Is Apple Right To Resist The FBI?

Uploaded on 2016-03-23 in GOVERNMENT-Law Enforcement, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, NEWS-Cybersecurity News

The FBI wants Apple to do something no private company has ever been forced to do: break its own technology.

Specifically, the FBI wants Apple to build a new version of its mobile operating system (iOS, or GovOS) so that the contents of an iPhone can be removed from an iPhone used by Syed Farook, one of the gunmen in the San Bernardino shooting.

A magistrate judge recently ordered Apple to comply with this request; Apple in turn filed a Motion to Vacate (MTV) the magistrate’s order. The key point made in the MTV, and the key issue on which this entire case hangs, is that complying with the FBI’s request would weaken a valuable encryption platform at a time when the United States desperately needs stronger, more effective encryption.

There is an arms race to create more-sophisticated, harder-to-crack encryption tools, and if the FBI gets its way, we will be running that race with a self-imposed handicap.

Apple is appearing before Congress to address the issues raised above. For those unable to attend the hearings, I want to explore how Apple is thinking about the FBI’s legal authority to compel the company to create new software to crack Apple’s security measures.

After exploring that legal issue, we’ll consider the broader constitutional stakes involved in this case. After all, it’s not everyday that the US government is asking a private company to undermine a technology platform without providing any concrete evidence that doing so will make Americans safer.

What does the law say?

To understand what the law says, we must first properly frame what the FBI is trying to compel Apple to do. Without a precise understanding of what the FBI is demanding in this case, it is hard to clearly say that the FBI is trying to overstep its bounds.

What is the FBI seeking here? First, the FBI is demanding that Apple make a new software product. Second, that software product would have to be designed in accordance with specifications provided to Apple by the FBI. Third, once Apple created that software product, it would have to test the product to ensure it met Apple’s own quality standards. Fourth and finally, Apple would have to test and validate this software product so that criminal defendants would be able to exercise their constitutional rights to challenge the government’s legal claims as provided by the Federal Rules of Evidence (FRE).

Forcing a company to break its own technology appears to be something a dictatorship might do, not a democracy like the United States.

Simply put, the FBI is demanding that Apple create a new software product that meets specifications provided by the FBI. As Apple clearly articulates in its MTV, the FBI is demanding “the compelled creation of intellectual property.” The legal grounds for the FBI’s demand come from the Communications Assistance for Law Enforcement Act (CALEA) and the All Writs Act (AWA).

With this understanding in mind, what does the law say? Is there any law that allows a government agency such as the FBI to compel private companies to create new software products?

Under CALEA, there is a strong argument that Apple cannot be legally required to create new software of any kind for any department of the federal government. When Congress passed CALEA, it had the opportunity to include device manufacturers like Apple within the scope of the law. Congress decided to require telecommunications companies to ensure that their equipment and facilities are built in a way that allows the government to conduct surveillance on the basis of a lawful surveillance warrant.

In other words, telecommunications companies have to build in a back door. However, under CALEA, Apple is not a telecommunications company; instead, Apple is considered an “information service” to which CALEA does not apply. In short, Congress made it clear they did not intend for CALEA to even apply to companies like Apple.

Even if CALEA applied to Apple, the FBI would not be entitled under CALEA to force the company to break its encryption protocol. The statute in section 1002(b)(3) states that telecommunications companies are not responsible for decrypting communications “unless the encryption (1) was provided by the carrier and (2) the carrier possesses the information necessary to decrypt the communication.”

Because Apple does not currently possess that information, even an improperly broad interpretation of CALEA would not compel Apple to create GovOS in this case. The FBI can ask, but under CALEA it cannot compel.

In a nation of laws, the FBI’s attempt to expand the AWA is dangerous. The FBI’s interpretation of the AWA transforms the law into something it was never meant to be: a tool granting government agencies boundless powers not authorized under the Constitution or in existing federal law.

Fortunately, a Brooklyn judge recently ruled, in a separate but similar case involving a demand from the Department of Justice to unlock an iPhone, that the AWA only empowers courts with “residual authority to issue orders that are consistent with the usages and principles of law.” Judge Orenstein explicitly condemned the government’s overreach in that case, echoing the exact concerns explored above: “The implications of the government’s position are so far-reaching, both in terms of what it would allow today and what it implies about Congressional intent in 1789, as to produce impermissibly absurd results.”

What should Apple do?

Apple should do what is necessary to preserve our enduring constitutional values, including life, liberty and the pursuit of happiness. Those values also include the privacy and speech rights protected by the Constitution. The First Amendment famously protects an individual’s right to say what he or she thinks or feels, and the Fourth Amendment guarantees that Americans shall be free of unreasonable searches and seizure.

