Updated - The FBI’s Battle with Apple over the San Bernardino iPhone: The agency’s request from the technology giant could have long-reaching implications

Thursday, February 25, 2016 - 19:03

Updated on March 4, 2016

Since this interview there have been four new significant events. 

First, Apple filed its opposition brief to the FBI’s motion to compel and the Court’s issuance of the All Writs Act (“AWA”) order requiring Apple to assist in the unlocking of Syed Farook’s 5c iPhone. In that brief, Apple raises 1st and 5th Amendment objections, asserts that its assistance is not without significant current and ongoing burden, and that this will not, cannot, be the only phone at issue since hundreds of similarly situated phones are already waiting. The 1st Amendment argument cites case law that (a) the Supreme Court has ruled that programming is equivalent to speech, and (b) you cannot compel someone to say something against their will, hence Apple cannot be compelled to program that which has not been programmed.

Second, in a separate case with a similar FBI request, an Eastern District of New York federal magistrate, Judge James Orenstein, issued a 50-page opinion on the FBI's AWA request to compel Apple to unlock an iPhone. He largely critiques the use of AWA in this manner as exceeding what was intended by the Constitution and circumventing what was considered and not adopted by Congress.

Third, Apple and the FBI appeared before Congress to discuss this impasse. Apple offered no new alternative solutions or legislative solutions, and the FBI admitted that there are other phones and other writs awaiting a decision, or a framework, for accessing this information. In other words – it was a lot of words, but no decisions have been made.

Fourth, interested parties have filed Amicus Briefs in favor of Apple’s position in the Central District Eastern Division California Federal Court. These include Intel, AT&T, the ACLU, Amazon, Cisco, Box, Facebook, Google, and many, many more. 

The next significant event in the California case will be a March 22 hearing at which both sides will argue their positions. 

 

-----------------------------------------                                                            

 

A nationally recognized electronic evidence and case management expert with 20 years’ experience in consulting to legal and corporate entities, Dan Regard applies his expertise in this explanation of the FBI’s request for Apple’s assistance in unlocking the iPhone of a suspect. His remarks have been edited for length and style.

MCC: Let’s start with a little background on the case. Most readers know that Apple is battling the FBI over the iPhone of one of the San Bernardino shooters, but bring us up to date.

Regard: The FBI is in possession of an iPhone that was issued to Syed Farook in his role as an employee at the San Bernardino Department of Public Health. Syed Farook and his wife are the suspects in the mass murder that took place last December. The FBI has been working with Apple to access information on that phone and has accessed some of the information, specifically a backup to iCloud in October 2015, but the agency has not been able to access the information that remains on the physical device. This includes information that may have been deleted prior to that backup yet could still be recoverable from the device, and information created after the backup.

From my understanding of what Apple and the government have published – I have read the pleadings and the statements – Apple has been willing to assist the government in acquiring data from any of their phones to the extent that there are already weaknesses, or avenues of access, in the phone’s current operating system and infrastructure. In other words, if there is an existing way to bypass security or access information in the cloud, Apple has helped the government pursue those methods. Where Apple seems to have drawn the line is in saying that if a weakness does not exist, it will not create a weakness. Their stated goal is to make security stronger, not actively work to weaken it, which they’ve defined as the equivalent of building a backdoor to the device.

That’s where we are today. The FBI has applied to the court for a writ – an order – directing Apple to assist the FBI in recovering this data by creating an alternative version of their newest operating system that would allow the government to weaken or circumvent three of its security protocols by: 1) removing the auto destruction of data if 10 passcode attempts in a row fail; 2) removing the automatic delay triggered by the entry of an incorrect passcode; and 3) allowing the government to input passcodes by computer rather than manually. Both the FBI and Apple believe these three changes would allow the government to mount a “brute force” attack on Farook’s phone by rapidly applying millions of passcode combinations in an attempt to open up the phone.

MCC: Let’s talk about the procedural path pursued by the government. The writ directing Apple to help the FBI has been getting a lot of attention from legal scholars and other observers. Is there any significance to the government’s choice?

