument here is not quite as bad as it at first appears. Apple says that its customers depend on the built-in security features of the iPhone for their security, adding that under the order, "[t]he same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe."

One might read this objection as invoking something akin to a smartphone maker-customer privilege. Suppose that instead of seeking assistance from Apple in decrypting an iPhone, the FBI were seeking the assistance of a doctor in performing an execution or in developing some mechanism for defeating a patient's interests. Then we would say that the government should not be permitted to impose on a doctor an obligation that is fundamentally inconsistent with her professional medical duty to her patients--at least absent a demonstration by the government of a truly compelling need.

There is a key difference here, of course. State and federal law generally recognize a doctor-patient privilege, whereas there is no manufacturer-customer privilege. But maybe that oughtn't to be controlling. After all, under federal law, the courts can recognize new privileges without any new legislation (as when the SCOTUS recognized a therapist-patient privilege in Jaffee v. Redmond). And Apple wouldn't even be asking for a full privilege against turning over existing information--just the right not to be made to develop a new tool for undermining its customers' privacy and security.

To be clear, I think Apple will likely lose this fight--at least given the case law we have. A functional Congress could well decide that permitting the sort of court order at issue in this case does more harm than good, but then, a functional Congress would do a lot of other useful things too.

* Throughout the foregoing post, I refer to "encryption," but the feature at issue is a very primitive version of encryption. After ten unsuccessful attempts at entering a password, iOS wipes the iPhone's memory. The FBI is seeking code from Apple that will eliminate the ten-attempt limit, so that it can unlock Farook's iPhone by guessing all 10,000 possible 4-number passwords. (It's an iPhone 5c, which lacks fingerprint recognition.)