Is Apple Right To Resist The FBI?

The FBI wants Apple to do something no private company has ever been forced to do: break its own technology.

Specifically, the FBI wants Apple to build a new version of its mobile operating system (iOS, or GovOS) so that the contents of an iPhone can be removed from an iPhone used by Syed Farook, one of the gunmen in the San Bernardino shooting.

A magistrate judge recently ordered Apple to comply with this request; Apple in turn filed a Motion to Vacate (MTV) the magistrate’s order. The key point made in the MTV, and the key issue on which this entire case hangs, is that complying with the FBI’s request would weaken a valuable encryption platform at a time when the United States desperately needs stronger, more effective encryption.

There is an arms race to create more-sophisticated, harder-to-crack encryption tools, and if the FBI gets its way, we will be running that race with a self-imposed handicap.

Apple is appearing before Congress to address the issues raised above. For those unable to attend the hearings, I want to explore how Apple is thinking about the FBI’s legal authority to compel the company to create new software to crack Apple’s security measures.

After exploring that legal issue, we’ll consider the broader constitutional stakes involved in this case. After all, it’s not everyday that the US government is asking a private company to undermine a technology platform without providing any concrete evidence that doing so will make Americans safer.

What does the law say?

To understand what the law says, we must first properly frame what the FBI is trying to compel Apple to do. Without a precise understanding of what the FBI is demanding in this case, it is hard to clearly say that the FBI is trying to overstep its bounds.

What is the FBI seeking here? First, the FBI is demanding that Apple make a new software product. Second, that software product would have to be designed in accordance with specifications provided to Apple by the FBI. Third, once Apple created that software product, it would have to test the product to ensure it met Apple’s own quality standards. Fourth and finally, Apple would have to test and validate this software product so that criminal defendants would be able to exercise their constitutional rights to challenge the government’s legal claims as provided by the Federal Rules of Evidence (FRE).

Forcing a company to break its own technology appears to be something a dictatorship might do, not a democracy like the United States.

Simply put, the FBI is demanding that Apple create a new software product that meets specifications provided by the FBI. As Apple clearly articulates in its MTV, the FBI is demanding “the compelled creation of intellectual property.” The legal grounds for the FBI’s demand come from the Communications Assistance for Law Enforcement Act (CALEA) and the All Writs Act (AWA).

With this understanding in mind, what does the law say? Is there any law that allows a government agency such as the FBI to compel private companies to create new software products?

Under CALEA, there is a strong argument that Apple cannot be legally required to create new software of any kind for any department of the federal government. When Congress passed CALEA, it had the opportunity to include device manufacturers like Apple within the scope of the law. Congress decided to require telecommunications companies to ensure that their equipment and facilities are built in a way that allows the government to conduct surveillance on the basis of a lawful surveillance warrant.

In other words, telecommunications companies have to build in a back door. However, under CALEA, Apple is not a telecommunications company; instead, Apple is considered an “information service” to which CALEA does not apply. In short, Congress made it clear they did not intend for CALEA to even apply to companies like Apple.

Even if CALEA applied to Apple, the FBI would not be entitled under CALEA to force the company to break its encryption protocol. The statute in section 1002(b)(3) states that telecommunications companies are not responsible for decrypting communications “unless the encryption (1) was provided by the carrier and (2) the carrier possesses the information necessary to decrypt the communication.”

Because Apple does not currently possess that information, even an improperly broad interpretation of CALEA would not compel Apple to create GovOS in this case. The FBI can ask, but under CALEA it cannot compel.

In a nation of laws, the FBI’s attempt to expand the AWA is dangerous. The FBI’s interpretation of the AWA transforms the law into something it was never meant to be: a tool granting government agencies boundless powers not authorized under the Constitution or in existing federal law.

Fortunately, a Brooklyn judge recently ruled, in a separate but similar case involving a demand from the Department of Justice to unlock an iPhone, that the AWA only empowers courts with “residual authority to issue orders that are consistent with the usages and principles of law.” Judge Orenstein explicitly condemned the government’s overreach in that case, echoing the exact concerns explored above: “The implications of the government’s position are so far-reaching, both in terms of what it would allow today and what it implies about Congressional intent in 1789, as to produce impermissibly absurd results.”

What should Apple do?

Apple should do what is necessary to preserve our enduring constitutional values, including life, liberty and the pursuit of happiness. Those values also include the privacy and speech rights protected by the Constitution. The First Amendment famously protects an individual’s right to say what he or she thinks or feels, and the Fourth Amendment guarantees that Americans shall be free of unreasonable searches and seizure.

