Cybersecurity & Tech Surveillance & Privacy

A Primer on Apple's Brief in the San Bernadino iPhone Fight

Robert Chesney
Friday, February 26, 2016, 1:00 PM

Do you need to get up to speed on the latest developments in the Apple vs FBI iPhone dispute, but either lack the time to read the brief Apple filed yesterday or the context to decode it? I’m here to help, in FAQ format:

1. I need some context. How does this litigation relate to the larger “going dark” debate?

Published by The Lawfare Institute
in Cooperation With
Brookings

Do you need to get up to speed on the latest developments in the Apple vs FBI iPhone dispute, but either lack the time to read the brief Apple filed yesterday or the context to decode it? I’m here to help, in FAQ format:

1. I need some context. How does this litigation relate to the larger “going dark” debate?

When trying to understand both Apple’s brief and the public statements by Tim Cook relating to the San Bernadino situation, you have to bear in mind that there are two distinct (though related) battles underway.

Most obviously, there is the immediate legal battle presented by the FBI’s motion to compel Apple to help it crack the passcode on this particular phone, in a very particular way. On its face, that’s what Apple’s brief is all about. But the litigation is not taking place in a vacuum, and it won’t be decided in the abstract. Instead, it is taking place against the backdrop of a long-running policy dispute, one that will influence how the litigation gets resolved and that will in turn be influenced by that resolution.

What is this background policy dispute? It concerns the inherent tension between (i) the compelling investigative interests that many government entities have and (ii) the compelling interest in maximizing data security and privacy championed not only by the tech industry and advocacy groups, but also by government entities (including some of the same ones that have investigative interests). This tension is, at a certain level, unresolvable. It just is, and has to be managed as well as it can be, including by crafting the relevant legal architectures as wisely as possible. But note that this task—crafting the legal architectures that regulate government investigative powers—is never finished. Technological change constantly disrupts the status quo, sometimes through slow erosion and other times through dramatic shifts. At any rate, it is inevitable that this disruption periodically will give rise to proposals for tweaking the current legal architecture. Sometimes this pressure will find expression in subtle ways, as when parties advocate for a novel interpretation or application of an existing statute in light of new technological facts, and other times it is expressed very visibly, as with proposals for new statutes.

As it happens, we are in the thick of such a moment now, with law enforcement entities invoking the “going dark” narrative (in which security is at risk), and data security/privacy advocates responding with a “golden age of surveillance” narrative (in which privacy and data security are at risk). And by and large that debate has been directed towards the possibility of legislative change. In that context, the critical battlefields—that is, the places where the key decisions will be made—are Congress and the White House.

The San Bernadino iPhone litigation must be understood as a part of that larger dynamic. But notice that it takes place on a different battlefield: the court system. For those previously focused on the effort to sway Congress and the White House one way or the other, this presents both challenges and opportunities. You have to bear this larger context in mind if you want to fully grasp the arguments that are flying about in relation to the San Bernadino iPhone.

2. Look, I really just want a condensed review of the legal arguments in the brief Apple filed yesterday.

I hear your, and I’m getting to that. But my point is that (i) the brief is not just a vehicle for legal arguments (it’s also speaking to a much broader audience for broader reasons), and (ii) the legal arguments in the brief are not themselves sealed off from the larger policy contest (on the contrary, they leverage concerns about that larger policy contest).

3. Ok, fine. What does the brief actually say in terms of particular policy arguments?

Apple argues that there are four significant costs that will follow if the government prevails, and that there will be little actual benefit to set in the scales against those costs.

The asserted costs:

1. Increased Attack Surface: Picking up on Tim Cook’s public statements, Apple argues that if it is forced to create code that can override the security features meant to prevent brute force attacks on the passcode, this results in a new vulnerability that others can also exploit. Of course, this depends very much on how hard it would be for anyone outside Apple to acquire the new code (see here for a bit more on that point).

2. Do you want us to do this for China, too? Apple argues that if the court forces it to write custom code to help the US government defeat security features in the iPhone, it will be that much harder to resist demands from foreign governments that it do the same for them. (Note that this argument draws attention to important questions about just what steps Apple may already have taken to accommodate Chinese government investigative interests in order to ensure access to the Chinese market).

3. This is about all the iPhones, not just this one: Quite correctly, in my view, Apple points out that if the courts ultimately accept that it can be compelled to help in the case of this one phone, there is certain to be an avalanche of similar requests from FBI and other entities. This underscores an important point: This case is as much or more about the precedent and principle at issue as it is about the particular (and compelling) San Bernadino fact pattern.

4. Next up on the slippery slope: cameras, microphones, and location trackers? It’s not just that the precedent will be used to circumvent passcode protections. It might pave the way towards compelled support for other actions, including surreptitious activation of the camera, the mike, or the location-tracking option.

