In a discussion with Apple executives today, TechCrunch was informed that Apple had filed a motion to vacate in the case of the FBI compelling Apple to assist in unlocking an iPhone belonging to Syed Farook.
The executive said that “within hours” Apple had provided the information requested by the government on December 6 and again on December 16, and that it cooperated again on January 22 (responded to on the 26).
Apple says that it would have to create a ‘Government OS’ or GovtOS, for the FBI in order to cooperate with the FBI. It would also need to create an FBI forensics lab on site that Apple says could likely be used to unlock iPhones in the future, which law enforcement officials have already indicated in public statements.
In the motion, Apple hinges its argument on the fact that the FBI is attempting to greatly expand the use of the All Writs Act:
No court has ever granted the government power to force companies like Apple to weaken its security systems to facilitate the government’s access to private individuals’ information. The All Writs Act does not support such sweeping use of judicial power, and the First and Fifth Amendments to the Constitution forbid it.
On February 16, Apple says that the FBI filed an order with the court that required Apple to create this software and within hours the court had granted the request. Apple re-stated that it had no warning or communication from the government before the order was published.
“In order to comply with the Gov’t demands, Apple would need to create a new ‘GovtOS’ and FBI forensics lab on site that has the potential to be used on hundreds of phones now in law enforcements possession in conflict with existing law as well as the First and Fifth Amendment of the United States Constitution,” says Apple in the act.
Apple also states that the request violates Apple’s constitutional rights.
The demand violates Apple’s First Amendment rights against compelled speech and viewpoint discrimination. Apple wrote code for its operating system that reflects Apple’s strong view about consumer security and privacy. By forcing Apple to write software that would undermine those values, the government seeks to compel Apple’s speech and to force Apple to express the government’s viewpoint on security and privacy instead of its own.
The government’s demand also violates Apple’s Fifth Amendment right to be free from arbitrary deprivation of its liberties in that it would conscript Apple to develop software that undermines the security mechanisms of its own products.
Microsoft said today that it will file an amicus brief with the courts to support Apple in its battle with the government. At a congressional hearing today, its Chief Legal Officer Brad Smith said that the case has implications for others.
Apple says that it expects more companies to file amicus support for its efforts to oppose the order. Hearings on the order and rebuttal are set to be heard on March 22 at 1pm.
The defense
Apple’s reasoning in the brief rests on three pillars. First, that forcing Apple to write code that weakens its devices and the security of its customers constitutes a violation of free speech as protected by the Constitution.
Second, that the burden the FBI is putting on it by requesting that Apple write the software and assist in unlocking the device is too large. Apple argues that it would have to create the new version of iOS, called GovtOS, which requires coding, signing, verification and testing. It would then have to create an FBI forensics laboratory on site at its headquarters and staff it. The burden would then extend to what Apple views is the inevitable onslaught of additional devices that would follow after the precedent was set.
In addition to free speech, Apple argues that the Fifth Amendment’s Due Process clause prohibits the government from compelling Apple to create the new version of iOS. Apple argues that there is no court precedent for forcing a company to create something new, like GovtOS.
“But compelling minimal assistance to surveil or apprehend a criminal (as in most of the cases the government cites), or demanding testimony or production of things that already exist (akin to exercising subpoena power), is vastly different, and significantly less intrusive, than conscripting a private company to create something entirely new and dangerous. There is simply no parallel or precedent for it,” reads the filing.
The filing
Apple argues that if it complies, a litany of requests (it says hundreds) would come in within “a matter of days.” It’s establishing that there is a precedent being set here, that this is not about an isolated case alone:
“The government says: “Just this once” and “Just this phone.” But the government knows those statements are not true; indeed the government has filed multiple other applications for similar orders, some of which are pending in other courts. And as news of this Court’s order broke last week, state and local officials publicly declared their intent to use the proposed operating system to open hundreds of other seized devices—in cases having nothing to do with terrorism. If this order is permitted to stand, it will only be a matter of days before some other prosecutor, insome other important case, before some other judge, seeks a similar order using this case as precedent.”
Here, Apple brings up the international angle while broadening the discussion to encryption. If it complies with the order, then U.S. encryption would be weakened, and encryption created by foreign companies would be utilized instead. This is a common defense used by proponents of strong encryption. Basically, if you outlaw good encryption, the only people that will suffer are the law-abiding. Everyone else, including bad actors, will be just fine.
“Despite the context of this particular action, no legal principle would limit the use of this technology to domestic terrorism cases—but even if such limitations could be imposed, it would only drive our adversaries further underground, using encryption technology made by foreign companies that cannot be conscripted into U.S. government service. Indeed, the FBI’s repeated — leaving law-abiding individuals shouldering all of the burdens on liberty, without any offsetting benefit to public safety. Indeed, the FBI’s Repeated warnings that criminals and terrorists are able to “go dark” behind end-to-end encryption methods proves this very point.”
Then, Apple goes into a lengthy description of what it would need to do in order to comply with the government’s demands. In short, it would need to fire up a whole team dedicated to creating what is essentially a brand-new version of iOS, maintain a lab on site and facilitate what would undoubtedly be hundreds of additional requests for unlocking. This is key to its “undue burden” defense.