Regard: Some of the articles and speakers on this issue have argued that the government is applying an old, obscure and antiquated law. I would agree that the writ, which derives from the All Writs Act of 1789, is certainly old. I would not agree that it’s obscure or antiquated. It happens to be only one year younger than the U.S. Constitution and was part of the Judiciary Act, which established and granted power to the Supreme Court and the federal judiciary. It is fundamental to how our courts operate, and in fact, it’s been used quite a bit in other criminal proceedings for similar access of systems.

The court issuing the writ gave Apple five days to respond, which has been extended to Friday Feb. 25, when Apple must state whether they’re going to comply or not. Instead of responding with a legal statement, at least so far, Apple issued a public statement to its supporters and customers saying they don’t intend to comply with the writ. It’s believed that Apple has not provided information, as the All Writs Act permits, that compliance will be too burdensome or that they lack the ability to do so. I believe Apple, either directly or through conversations with the FBI, has admitted that they have the ability to comply and that they have the people to do it. So it’s not a burden and ability argument; rather, it’s a policy argument.

MCC: Let’s look at the policy issues. The FBI and Apple have taken very different stances on the policy implications of Apple helping the government crack Farook’s iPhone.

Regard: The FBI has said this is a single case involving a single phone in a matter with extremely high consequences – terrorism on U.S. soil – and therefore if an exception is ever going to be made, this is where an exception should be made. It’s an extremely limited, focused and finite circumstance.

That’s the FBI’s stance, but it’s not exactly true. This may be one case, but in fact, Apple has disclosed nine similar requests pending. The attorney for New York City has stated that he has 175 (or 155, depending on which report you believe) phones waiting for exactly the same level of assistance, and Apple has said that there are hundreds more pending in the United States alone. These are not terrorism matters, but they are matters in which law enforcement is asking for help opening iPhones equipped with Apple’s newer, stronger operating system.

Apple has taken the position that this is a slippery slope. Once companies are conscripted into proactively helping the government weaken security, it starts us down a road of weakening all security, and that is the opposite of the direction that we’ve been moving as an industry, both politically and technologically.

MCC: You’ve mentioned other possible ramifications from the Apple-FBI battle, including implications extending beyond U.S. borders. What do you see on the horizon?

Regard: One thing that’s not being discussed is the impact this type of a ruling potentially could have on international relations, in particular the relationship between the European Union and the United States. I spend a lot of time looking at U.S.-EU data relations. My educational background is in international comparative law. A portion of the work that I’ve been doing for the last six or seven years has been developing methodologies for cross-border data transfers between the U.S. and the EU. I’ve worked with a number of data protection authorities and with a U.S. legal think tank, the Sedona Conference, to accomplish those goals.

This matter, if it goes all the way up to the U.S. Supreme Court and the Court enforces the order, which many believe could happen, would trigger grave concerns. The EU has the ability to hold any data transfer from Europe to the U.S. to the higher European standards for privacy and data security. They already have found that the U.S. does not have a sufficient legal infrastructure in place to protect data. This would aggravate that finding, and as we saw recently in the widely publicized Schrems case, in which an Austrian citizen challenged the legitimacy of data transfers from the EU to the U.S. under what was known as the Safe Harbor agreement, the highest EU court agreed that that was open to scrutiny, which resulted in cancellation of the Safe Harbor agreement between the EU and the U.S.

The rulings of the Schrems case have even broader implications. They imply that any mechanism for transferring data from the EU to the U.S., which would include two other well-known mechanisms, binding corporate rules and model contracts, would also be insufficient as long as, in the U.S., there were overriding public and law enforcement concerns that could open up access to this data, despite a company’s or individual’s intent to adhere to the higher EU standards. Under that analysis, anything that weakens our ability to keep data private and secure weakens our relationship with the EU. And anything that weakens our data transfer relationships with the EU, I believe, impacts our economic competitiveness globally. That is a big policy issue, and it’s an issue that I don’t believe has seen enough open dialogue in the public forum as this case heats up and moves toward a crescendo later this week.

MCC: That sounds like we could be between a rock and a hard place when it comes to data transfer with the EU.