The asserted benefits: Apple also attempts to undermine the claim that circumventing the passcode will be especially beneficial to the government, as a general matter. There are at least two such arguments:

1. In most cases iCloud backup will be available for the government to get what it needs. For the time being at least, Apple has the ability to access content stored via iCloud backup, and is willing to use that ability when served with the proper legal process. As Apple is careful to note, this would likely have made the San Bernadino iPhone’s passcode moot in this case, but for the fact that the FBI and the County made a terrible error, changing the iCloud password remotely and thus preventing FBI from doing what it should have done: plug the phone in to a power source in a location (such as the workplace) where there is a wifi option to which the phone would connect automatically, at which point an updated backup to iCloud would occur.

2. The most serious and sophisticated targets will stop using iPhones or otherwise adapt. No doubt this is so for some targets. It is remarkable, though, how often people do not take such steps even when on reasonable notice that they probably should.

4. Can we get to the specific legal questions at stake in this litigation?

The central issue is whether the statute known as the “All Writs Act” can fairly be interpreted as empowering a judge to compel Apple to provide this specific kind of involuntary technical assistance. And then there a pair of fall-back arguments to the effect that it would be unconstitutional to make Apple do this, even if the statute itself did authorize it.

5. Explain Apple’s All Writs Act argument

Apple has two core statutory arguments.

The first goes something like this:

(i) Congress knows how to craft a statute that compels this sort of technical assistance;

(ii) Congress has done precisely this in relation to phone companies and purposefully did not extend the obligation to other industries (citing the 1994 Communications Assistance to Law Enforcement ACT, aka CALEA);

(iii) there is a national debate underway with respect to whether Congress perhaps should revisit that decision (see the “going dark” discussion noted earlier); and

(iv) interpreting the (very) generic language of the All Writs Act as the government requests would short-circuit that entire debate, with the practical effect of improperly amending CALEA via judicial interpretation).

The second argument is a straight-forward All Writs Act analysis. The Supreme Court in 1977’s United States v. New York Telephone Co. had held that the All Writs Act could indeed be used to force a phone company to provide technical assistance to the FBI as it sought to implement a pen register system. In the course of its analysis, the Court emphasized that an All Writs Act order must not impose an unreasonable burden on the company, but thought that this line had not been crossed in that case because (i) the burden in fact was quite “meager,” (ii) the phone company in any event was part of a thoroughly-regulated industry, and (iii) there was nothing about the requested assistance that was antithetical to the company’s business model.

Apple argues that the opposite is true in this case. The “burden” and “antithetical” arguments are particularly interesting:

Burden: Apple explains that it will take up to ten employees between two and four weeks to develop, test, and implement the tweaked operating system and related procedures. This could be a one-time expense were it to then preserve this capacity, though it would in that case incur substantial additional costs in providing top-shelf protection of it. Or if it destroyed the work product upon use in this one case, it would likely have to reconvene the process repeatedly as similar orders arrived in the future.

Antithetical: Apple argues that enhanced security features are central to their business model, and thus the requested assistance is problematic for them in a fundamental way that was not at all true in the 1977 phone company case.

6. You mentioned fall-back constitutional arguments. Are they making a Fourth Amendment argument?

Nope. Instead Apple argues that ordering it to write the requested code would violate both the First and Fifth Amendments.

7. What is the First Amendment argument?

It goes like this:

a) writing code is a form of speech (citing various circuit decisions);

b) the First Amendment limits the government’s ability to compel people to engage in speech, requiring strict scrutiny of any such action; and

c) the government’s interest in this case is too weak to justify such intrusion into First Amendment values.

That last part is awfully tricky, for it requires Apple to minimize the government’s investigative interest in this particular case. Obviously Apple did not want to suggest that a terrorism investigation in general isn’t a compelling interest. So it argues, instead, that “the government has produced nothing more than speculation that this iPhone might contain potentially relevant information.” (p. 33)

For a longer and more interesting analysis of the First Amendment issue, see Andrew Woods’ argument here.

8. How is the Fifth Amendment relevant here?

That's not entirely clear. The argument gets 12 lines at the end of the brief. It's basically just an assertion that application of the All Writs Act in this manner would amount to a substantive due process violation, in the sense of being an “arbitrary deprivation of liberty.” (p.34) The brief does not defend that characterization (beyond implicitly referencing back to its other arguments, I suppose). Perhaps this secton of the brief is best understood as an effort simply to preserve the option of making such an argument later, should a judge show some interest in it.

9. Is that it?

Yep. Let me know if you found this useful (email is rchesney@law.utexas.edu, twitter is @bobbychesney). If I get enough encouragement, I will do a similar write up for future stages in the case.


Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.

Subscribe to Lawfare