The compromised operating system that the government demands would require significant resources and effort to develop. Although it is difficult to estimate, because it has never been done before, the design, creation, validation, and deployment of the software likely would necessitate six to ten Apple engineers and employees dedicating a very substantial portion of their time for a minimum of two weeks, and likely as many as four weeks. Members of the team would include engineers from Apple’s core operating system group, a quality assurance engineer, a project manager, and either a document writer or a tool writer.
No operating system currently exists that can accomplish what the government wants, and any effort to create one will require that Apple write new code, not just disable existing code functionality. Rather, Apple will need to design and implement untested functionality in order to allow the capability to enter passcodes into the device electronically in the manner that the government describes. In addition, Apple would need to either develop and prepare detailed documentation for the above protocol to enable the FBI to build a brute-force tool that is able to interface with the device to input passcode attempts, or design, develop and prepare documentation for such a tool itself. Further, if the tool is utilized remotely (rather than at a secure Apple facility), Apple will also have to develop procedures to encrypt, validate, and input into the device communications from the FBI. This entire development process would need to be logged and recorded in case Apple’s methodology is ever questioned, for example in court by a defense lawyer for anyone charged in relation to the crime. Once created, the operating system would need to go through Apple’s quality assurance and security testing process. Apple’s software ecosystem is incredibly complicated, and changing one feature of an operating system often has ancillary or unanticipated consequences.
As a part of its Fifth Amendment defense, Apple argues that being forced to create a version of its software that weakens security is a gross expansion of the All Writs Act and is indeed counter to the Constitution. It argues that the legal case set out here has no practical limits, and could be used to force Apple (or another company) to essentially break any feature and cross any privacy line once a precedent was set.
In addition, compelling Apple to create software in this case will set a dangerous precedent for conscripting Apple and other technology companies to develop technology to do the government’s bidding in untold future criminal investigations. If the government can invoke the All Writs Act to compel Apple to create a special operating system that undermines important security measures on the iPhone, it could argue in future cases that the courts should compel Apple to create a version to track the location of suspects, or secretly use the iPhone’s microphone and camera to record sound and video.
Background
Apple is currently in a war of both court orders and public opinion in the case of a locked iPhone. The FBI wants Apple to build a special version of iOS that would weaken the device’s security and install it on the device. This version of iOS would allow the FBI to “brute force” the device’s pin code by trying it hundreds or thousands of times without delay or the device erasing itself.
The FBI argues that this is a very specific request, for a specific device that is associated with Syed Farook, one of the shooters in the San Bernardino workplace violence incident which left 14 dead. The FBI has deemed Farook and his wife terrorists and says that it needs access to the device in order to pursue leads.
Apple, for its part, argues that the FBI is using the All Writs Act, a 200-year-old law, too broadly in trying to get it to write code that would make the security of its devices worse. Apple plans to argue that the court’s order violates its free speech rights and CEO Tim Cook has given an extensive interview laying out how Apple looks at the case. In his remarks, he expounded on the points which Apple has been talking about to reporters, the most pointed of which is that this is not about just “one iPhone” and any ruling would be used to force Apple to unlock customer phones again and again.
The implications of the case are wide-ranging. The security of customer data in the United States, as well as the millions of Apple devices around the world will hinge on how the court battle turns out. There are solid indications that if the FBI does gain access to the device, it will issue another order to then have Apple decrypt the device’s contents. Law enforcement officials have indicated that they have a long list of devices and would take advantage of a precedent set here to force Apple to unlock.
Reports also indicate that Apple is making plans to improve iPhone and iCloud security to the point at which it will no longer be able to comply with government requests for information. These plans were hinted at in our discussion with Apple executives last week, where we noted that “the executive also indicated that it was fair to anticipate that Apple would continue to harden iPhone security to protect users against this kind of cracking, whether by Apple or otherwise.”
It’s worth noting that Apple has had a long history of cooperating with law enforcement requests for information. While it has not unlocked iPhones, it has extracted data from phones.
Those other cases could include legislation or further orders that weaken or alter the ground rules for encryption on devices from phones to smart home units to pretty much anything with an internet connection. If you use any such device to communicate over the Internet, it is likely that it uses encryption. If advocates are able to pass legislation that weakens encryption by giving the U.S. government a “back door,” then it is a matter of time before foreign countries push for the same from companies that do business there — and before bad actors like hackers discover the door and use it for themselves.
FBI Director James Comey and Apple General Counsel Bruce Sewell are set to testify on encryption at a March 1 Congressional hearing.
Update: The Justice Department has issued the following response to Apple’s filing. We’ve also updated the piece to reflect the hearing date:
The Justice Department’s approach to investigating and prosecuting crimes has remained the same; the change has come in Apple’s recent decision to reverse its long-standing cooperation in complying with All Writs Act orders. Law enforcement has a longstanding practice of asking a court to require the assistance of a third-party in effectuating a search warrant. When such requests concern a technological device, we narrowly target our request to apply to the individual device. In each case, a judge must review the relevant information and agree that a third party’s assistance is both necessary and reasonable to ensure law enforcement can conduct a court-authorized search. Department attorneys are reviewing Apple’s filing and will respond appropriately in court.
The motion to vacate is below:
Apple Motion to Vacate Brief and Supporting Declarations (1)
Comment