Regard: The issue is that the Data Protection Directive provides for the transfer of personal data to a third country only if that third country ensures an adequate level of protection of the data. In the U.S., we have issues of national security, public interest and law enforcement that can prevail over the Safe Harbor scheme. That was one of the reasons that they struck it down. If we take that same analysis and apply it to other mechanisms, we’ll find that our national security, public interest and law enforcement requirements will continuously prevail. We haven’t developed a scheme yet that overcomes that objection and an enforcement order in the Apple matter would further undermine that goal and enhance those objections.

MCC: Some of the talk about this case has centered on the future of accessibility for law enforcement and building products that law enforcement would be able to access when needed, as opposed to the super lockdown technology that Apple has in this version of the iOS. What’s the rationale, and is it something that you see as viable?

Regard: There are two rationales. On the law enforcement side, this is the first public example of law enforcement hitting a roadblock. Up until now, with increasing levels of difficulty, these phones have been accessible with the cooperation of Apple through existing weaknesses in the security paradigm. But as technology has progressed, we’ve gotten to the point where the prior techniques no longer work. Law enforcement recognizes that going forward this will continue to be a problem. So they need a way to compel companies to provide a method for access, whether it’s a technique that we own or a technique that we can apply or a technique that can be used under controlled circumstances. They can’t operate in a world where access to information that they’ve gotten so accustomed to using, and is recognized as a rich source of evidence, cannot be had.

On the Apple side, and I think on the public side, the problem is that there have been so many stories about the government not demonstrating restraint nor an affinity for narrow applications. Instead, we hear of techniques approved under the Patriot Act, and secret courts that have oversight, of which the public has no knowledge. One could argue, and I think it is correct, that the disclosures of government behavior, including the Snowden disclosures, are actually accelerating the rush toward encryption and increased data privacy. It’s not strictly an issue of protecting against hackers and criminals. People are legitimately concerned about protecting themselves against the government. At the same time, the government itself has been hacked, and numerous agencies have had their data compromised. The government’s own expertise on security is, in these circumstances, in question. Finally, we continue to see reports – I saw one this morning – about indiscriminate collection of data from cell phones and Internet traffic off those phones. These types of sweep-it-all-up programs by the government are undermining the public’s confidence that the government can put in place a narrowly constrained access protocol. The trust just isn’t there right now.

MCC: Moving beyond Apple, what are the implications for other companies in terms of security and data retention policies?

Regard: Companies will continue to evolve encryption technologies that cannot be unwound. Once data is encrypted, it will not be accessible to anybody without a piece of information that cannot be technologically accessed without the owner of the data – not by the government, the hosting company or the equipment manufacturer – unless the government is successful in getting a court order or Congress is convinced to legislate that these companies must build in access methodologies and are prohibited from creating data security protocols that are so enclosed that nobody can get to the data. I believe that’s the slippery slope that Apple, and the other companies that have spoken out in support of Apple, are concerned about. They worry that there are individuals who would like companies to build in permanent weaknesses to their data security and data encryption so the data can always be accessed, and that however many hoops and warrants and writs have to be issued, there will always be a way to get to this data.

The implications for U.S. companies are that they’ll be forced to create these access points, and companies in countries that don’t require that will become more competitive, and people will choose to use them for private security purposes. That’s a different type of economic competitiveness than the EU-U.S. problem, affecting not only technology companies, but any company that seeks to have a footprint in both places.

MCC: Is there anything else that our readers should know about this case and the potential impacts and implications?

Regard: This is a very difficult case because the facts are undeniably a tragedy. This attack by two individuals who affiliate themselves with terrorism and perpetuating this horrible attack is something that is an abomination to all of us. Still, we cannot forget the larger policy implications that arise from these horrific facts, and the global competitive impact that I can foresee.

I think you can expect to see a lot more rhetoric in the public domain because in the instant case, in front of the district court, the writ appears, on its face, to be enforceable. That’s my interpretation of the way it was written and the way Apple has not yet responded. In a recent action not related to the Syed Farook phone, a judge in the Eastern District of New York denied a similar writ. So we may see these two federal districts collide if, in fact, the judge in the Farook case does enforce the order and require Apple to comply. I predict this will land before the U.S. Supreme Court before it’s over.

 

Daniel L. Regard, CEO and co-founder of Washington, D.C.-based iDiscovery Solutions, Inc., can be reached at dregard@idiscoverysolutions.com.