FBI and Federal Court Use 18th Century Law to Force Apple to Circumvent iPhone Security

February 22, 2016

Cell phone iphone smartphoneA federal judge in California has used the All Writs Act of 1789 as the basis for requiring Apple to circumvent some of the security measures built in to the iPhone used by San Bernadino terror suspect, Syed Rizwan Farook.  The case has significant potential implications for data privacy in the United States and around the world.

The FBI possesses an iPhone apparently used by the suspect, and the Bureau would like to access data stored on the device, in support of its ongoing investigation.  The device is owned by the suspect’s employer, the San Bernadino County Department of Public Health, and its content is password protected.  The device owner granted permission to the FBI to search the content, but the FBI does not have access to the appropriate PIN.

The iPhone has several built in security measures.  They include software that impedes the ability of a party to engage in “brute force” methods to guess the PIN.  Security for the device also includes software that deletes all content stored on the phone after ten incorrect efforts to input the PIN.

The FBI asked the court to order Apple to create computer code which will override the two security measures identified above for this particular device.  The court issued the order requested by the FBI, using the All Writs Act as the basis for that action.  The All Writs Act grants federal courts broad power to compel specific conduct when the court determines that some action is necessary in order to ensure justice, even when there is no specific statutory authority to support the order.

Although generally obscure, the All Writs Act has been used periodically in a variety of contexts, including some involving access to communications and information.  Critics of the Act object to its extremely broad potential reach, and contend that its use should be dramatically limited.  Supporters of the Act argue that this type of broad general court authority continues to be essential, at times.  Apple is contesting the court order.

Matsuura Blakeley BannerSupporters of the court’s action in this case note that the data stored in the device is important to the criminal investigation.  They argue that the only reasonable way to access that data successfully is through cooperation by Apple.

Opponents of the action argue that Apple does not own or control the device in question, and that it should therefore not be compelled to be involved in this case.  They also note that the action the court requires of Apple (creating and using customized computer code to override the security measures) is unduly burdensome for Apple.  Finally, critics suggest that this action sets a precedent which undermines personal privacy and civil liberties and is likely to be used frequently in the future by the U.S. government and other governments around the world.

The U.S. government and supporters of the court’s action argue that this case is directed toward a single device and thus has limited scope.  This assertion seems to be misleading.  Although it is true that the government’s case in this instance is directed toward a specific phone, the access and search process being created in this single case will certainly be used again and again by the U.S. government and by other governments in the context of other devices.

If Apple can be compelled by the U.S. government to create customized code to override data security measures for the specific device in question in this case, then it can be compelled to take similar action for other devices in the future, with no obvious limit in sight.  Surely other governments around the world will recognize the potential utility of this process, and they too will issue legal orders compelling Apple and other device-makers to override built-in data security measures for specific devices.

Note that this is not a simple case of a court order compelling disclosure of data owned or controlled by Apple.  Instead, this case involves a court order that Apple create new code, presumably at its own expense, which will deliberately circumvent key security measures that Apple created and installs in its products.

The court in this case is ordering Apple to create new code which facilitates circumvention of existing Apple security and to use that new code on a device which Apple does not own or control.  Through its order, the court is also establishing a process through which government authorities can compel data security overrides for any device.  It is an extraordinary and unreasonable order.  Apple should continue to contest it, and Apple’s effort should be supported by the technology industry and by all who value their own privacy and civil liberties.