These values and constitutional ideals are not mere commodities to be traded away, but are instead regulative ideals that capture and define who we are. Such ideals must remain unmolested by the temporary whims of each and every government agency. That’s what it means to be a nation of laws that is guided by a constitution.

In this particular case, Apple has a responsibility to resist the FBI’s efforts to force the company to undermine the security measures in its mobile operating system. To understand what is at stake here, one has to think deeply about what the world would be like if Apple were to comply with the FBI’s demands.

The FBI, then, is asking Apple to build a technology that destroys the value of the key security mechanisms built into its mobile operating system: The FBI wants to force a private company to build a tool that completely breaks the security technology for what is arguably the world’s gold-standard for mobile operating systems, iOS.

On this narrow issue, the FBI has to agree and concede this critical point. For the FBI cannot say that (1) it needs Apple’s assistance to crack an iPhone but (2) Apple’s assistance would not break a world-class encryption product. Once the FBI says that it needs Apple’s help, the FBI can’t honestly challenge the fact that the help it seeks would utterly break a security suite that Apple has spent years developing.

Final thoughts

Perhaps this is the right time to share Franklin’s adage about the moral quality, or lack thereof, of folks who want to trade privacy for a little temporary security. Franklin wrote the following to the Pennsylvania Assembly in 1755: “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”

I truly wish Franklin’s quote sufficed to describe the constitutional predicament we are in today. But matters are far worse than that. Franklin’s quote imagines a scenario where “temporary safety” can indeed be purchased by giving up liberty. That’s not the bargain the FBI is offering.

Instead, the FBI is offering what some people have called a grand bargain, where A gives something of concrete value to B, but B is not required to clearly specify what A will receive in return. In this case, Apple is being asked to give something of concrete value to the FBI (e.g. the time of its engineers) but it is totally unclear what the FBI is giving back to

Apple or to the American people

In a nutshell, here’s where we are: A government agency is trying to force the world’s most valuable technology company to break its encryption technology despite (1) having no legal authority to do so and (2) being unable to articulate what they hope to achieve on behalf of the American people. Sounds like a grand bargain to me.

TechCrunch:

« China Wants FBI’s Help With Internet Security
Former CIA Director Calls Out The FBI Over iPhone Backdoor »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Navista

Navista

Navista's hardware and software modules are especially designed to ease the deployment of secure networks.

HireVergence

HireVergence

HireVergence is a full service IT staffing and recruiting firm with a focus on cyber and information security.

IdenTrust

IdenTrust

IdenTrust enables organizations to effectively manage the risks associated with identity authentication.

SAASPASS

SAASPASS

SAASPASS is a full-stack identity and access management solution, a single product which allows you to manage all your digital and physical access needs securely and conveniently.

FoxGuard Solutions

FoxGuard Solutions

FoxGuard Solutions develops customized cyber security, compliance and industrial computing solutions for critical infrastructure entities and control system vendors.

ThreatAdvice

ThreatAdvice

ThreatAdvice is a provider of cybersecurity education, awareness and threat intelligence.

CSO GmbH

CSO GmbH

CSO GmbH provide specialist consultancy services in the area of IT security.

Langner

Langner

Langner is a software and consulting firm specialized in cyber security for critical infrastructure and large-scale manufacturing.

Infodas

Infodas

Infodas provides Cybersecurity and IT consulting / system integration services as well as a range of innovative Cybersecurity products to public sector and commercial clients.

SimSpace

SimSpace

SimSpace is the visionary yet practical platform for measuring how your security system responds under actual, sustained attack.

Militus

Militus

Militus provides the only information security service available that learns and analyzes your network over time using a custom-built network-based toolset.

US Digital Corps

US Digital Corps

The U.S. Digital Corps is a new two-year fellowship for early-career technologists where you will work every day to make a difference in critical impact areas including cybersecurity.

Pillar Technology Partners

Pillar Technology Partners

Pillar Technology Partners is an Information Security Company with a focus on improving Cyber Risk and optimizing the processes and technology that underpin the security of your information assets.

Systems Engineering

Systems Engineering

Systems Engineering is a SOC 2, Type 2-certified IT strategy and managed technology services provider.

Beaming

Beaming

Beaming is an established Internet Service Provider for businesses across the UK. We deliver reliable voice, data and managed services, including cybersecurity.

Seiber

Seiber

Seiber are a UK based Cyber Security company who provide consultancy and training services. Our objective is to stop bad things happening to good people.