These values and constitutional ideals are not mere commodities to be traded away, but are instead regulative ideals that capture and define who we are. Such ideals must remain unmolested by the temporary whims of each and every government agency. That’s what it means to be a nation of laws that is guided by a constitution.

In this particular case, Apple has a responsibility to resist the FBI’s efforts to force the company to undermine the security measures in its mobile operating system. To understand what is at stake here, one has to think deeply about what the world would be like if Apple were to comply with the FBI’s demands.

The FBI, then, is asking Apple to build a technology that destroys the value of the key security mechanisms built into its mobile operating system: The FBI wants to force a private company to build a tool that completely breaks the security technology for what is arguably the world’s gold-standard for mobile operating systems, iOS.

On this narrow issue, the FBI has to agree and concede this critical point. For the FBI cannot say that (1) it needs Apple’s assistance to crack an iPhone but (2) Apple’s assistance would not break a world-class encryption product. Once the FBI says that it needs Apple’s help, the FBI can’t honestly challenge the fact that the help it seeks would utterly break a security suite that Apple has spent years developing.

Final thoughts

Perhaps this is the right time to share Franklin’s adage about the moral quality, or lack thereof, of folks who want to trade privacy for a little temporary security. Franklin wrote the following to the Pennsylvania Assembly in 1755: “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”

I truly wish Franklin’s quote sufficed to describe the constitutional predicament we are in today. But matters are far worse than that. Franklin’s quote imagines a scenario where “temporary safety” can indeed be purchased by giving up liberty. That’s not the bargain the FBI is offering.

Instead, the FBI is offering what some people have called a grand bargain, where A gives something of concrete value to B, but B is not required to clearly specify what A will receive in return. In this case, Apple is being asked to give something of concrete value to the FBI (e.g. the time of its engineers) but it is totally unclear what the FBI is giving back to

Apple or to the American people

In a nutshell, here’s where we are: A government agency is trying to force the world’s most valuable technology company to break its encryption technology despite (1) having no legal authority to do so and (2) being unable to articulate what they hope to achieve on behalf of the American people. Sounds like a grand bargain to me.

TechCrunch:

« China Wants FBI’s Help With Internet Security
Former CIA Director Calls Out The FBI Over iPhone Backdoor »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Aurec

Aurec

Aurec provides specialist recruitment and contracting services including ICT professionals.

Axial

Axial

Axial Systems is one of the UK’s leading solution providers and systems integrators in network, security and services.

Verve Industrial

Verve Industrial

Verve specialize in providing software and services to help protect and secure critical industrial control systems.

Wibu-Systems

Wibu-Systems

Wibu-Systems is a leading provider of solutions for the Digital Rights Management (DRM) and anti-piracy industry.

Windscribe

Windscribe

Windscribe is a Virtual Private Network services provider offering secure encrypted access to the internet.

CS3STHLM

CS3STHLM

CS3STHLM is the Stockholm international summit on Cyber Security in SCADA and Industrial Control Systems.

Swarmnetics

Swarmnetics

Swarmnetics helps customers discover hard-to-find software vulnerabilities by hacking your system before the bad guys do.

HALOCK Security Labs

HALOCK Security Labs

HALOCK is an information security consultancy providing both strategic and technical security offerings.

Green Radar

Green Radar

Green Radar is a next generation cybersecurity company which combines technologies and services together to deliver Threat Detection for Emails and Deep Threat Analytics and Response.

AMSYS Innovative Solutions

AMSYS Innovative Solutions

AMSYS is a full-service, 24/7/365 IT solutions, Cybersecurity & Managed Service Provider.

Datastream Cyber Insurance

Datastream Cyber Insurance

DataStream Cyber Insurance is designed to give SMB’s across the US greater confidence in the face of increasing cyber attacks against the small and medium business community.

Purple Team

Purple Team

Purple Team is an expert cybersecurity and managed security service provider focused on arming your IT infrastructure with both red team and blue team services.

IDVerse

IDVerse

IDVerse is focused on making user verification effortless through technology. We build intelligent tools that protect users from identity fraud while enabling a seamless user experience.

Intellinexus

Intellinexus

Intellinexus turns data into actionable insights to revolutionise decision-making in your business.

Haiku

Haiku

Haiku stands at the forefront of cybersecurity upskilling, leveraging video games to immerse you in a flow state for accelerated, enduring learning.

RST Cloud

RST Cloud

RST Cloud is a cutting-edge technology company that specialises in threat intelligence solutions for businesses of all sizes.