CALEA Limits the All Writs Act and Protects the Security of Apple's Phones

The government filed a brief today to compel Apple to circumvent its standard security features on the iPhone the government recovered from San Bernadino terrorist Syed Farook.  The government argued that the All Writs Act (AWA) authorized the court to require Apple to provide such technical assistance because the AWA has not been limited by Congress and “there is no statute that specifically addresses the issue of Apple’s assistance.”  Motion, p. 22.  The government questioned Apple's motives for refusing to cooperate and stated that it was not burdensome for Apple to do even if it had to write some software to do comply.

The case has generated tremendous interest and there are many legal and policy points to be made on both sides, but the primary assertion of the government that there is no statute limiting the AWA is not so.  The Communications Assistance for Law Enforcement Act (CALEA) is exactly that statute. The government acknowledges that CALEA exists, but it says: “Put simply, CALEA is entirely inapplicable to the present dispute [because] Apple is not acting as a telecommunications carrier, and the Order concerns access to stored data rather than real time interceptions and call-identifying information.”  Id., at 23.  

Put simply, this is entirely wrong.  CALEA is not limited in its applicability to telecommunications carriers at all as the government has represented to the court.  It applies to manufacturers and providers of telecommunications support services as well.  Apple is a manufacturer of telecommunications equipment, namely the S5 phone in the government’s possession.  Apple is entitled to the protections and limitations of CALEA just as it must comply with manufacturer requirements in the statute.

Second, those protections and limitations in CALEA are important and the government leaves out of its brief the most important section. Specifically, CALEA limits the government’s authority to dictate to carriers or manufacturers any specific equipment design or software configuration, including device security.   Section 1002(b)(1) provides:

(1) Design of features and systems configurations. This subchapter does not authorize any law enforcement agency or office

(a) to require any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services;

(b) to prohibit the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.

If CALEA doesn’t allow the government “to require any specific design of equipment, facilities, services, features or system configurations” from any manufacturer, then by definition, CALEA limits by statute what a court can order by fiat or writ under the AWA.  Therefore, the February 16th Order the government procured from the court cannot circumvent CALEA by relying on the AWA.  CALEA is not just about "interceptions" as the government suggests; it is about protecting the design and deployment of secure technologies and forbidding the government from dictating how, among other things, phones are made.

While arguing on one hand that CALEA doesn’t apply, the government then says that CALEA's encryption limitation actually supports it position because Congress required any telecommunications carrier that provides an encryption service and holds the decryption keys to decrypt communications if able to do so. Motion, p. 23, n.9.  In other words, CALEA itself contemplates some technical assistance. Here again the government has it backwards.

Section 1002(b)(3) of CALEA provides:

(3) Encryption. A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

CALEA actually permits the strongest encryption (or any other security feature or configuration) to be deployed by equipment manufacturers or carriers and it precludes the government from dictating that such encryption contain a “back door.”  CALEA relieves providers of any obligation to be able to decrypt anything unless a telecommunications carrier itself provides the encryption service and holds the keys.  In other words, Congress specified the ONLY assistance that would be required in regard to any encryption-based security features deployed by a manufacturer or provider and precluded the government from dictating any other design change or configuration.  

The threshold question here is whether CALEA means what it says and therefore is a limitation on the AWA. CALEA should preclude the government from requiring Apple to change a standard security feature in its phones to accommodate government access to the device.  If CALEA is such a limitation on the AWA, then the court will not need to address the many other difficult constitutional and policy questions being raised, nor will the court have to examine or define the limitations of the burden Apple can be required to bear in providing technical assistance.  Those can be left for another day and another phone.  

In the end, the government’s snark in its brief that  “Apple has attempted to design and market its products to allow technology, rather than the law, to control access to data” is too clever by half because it is the law as Congress wrote it that permitted Apple to deploy secure phone technology in the first place and that precludes the government from requiring Apple to undermine it.  

Comments

Dang! Apparently the DOJ's case is based on a lot of hand waving that convinced a low level magistrate judge. Hopefully, a higher level court will see through this BS.

I wonder if the DOJ's original intention was to try Apple in the court of public opinion. There are indications that this is a well planned campaign to discredit Apple for daring to design better security into their products. It could be that the DOJ wants to damage Apple as a warning to other U.S. tech companies.

Maybe i missed it, but not clear to me how § 1002(b)(1)'s "not authoriz[ing]" X means it actually forbids X. not authorized ≠ prohibited.

As characterized above (and of course, I'm not a lawyer to know one way or the other), this is an open-and-shut case in Apple's favor.

What other provisions allow the FBI to so brazenly claim these restrictions don't apply?

Walt, they can always claim national security. Many heinous and awful things have been done and defended on those grounds. If they really wanted to play hard ball they could threaten Apple executives with treason charges.

One tool currently being employed against the legal cannabis industry is civil asset forfeiture, which allows law enforcement officers to legally take someone's property without any proof of wrongdoing and it is up to the owner to prove the innocence of their possessions. In the current case, the federal government could threaten to seize all of Apple's bank accounts or realistically whatever they want.

