The hot topic of the day is the decision of United States Magistrate Judge Sheri Pym to order Apple to assist the FBI in accessing the data on an iPhone 5C owned by one of the San Bernardino terrorists. Whether on social media or news reports, much of the information surrounding this order is misunderstood.
On December 2, 2015, Syed Rizwan Farook and his wife, Tashfeen Malik, murdered 14 people in a shooting spree in San Bernardino, California. The criminal act was as shocking as it was disgusting.
As part of its investigation, the FBI has zeroed in on Syed Farook’s iPhone. Specifically, an iPhone 5C, Model A1532 with Verizon service. As an Apple product, the phone has certain encryption features to protect data from hackers.
The FBI Position
The FBI desires to access the phone data. The Bureau has been unable to hack the phone. The FBI is out of ideas and intends to use a “brute force attack” to hack the phone. However, the Bureau is concerned the brute force attack will trigger the security on the phone to erase the data. To prevent this, the Bureau has petitioned Magistrate Judge Pym for assistance.
The Proposed Hack
Various reports suggest Apple has been ordered to hack its encryption. These reports are not entirely correct. The proposed hack involves disabling a few aspects of the security, but not the encryption, itself. If Apple complies with the order, the FBI will not be able to just turn on the phone and see the data. The Bureau will still need to break the passwords, but can have at it without risking data loss.
Apple argues disabling even part of the security for the iPhone is effectively compromising the encryption. The company further claims doing so creates a methodology for other third-parties to hack iPhones and other Apple products in the future. Apple also argues Judge Pym has no authority to force a company to affirmatively create software to disable encryption in its own products.
There is no law requiring a company to provide a backdoor to law enforcement for its encrypted products. How then did the FBI argue there was authority for compelling Apple’s assistance in this matter? By citing an antiquated catch-all law…
…wait for it…
The All Writs Act of 1789.
Yes. A law enacted in 1789.
The All Writs Act of 1789 gives a judge the authority to issue an order when four factors are met:
- No statute, law, or regulation addresses the issue in question.
- The company has some connection to the event.
- Extraordinary circumstances exist.
- Compliance is not unduly burdensome.
In this matter, the FBI has argued:
- There is no statute on the issue [correct].
- The phone is an Apple product and only accessible by Apple [correct].
- Extraordinary circumstances exist because there is no other way to access the phone, and the data could prevent future attacks [questionable].
- Apple writes code all the time and should be able to breach the security for its phone [possibly].
The Judge and Her Ruling
Sheri Pym was appointed a magistrate judge in 2011. Before her appointment, she served as an Assistant U.S. Attorney and Chief of the Riverside branch office of the United States Attorney’s Office – the same Office seeking the order in this matter!
As we now know, Pym sided with the FBI. The order reads as follows:
For good cause shown, IT IS HEREBY ORDERED that:
1. Apple shall assist in enabling the search of a cellular telephone, Apple make: iPhone 5C [“SUBJECT DEVICE”]…pursuant to a warrant of this Court by providing reasonable technical assistance to assist law enforcement agents in obtaining access to the data of the SUBJECT DEVICE.
2. Apple’s reasonable technical assistance shall accomplish the following three important functions: (1) it will bypass or disable the auto-erase function whether or not it has been enabled; (2) it will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT DEVICE and (3) it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.
3. Apple’s reasonable technical assistance may include, but is not limited to: providing the FBI with a signed iPhone Software file, recovery bundle, or other Software Image File (“SIF”) that can be loaded onto the SUBJECT DEVICE. The SIF will load and run from Random Access Memory and will not modify the iOS on the actual phone, the user data partition or system partition on the device’s flash memory. The SIF will be coded by Apple with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE. The SIF will be loaded via Device Firmware Upgrade (“DFU”) mode, recovery mode, or other applicable mode available to the FBI. Once active on the SUBJECT DEVICE, the SIF will accomplish the three functions specified in paragraph 2. The SIF will be loaded on the SUBJECT DEVICE at either a government facility, or alternatively, at an Apple facility; if the latter, Apple shall provide the government with remote access to the SUBJECT DEVICE through a computer allowing the government to conduct passcode recovery analysis.
4. If Apple determines that it can achieve the three functions stated above in paragraph 2, as well as the functionality set forth in paragraph 3, using an alternate technological means from that recommended by the government, and the government concurs, Apple may comply with this Order in that way.
The order also sets out that:
6. To the extent that Apple believes that compliance with this Order would be unreasonably burdensome, it may make an application to this Court for relief within five business days of receipt of the Order.
Bad Facts Make Bad Law
Legal professionals have a saying – bad facts make bad law – that applies to this case. The encryption debate is vigorous. Tech companies hate the idea of backdoors. Government agencies consider access a must. The Assistant United States Attorneys know this full well and have carefully forum shopped this case to set a precedent in federal court. After all, what federal judge located in San Bernardino wants to be viewed as protecting the data of one of the terrorists?
Encryption is a tricky subject. Tech companies and law enforcement agencies both have credible arguments for and against allowing backdoor access to programs. A federal courtroom is not the proper place to decide this issue. Congress needs to address what legal limits, if any, will be placed on encrypted products and needs to do so quickly.
For better of for worse, Judge Pym is setting a precedent by compelling Apple to assist the FBI. Apple will undoubtedly appeal immediately, putting the case before an appellate court that might be less inclined to use a law from 1789 to address modern digital encryption issues.
Richard A. Chapo, Esq.