The Director of the FBI has made an emotional appeal to get support to compel Apple to crack its own security to provide access to the locked phone it seized from the deceased San Bernadino terrorist. He wants the American people to decide whether the FBI should have access to just this one phone, and to believe that the power it seeks to use against Apple is not a precedent to be used in the future against manufacturer of any device the government can’t access due to encryption or other security measures. Here’s what he says:
Although this case is about the innocents attacked in San Bernardino, it does highlight that we have awesome new technology that creates a serious tension between two values we all treasure: privacy and safety. That tension should not be resolved by corporations that sell stuff for a living. It also should not be resolved by the FBI, which investigates for a living. It should be resolved by the American people deciding how we want to govern ourselves in a world we have never seen before.
The problem with his logic is that the American people already decided the question more than 20 years ago when Congress enacted the Communications Assistance for Law Enforcement Act (CALEA). In this post last week, I pointed out that CALEA prohibited the government from ordering Apple to change its security features on the iPhone. My logic was that if CALEA prohibited the government from dictating a change in the security configuration or features of the iPhone, then the All Writs Act (AWA) did not provide an alternative means for the government to get what it wanted by means of a court order to Apple. In short, CALEA trumped the AWA.
The government argued in its brief last week that CALEA was wholly inapplicable to the technical assistance it wants from Apple. As I said in my post, it was disingenuous for the government to tell the court that CALEA was just about the interception of communications by phone companies when the law plainly permits manufacturers to market secure products and services that can’t be wiretapped or accessed.
It would have been more honest for the government to argue that while CALEA might limit what the government can require of manufacturers under that statute, it left open the possibility that other authorities might exist that would permit exactly that. It could then have said that the AWA was one such law, which in turn would mean that a court could order certain technical assistance even if such assistance would amount to a particular design or technical change in a product or service that the government could not dictate under CALEA in the first instance.
But that argument is circular and ignores the history and larger purpose of CALEA. The law was passed in 1994 in response to law enforcement’s concerns that it was then “going dark” with the advent of digital telephony and the Internet. The Director of the FBI at that time testified that CALEA was necessary to preserve the capabilities it always had to intercept all communications. But in the end, CALEA was a compromise, giving law enforcement a narrowly focused capability to carry out lawfully authorized surveillance on public switched and cellular networks, but imposing certain privacy protections and limitations on law enforcement’s ability to “imped[e] the development of new communications services and technologies.” In short, the FBI did not get a future-proof legislative mandate to gain access to evidence it all new technologies or the ability to block introduction of secure technologies.
Indeed, Congress outright rejected the government’s initial CALEA proposal to actually prevent deployment of new technologies that didn’t have a wiretap back door. As Congress noted, “[t]his is the exact opposite of the original versions of the legislation, which would have barred introduction of services or features that could not be tapped.” In other words, Congress accepted the fact that some new technologies would put some evidence that law enforcement wanted, needed, and may have had access to in the past, beyond its reach in some cases.
Congress also determined that carriers would have no responsibility to decrypt encrypted communications unless the carrier provided the encryption and could in fact decrypt it. CALEA did not prohibit a carrier from deploying an encryption service for which it did not retain the ability to decrypt communications for law enforcement access, period. Here again, CALEA recognized that some evidence that may be necessary to an investigation will not be available to the government because it is encrypted and the provider lacks the key to access it.
So while CALEA provided law enforcement with some surveillance capabilities on phone networks (which the Federal Communications Commission later extended to broadband Internet access and two-way Voice over IP), it precluded the government from requiring “any specific design of equipment, facilities, services, features, or system configurations to be adopted by any manufacturer of telecommunications equipment.” Requiring Apple by court order to create and implement a work-around for the iPhone’s security features is, in fact, doing what CALEA prohibited.
There would have been no need for CALEA at all if the AWA already empowered law enforcement to get a court order to compel a provider or manufacturer to build in a back door for access to communications. What is the sense of passing a law that makes it clear that a manufacturer can develop the most secure product in the world if a court can order the manufacturer to redesign the product to make it insecure whenever the government decides it needs access? Build the security work around once, use it on all iPhones. That is a design change even if applied to only one phone this time and that is what CALEA prohibits. Inadvertently, Director Comey gets it right in his appeal -- it is up to the American people to decide and that would be through Congress amending CALEA, not a court issuing a writ under a statute more than 200 years old.