U.S. Government Demands Source Code Access

April 4, 2016

Internet BackgroundThe recent dispute between the FBI and Apple tested the limits of the ability of the United States government to demand that a commercial company create new computer code enabling circumvention of data security measures developed and installed by the company in its products.  There are now reports that the U.S. government has on multiple occasions successfully compelled commercial companies to provide proprietary computer source code to the government for analysis and use.  Compulsory disclosure of proprietary source code to the U.S. government is a troubling action which carries significant adverse consequences for businesses and individual American citizens.

Multiple companies have reportedly acknowledged that they have received legal demands from U.S. government agencies requiring that the companies provide copies of certain proprietary computer source code to the government for inspection, analysis, and use.  These orders have apparently been issued by traditional federal courts as part of sealed civil litigation and by the Federal Intelligence Surveillance Act (FISA) court as part of secret national security cases.

With this background, it appears that the FBI could pursue federal litigation to compel disclosure of Apple’s proprietary source code associated with its iPhone security measures.  After obtaining access to the source code, the authorities can then hack the code, or retain outside parties to hack the code and override the security measures.

Matsuura Blakeley BannerApparently, by seeking a court order to compel Apple to circumvent its own security measures, the FBI was attempting to save time and money.  Given the reports of previous instances of court-ordered source code disclosure, it seems that the FBI could have successfully obtained a similar secret order forcing Apple to disclose its security source code to the government.  However, that process for development of a security system override would have been more costly to the government in terms of both time and money.

If the U.S. government continues to use this secret process for collecting commercial source code, it is possible that the government will eventually create an archive of commercial source code available to support its investigations and prosecutions.  That archive could be used by the government for creation of code and processes that can compromise the security of the commercial code.

This process could undermine the international competitive posture of American companies.  To the extent that their source code is possessed and has been analyzed by the U.S. government, the American companies involved would likely have greater difficulty persuading governments in other countries and major commercial companies to use their products.

In recent years, we have also come to recognize that digital materials in the custody of the U.S. government are not always secured as effectively as one might expect.  A government archive of leading commercial source code would likely become an extremely attractive target for malicious hackers.

Finally, if U.S. government authorities are permitted to create an archive of commercial source code, civil liberties of individual Americans will likely be severely threatened.  In such an environment, each American will presumably begin to assume that the U.S. government has access to source code associated with security measures of all commercial software and online products and services, thus increasing the privacy concerns of all citizens.

Greater transparency should be provided as to the government’s use of court-ordered compulsory disclosure of proprietary source code for commercial software.  The public has a right to be aware of the scope of such mandatory disclosures and the uses made by the government of the source code it obtains.  Public oversight of this process is essential to ensure effective protection of civil liberties and American commercial competitiveness.