Stanford CIS

Apple Order Would Permit Vendor-Delivered Wiretap Capability But For CALEA

By Albert Gidari on

Apple filed its brief yesterday to vacate the court’s order to write software to disable the security features of the iPhone so that the government could gain access to the San Bernardino terrorist's phone it seized. Apple argued, among other things, that the Communications Assistance for Law Enforcement Act or “CALEA” prohibited the government from requiring the software change because Apple was a CALEA-exempt information service provider. I had suggested here and here that CALEA applied and protected Apple because it was a manufacturer of telecommunications equipment (i.e., a phone) and the government was precluded by CALEA, and therefore the All Writs Act (AWA), from “requir[ing] any specific design of equipment, facilities, services, features, or system configurations to be adopted.” The result is the same - CALEA trumps the AWA - but it is important to understand why CALEA applies to phones and protects manufacturers.

When CALEA was passed in 1994, one of the seminal changes it brought about was to move wiretaps into the central office of the carrier and out of the hands of law enforcement agents in the field. Wiretaps on carrier networks were thereafter to take place with the affirmative assistance of carrier personnel, and rules were adopted to protect against unauthorized surveillance. This was a significant privacy enhancement to the dirty world of electronic surveillance because Congress understood that companies, by and large, comply with the law or risk criminal penalties when they don’t.

CALEA left it to industry to design the technical solution through publicly available industry standards to meet the limited surveillance capabilities defined in the statute. Transparent industry standards were another privacy feature of CALEA. The law required that any standard or solution protect communications not otherwise authorized to be intercepted, and that surveillance capabilities have a minimum impact on carrier services. As noted in my prior posts, Congress prohibited the government from dictating equipment design or configuration and excluded information services like email completely from any obligation. And for special emphasis, Congress unequivocally decided that encryption services could be offered where the provider did not maintain the key to unlock them -- it rejected the back door.

But here’s the thing - industry isn’t required to use a standardized intercept capability. It is protected against any claim that it must do something more than comply with the surveillance standard if it does so, but a carrier can, as they say, “roll its own” solution. One such solution eerily resembles what the government seeks to compel Apple to do here, namely, write software that will trick a phone into allowing access so the government can run its own software on the device. That software could be a keystroke logger or some other surveillance program just as well as a passcode tumbler. Now is it clearer why CALEA prohibits the government from telling a manufacturer what to build into or do with a phone?

Far-fetched? To the contrary, the very approach was the subject of a debate with noted technologist Susan Landau just last January in this post. Here’s what she wrote, and you will see where it ended up: with another technologist’s suggestion for vendor-delivered surveillance functionality hidden in software updates:

As many Lawfare readers know, several years ago Steve Bellovin, Matt Blaze, Sandy Clark, and I presented the idea of using vulnerabilities already present in devices as a way to facilitate court-authorized wiretaps. As we explained in a technical article, this would involve a two-step process of first using a wiretap order to remotely examine the device to determine what software was on it, and then using a second court order to actually install the wiretap through using a vulnerability present on the device.

Herb Lin suggested that software updates could be used to deliver the wiretap. It's highly likely that security agencies have already done such man-in-the-middle attacks in which they look like the software vendor that delivers a wiretap via a software "update." But that's different from Herb's proposal, which is that instead of the government delivering the wiretap, Microsoft — or Google or Facebook or You-Name-the-Company — would do so.

Apple is the "You-Name-the-Company" in the above list. The Apple order is a vendor-delivered software change in the operating system of a phone. The power to order it, the government says, stems from the AWA. The same power would permit installation of handset-based wiretap solutions or logging software, requiring the handset maker to falsely certify the purpose of the software update or even to hide the program’s installation. This is exactly what CALEA prohibited.

But couldn’t a carrier dictate to the handset maker adoption of the feature or change, inasmuch as the carrier does have CALEA surveillance obligations? A manufacturer’s only obligation under CALEA is to consult with a carrier. It has no obligation to build a handset with a backdoor. True, a carrier might not offer that phone to its users, but if history is any guide, the market has spoken and there is a strong appetite for secure devices. Which brings me to my last point - DoJ’s criticism that Apple is only taking this stand as a marketing ploy. Markets are made up of people. People want secure devices. No one is racing to return their iPhones because they lack a back door.