I highly doubt the federal government would want to go down that road, but it is one of many dirty tricks the government can, and may, still use.

Your CALEA citation is prefaced that its limitation is in respect of the subchapter. I suspect AWA is not codified as part of that subchapter. I read the AWA as a grant of broad power to the courts in respect of the exercise of their jurisdiction. I'd argue this isn't a writ in aid of asserting jurisdiction and for that reason doesn't come under the AWA, or that the FBI is trying to circumvent CALEA.

This is an excellent piece! I did not realize CALEA provided these limits on the AWA.

I do not support the government's efforts and believe they are misusing the All Writs Act. While CALEA can be used to demonstrate that Congress has expressly said decryption cannot be mandated when the provider does not have the key and therefore has rejected the FBI's approach *in other contexts*, I disagree that it can be read to preempt AWA in this case.

Your analysis ignores the fact that the "manufacturers" that are covered by CALEA are manufacturers of "telecommunications equipment" (1002(b)(1)). "Telecommunications equipment" is defined in §153(52), and that definition is consistent with the usage in 1005(b) ("manufacturer of telecommunications transmission or switching equipment"). The equipment (and manufacturers) covered by CALEA is only that which is purchased by carriers for use inside their network.

The device to which the FBI seeks access is not "telecommunications equipment" and it is not used *by a carrier* for transmission or switching. Instead it is "CPE" (§153(16)). CALEA does not apply at all to edge devices owned by the user, or manufacturers of those devices.

Again, I am not an FBI supporter. To the contrary. But we should be careful to not raise clearly incorrect arguments such as the one expressed here.

CALEA says 'the United States Government requires you to be able to help US law enforcement if US law enforcement presents you with a valid court order.' CALEA also says 'we are not going to direct you to a specific solution.' By not directing the solution, the manufacturer is fully responsible for meeting legal requirements. No one believes their home is insecure just because someone can crash a vehicle into it to break in, so we've tacitly agreed that a home is secure even though someone could ram a readily-available and not even a very expensive vehicle into it. Why should anyone feel their phone would be insecure if a very expensive bit of equipment (hundreds of thousands of dollars) is required to access data stored in the phone and if it cannot be achieved remotely? What if all smart-phone data were stored un-encrypted in a non-volatile memory 'chip' surface-mounted with hundreds or thousands of ball-grid connections? Removing and re-mounting to make it accessible would then require such precision that doing so requires an arbitrarily expensive machine. If you deem it not secure enough with 400 BGA joints, then make it 1024 or some other arbitrary number-change the shape or BGA joint positioning to make it even harder. The memory chip could be removed from the phone and emplaced it on a circuit board with read-only USB or read-only SATA and encryption was never a factor. Such a phone would still be vastly more secure than almost any home. Data sent or received by the phone through normal means can be state-of-the-art encrypted while allowing the manufacturer to be in compliance with US law. Arbitrarily high levels of security can be maintained with no back door needed to comply with law. CALEA was on the books more than 10 years before Apple made their first phone. What can the US Government do about a company that designs a product which does not comply with our laws? Force a recall of all illegal devices at the manufacturer's expense and prevent sales of any such future products. Apple is treading far more dangerously than they seem to think. Manufacturers can best safeguard encryption by keeping it out of the debate.

Reading the defintions in 47 U.S. Code § 1001:

(8) The term “telecommunications carrier”—
(A) means a person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire; and
(B) includes—
(i) a person or entity engaged in providing commercial mobile service (as defined in section 332(d) of this title); or
(ii) a person or entity engaged in providing wire or electronic communication switching or transmission service to the extent that the Commission finds that such service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of this subchapter;

Only mentions "service".
Doesn't say anything about manufacturers, so doesn't apply to apple.

Facetime and iMessage are "electronic communication transmission services" provide by Apple on all iPhones which can substantially replace telephone exchanges.

"Capability requirementsExcept as provided in subsections (b), (c), and (d) of this section and sections 1007(a) and 1008(b) and (d) of this title, a telecommunications carrier shall ensure that its equipment, facilities, or services that provide a customer or subscriber with the ability to originate, terminate, or direct communications are capable of—"

Since the Act itself defines the process as being "service" and includes the subscribers' need to have the ability to "originate, terminate, or direct communications", the equipment necessary to facilitate that requirement would include a terminal device of some kind which would have to be manufactured. In this instance, that terminal device is an Apple iPhone which fulfills those functions. The carriers have selected Apple, among others, as a manufacturer of their choice for that necessary piece of equipment in their "service" to provide that customer required ability. As such, it is covered under CALEA and therefore subject to the limitations of 47 U.S. Code § 1002 paragraph (b), (1),(A),(B), and (3).

These comments are a fresh breeze in comparison to the technically and legally uninformed tripe that has surrounded this particular issue from Apple's initial public reaction.

Add new comment