The Other Big Encryption News Last Week

President Obama’s waving the encryption white flag to Apple wasn’t the only big “going dark” news this week—and it’s not the only bad news for law enforcement. The courts continue to struggle with encryption issues, and last week, a New York magistrate dealt the government a blow.

Magistrate Judge James Orenstein of the U.S. District Court for the Eastern District of New York signaled a certain unwillingness on Friday to sanction a legal maneuver increasingly employed by the federal government to break locked devices. He deferred ruling on the government’s application for an order to compel Apple to disable the security on an Apple device, and directed Apple to submit its views on whether compliance with such an order would be technologically impossible or unduly burdensome. Although he did not deny the application yet, he forewarned that he does not think the government or the courts have the legal authority to compel Apple to unlock its devices.

This is not the first time the government has attempted this argument, and until now, courts have tended to go the other way. Last year, the District Court in Manhattan ordered an unnamed phone manufacturer to unlock a phone and the District Court in Oakland, CA ordered Apple to unlock an iPhone. Magistrate Orenstein seems more skeptical of the maneuver, however. He deferred his ruling on this important, and little-noticed issue, and directed Apple to provide an account of how burdensome the requested order would be.

What is this tactic the government is using? It’s an attempt to use the All Writs Act to compel tech companies to disable security features on their smart devices. The All Writs Act is one of the oldest grants of judicial authority, first passed as part of the 1789 Judiciary Act. It empowers federal courts to “issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” It is not an independent source of authority; rather it allows federal courts to issue orders to effectuate the exercise of their existing statutory jurisdiction.

So imagine that the government has a valid warrant to search the contents of a locked Apple device in its possession, but it cannot bypass the lock. It can petition a court to compel Apple to unlock the device, claiming the court has the authority to issue this order under the All Writs Act.

But does it?

The Supreme Court has made clear that the All Writs Act empowers federal courts to issue writs that are not otherwise governed by statute. Where a statutory scheme addresses the issue at hand, however, it is that statute that controls the court’s authority. Significantly, the Court has stated that the All Writs Act does not authorize courts to issue writs “whenever compliance with statutory procedures appears inconvenient or less appropriate.” Rather, the power to issue commands extends only so far as is necessary to effectuate orders a court has issued in the exercise of jurisdiction otherwise obtained. The court is empowered to issue writs to persons or entities that are not parties to the suit or engaged in wrongdoing, when they are in a position to frustrate the administration of justice and so long as the order does not impose an unreasonable burden.

Orenstein suspects both that the All Writs Act is inapplicable because Congress has spoken on the issue of whether courts are authorized to order companies like Apple to unlock its devices, and that issuing the requested order may pose an unreasonable commercial burden on Apple.

In support of his reasoning, Orenstein reviewed the legislative history on compelling companies to enable law enforcement to access locked data stored on smart devices. The history clearly shows that Congress is aware of and has considered this dilemma but has not acted to fill the statutory gap. Orenstein noted that the FBI drafted legislation in 2009 to amend the Communications Assistance for Law Enforcement Act (CALEA) to cover companies like Apple, but this draft legislation and a few other proposed bills on the same subject have never gone to a vote. In other words, the absence of statutory authority to compel Apple to unlock a smart device is not attributable to mistake or oversight, but reflects a purposeful choice so far not to give the government that authority. Since law enforcement access to digital communications is governed by a near-comprehensive statutory scheme, it is questionable whether courts may disregard that scheme and issue orders under the All Writs Act that are not otherwise authorized by existing surveillance law, he argues.

Orenstein’s opinion is reminiscent of an influential decision he issued in October 2005 that cell-site data is protected by the Fourth Amendment’s warrant requirement. In that decision, he tersely scolded the government for attempting to use the All Writs Act “as a mechanism for the judiciary to give it the investigative tools that Congress has not.” Giving the matter a few paragraphs attention at the end of a lengthy opinion, he called the resort to the Act a “Hail Mary play” to “grant the executive branch authority to use investigative techniques either explicitly denied it by the legislative branch, or at a minimum omitted from a far-reaching and detailed statutory scheme that has received the legislature's intensive and repeated consideration.” Exactly one decade later, he has expounded this nucleus of an idea into a fully-developed legal decision.

His disapproval of the government’s tactics was also no less on display in last week’s decision. In a footnote, he criticized the government’s apparent hypocrisy for at once encouraging democratic debate on the appropriate balance between liberty and security while simultaneously “using an aggressive interpretation of [the All Writs Act’s] scope to short-circuit public debate on this controversy” by seeking to have the law “decided by the judiciary in sealed, ex parte proceedings.”

In the second half of his decision, Orenstein distinguishes the principle case the government appears to consistently rely on when requesting these types of orders: United States v. New York Tel. Co. In that case, the Supreme Court held that the All Writs Act empowered a court to compel a telephone company to install a pen register at its facilities to effectuate a search warrant. The holding rested in large part on the fact that the telephone company was a public utility “with a duty to serve the public,” the information was located at the company’s facilities, the company regularly used pen registers, and there was not another alternative for acquiring the information. These same facts, he notes, are obviously absent from the current scenario involving Apple: Apple is a private company, the information is located on the user’s device which Apple does not own, Apple does not regularly unlock customers’ devices, and the alternative remains to compel the user to unlock the device instead of involving Apple.

This last point brings up an important caveat: it is not even clear if the alternative of having Apple unlock the phone is technologically possible. The court cannot order Apple or any other company to do something that is impossible to achieve. Therefore, if Apple is unable to unlock or decrypt data stored on devices using its iOS technology, it can avoid the balancing act it has been forced to perform between placating the Department of Justice and appeasing its customers’ demand for privacy.

It is this tightrope walk that most worries Magistrate Judge Orenstein when, at the end of his opinion, he considers the potential burden the requested order might impose on Apple. The burden analysis derives from the Supreme Court’s New York Tel Co. opinion, which stipulates that courts may not issue orders under the All Writs Act that impose “unreasonable burdens” on third parties.

This limit has usually been interpreted to refer to physically or technologically unfeasible orders. It is somewhat unusual, therefore, to recognize that Apple may suffer a marketing burden or competitive commercial disadvantage if it were required to assist the government to access data pursuant to a valid search warrant. But this is the burden Apple would face if compelled to unlock a user’s device at the behest of the government. Especially in the wake of the Snowden disclosures, more customers consider privacy policies when selecting their digital products and services. How device manufacturers and service-providers structure their privacy policies has, in turn, become a strategic business decision. Orenstein seems solicitous of Apple’s reality that aiding the government to access consumer data—even when done coercively, legally, and transparently—has become something of a commercial liability.

Apple is expected to brief the court on the extent of this potential burden on its business by Thursday.