Last Friday, a New York federal judge joined in the contentious current debate over whether tech companies should be forced to provide law enforcement the ability to decipher encrypted data stored on smartphones and in the cloud.
In a sealed application, the U.S. Attorney’s office in Brooklyn sought to compel Apple, Inc. to disable the security on a locked Apple device the government had authority to search pursuant to an earlier warrant. The law enforcement agents’ attempts to read data on the phone failed, though the opinion isn’t clear on exactly why that was the case.
Encryption helps human rights workers, activists, journalists, financial institutions, innovative businesses, and governments protect the confidentiality, integrity, and economic value of their activities. However, strong encryption may mean that governments cannot make sense of data they would otherwise be able to lawfully access in a criminal or intelligence investigation.
The law enforcement community calls this the “going dark” problem. Claims of “going dark” aren’t new. In 1994, Congress passed CALEA, a law that requires telecom carriers to ensure that telephone communications are surveillance-friendly. But that law doesn’t require “backdoors” in email, IM, smartphones, or other digital devices and services. Increasingly, service providers are encrypting these, which law enforcement claims hampers its ability to effectively investigate and prosecute crime and terrorism.
In Friday’s order, Magistrate Judge James Orenstein of the U.S. District Court for the Eastern District of New York rejected the government’s arguments, but reserved decision on whether to grant its request. Importantly, he held that the requested order was not authorized under the All Writs Act, 28 U.S.C. § 1651 — an obscure 18th-century law recently favored by the government when seeking court orders to force device manufacturers to unlock smartphones. The court reasoned that the Act cannot give the government “authority that Congress chose not to confer,” and in passing CALEA, Congress did not choose to allow law enforcement to compel providers to decrypt devices.
Judge Orenstein cited several factors distinguishing the present case from prior Supreme Court authority allowing an order to issue under the All Writs Act, including:
● Apple’s status as a private company, rather than a highly-regulated public utility; as such, it “is free to choose to promote its customers’ interest in privacy over the competing interest of law enforcement”;
● The existence of alternative legal means by which the government can obtain the information it seeks (there are technical alternatives, too);
● The court’s questionable ability to order Apple to unlock a device it manufactured, but does not own, particularly where it’s not clear that Apple can unlock the device — as the Washington Post notes, Apple can unlock older-model iPhones, but not recent models, and the record doesn’t clarify which kind this is;
● Congress’s failure to show any intent to force Apple to provide the requested assistance to law enforcement, despite concerns raised by the Justice Department and FBI.
Ultimately, the key factor in the judge’s analysis was the question of the burden on Apple of decrypting the device at issue. Since the record is silent on this issue, Judge Orenstein has ordered Apple to respond to the government’s application by
tomorrow Monday and address the burdensomeness and technical feasibility of compliance with the government’s proposed order. He will rule on the government’s request following oral arguments next Thursday.
Stanford CIS is keeping a close eye on this case. Judge Orenstein was one of the magistrates who ignited public debate about cell phone tracking by publishing an opinion criticizing the Department of Justice’s now-disfavored argument that it can obtain geo-location data without a search warrant. Judge Orenstein is a trendsetter on electronic evidence issues, and his thoughtful public discussion of the encryption issue will be very influential, particularly given the Obama administration’s recent decision to back off from advocating for mandatory crypto backdoors, as well as the multiple bills introduced in Congress that would ban them.
The case is particularly timely for CIS, because we’re partnering with Professor Dan Boneh to research encryption policy. In the 1970s, and again in the 1990s, U.S. government struggled with tradeoffs between its surveillance/law enforcement missions (potentially thwarted by crypto) and its information assurance/crime prevention missions (furthered by crypto). In the main, these debates were resolved in favor of allowing the proliferation of strong crypto.
Today, the crypto policy issue has resurfaced. FBI Director James Comey chides Apple and Google for using cryptography architectures that the companies are unable to decrypt for law enforcement. In secret, the government is invested in breaking popular encryption schemes, stealing encryption keys, and finding ways to circumvent communications security protocols. Together, these and other efforts comprise the third Crypto War.
Our Crypto War III project starts with research on the government’s capabilities under current law, decisions that are often made in ex parte surveillance applications that remain sealed from public review. To that end, we’ve hired a fellow to work specifically on uncovering and analyzing the ways that courts are allowing the government to use the All Writs Act and provider assistance provisions in the Wiretap Act and the Pen Register/Trap and Trace statute to force decryption, obtain encryption keys, or demand backdoors. Riana Pfefferkorn was an associate in the Internet Strategy & Litigation group at Wilson Sonsini, focusing on Internet, copyright, and privacy litigation and counseling. She joined CIS this week as our Cryptography Fellow, made possible through funding from the Stanford Cyber Initiative. We’re pleased to welcome Riana to Stanford and excited that with her help we’ll be able to expand our work on the important privacy and security concerns at stake in the evolving area of encryption law and policy.