DoJ Misleads Court on CALEA in the Apple Case

The Department of Justice (DoJ) filed its response yesterday to Apple's motion to vacate the court’s order that directed Apple to write new code and certify it to circumvent a security feature configured to prevent access to a device.  Reaction to the tone and DoJ analysis was swift, and it highlights the stakes of the case for both sides.  Not surprising, DoJ asserts largely unconstrained power under the All Writs Act to have a court compel a third party to do whatever needs to be done to facilitate an authorized search.  DoJ pretends that the Communications Assistance for Law Enforcement Act (CALEA) is altogether inapplicable to the case, as if this very debate had not occurred in 1994 and Congress had not spoken to relieve manufacturers of any such obligations.  DoJ’s position is understandable because if CALEA applies, then the order is improper.  But DoJ's position is indefensible, and worse, DoJ actively misleads the court on CALEA in its brief.  

As I’ve noted before, CALEA precludes the government from requiring “any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.”  47 U.S.C. 1002(b)(1)(emphasis added).  It also prohibits the government from requiring “the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.” Id., at 1002(b)(2).  The government dismisses CALEA by saying that the provision is a limitation on law enforcement, not the courts, and so it can achieve its goal merely by having the court do what it is prohibited from doing directly.  As I noted here, that argument is circular and ignores the fact that CALEA specifically addressed the obligations of manufacturers and crafted a very narrow law to define precisely which parties had an obligation to design equipment and services to facilitate surveillance, and which ones did not.

DoJ next asserts that Apple is not an exempt information service under CALEA in any case, and even if it were, it is not a manufacturer of telecommunications equipment.  It doesn’t matter if Apple is or isn’t an information service under CALEA.  It is a manufacturer and as such cannot be ordered by the government to change the configuration of its equipment.  But here is where DoJ most actively misleads the court -- it argues in footnote 3 of its brief that a manufacturer of telecommunications equipment under Section 1002(b) is limited to a “manufacturer[] of [] telecommunications transmissions and switching equipment,” citing 47 U.S.C. 1005, and doesn't include manufacturers of telephones.

Section 1005, however, is limited specifically to a manufacturer’s obligation to cooperate with a telecommunications provider in designing CALEA solutions for wiretaps.  Of course Section 1005 speaks to telecommunications transmissions and switching equipment, which is where the CALEA software resides. But in no way does Section 1005 define or limit the prohibitions in Section 1002 that preclude government from otherwise dictating or requiring changes in “any specific design of equipment, facilities, services, features, or system configurations” by a "any telecommunications manufacturer," not just a manufacturer of switching equipment.  

To the collective chortle of the telecommunications industry, DoJ asserts that in any event telecommunications equipment does not include telephones.  The term is not defined in CALEA and there is no indication that Congress meant anything other than the plain words in the statute so it is a long reach to say that a phone is not a piece of telecommunications equipment.  But let's make the stretch for DoJ.  Is DoJ serious in arguing that it can compel manufacturers like Apple to create handset-enabled surveillance equipment; that is, to require that phones rather than central office switches contain wiretap capabilities?  That is the result of its logic and argument, and that really is the result of its demand in this case.

Taking another step, I also noted here that DoJ’s CALEA argument also would permit it to obtain a court order to require a system redesign of routing and switching telecommunications equipment despite the language of Section 1002.  All it need show, under its theory, is that a peer-to-peer network, for example, is being used by particular criminals and terrorists and failure of the router manufacturer or VPN provider to design a back door for access to the communication stream frustrates a court-ordered wiretap.  Peer-to-peer communications are exempt from CALEA, as are encrypted messaging services, or VPNs, but that doesn’t matter to DoJ, because CALEA is only a restriction on them, not a court and the New York Telephone standard is a low bar to achieve its goals.  

DoJ would have been more honest to argue that two years after the passage of CALEA, Congress passed the Communications Act of 1996 and carved “customer premises equipment” or "CPE" out of the definition of "telecommunications equipment."  See 47 U.S.C. 153(16).  CPE is understood to include customer-owned handsets or phones.  But that argument would require DoJ to admit that CALEA applied in the first instance and that the term “telecommunications equipment” is ambiguous and should be interpreted by how Congress later, in a separate statute, applied it.  Such an approach would be too risky because the legislative history of CALEA makes it very clear that Congress defined the collective telecommunications universe of obligations to assist law enforcement -- it is after all called the Communications Assistance for Law Enforcement Act.  

The stakes of this case certainly are high.  It may be that a future Congress decides that the technical assistance the government wants here is necessary and desirable to assist law enforcement in its mission.  But CALEA left no gaps for a court to fill with the All Writs Act today and DoJ knows it.  

 

Comments

Mr. Gidari,
Isn't the DOJ arguing exactly what you mention in your closing paragraph? Specifically, that Apple's iPhone, as of 1996, is exempt from CALEA because 47 U.S.C. 153(16) specifically states that CPE is not Telecommunications Equipment.
Is there not an existing precedent which gives the Courts guidance on choosing between conflicting definitions of the same word(s)? Can you choose a definition of a term in a statue not applicable to your argument (other than the differing definition), especially when the definition chosen is more recent and more specific?

So, after all this plays out, should the courts side with the DoJ and order Apple to comply, if Apple just flattly says, "No", what could happen? Fines? If Apple just says, "No" to those as well? What could the DoJ possibly do to them?
I really hope Apple sticks to their moral high ground here. No matter the consequences.
http://www.victoriachristophe.com/

The appeals will take a long time, but in the end, if DoJ prevails after the appeals are exhausted, I would expect Apple to follow the law.

Calea d/n apply because Doj is not asking Apple to reDESIGN its phones in order to permit the govt to listen in on anything, or tap wires, or program a backdoor. Apple can continue to have the features and security that it built in all phones. But it has to remove the barriers it does deploy on this phone in response to a valid court order, the same way you would have to unlock all the deadbolts on your front door in response to a valid warrant. You are not being asked to redesign your home security, you are removing barriers you created and controlled that impede a valid search warrant.
Think of a bank that promises to be the safest, most secure place to keep your money. Safe deposit boxes requiring two keys (bank's and customer's) in a secure room, guarded by password protected gates and giant vault. With a valid warrant, bank has to help open vault, input passwords, key cards etc, and possibly even insert its own key in the box while the government tries to pick the final customer lock. This is not a redesign of bank security, all of which will be put back in place by the bank at conclusion. Customer security from bad guys remains assured.
Issue is whether Apple gets special exception from reach of valid warrants and court orders. Apple has a first Amendment right to design a zero knowledge system which would prevent them from helping law enforcement, and that is a value judgement they will have to make for themselves. But you can't put 30 locks and booby traps on your front door and then claim in the face of a valid warrant that it is either too burdensome to remove, a violation of your right to express pro-security/anti-government sentiments, or constitutes a "redesign" if you have to unlock them.

Sorry, but read the statute. They cannot compel a change in configuration or features. It is exactly what is being demanded. Change the way the security works on the phone.

Jim is right. The language to which you refer is a limitation only on the capability provision right above it. "Read the statute"

Mike is right. The language to which you refer is a limitation only on the capability provision right above it. "Read the statute"

Our difference of opinion is not based on the language of the statute, whose definitions I have accepted as applicable for the sake of argument, but rather what is factually required of Apple by this order. You say it has to "redesign" software. I say the phone's iOS design is not the issue: Apple can continue to design it's iOS for all phones the same way it always has after this case. It is being compelled to unlock a "tamper-proof" feature on this phone, something only it can do, not to redesign all phones such that the government has back door access to all phones. The fact that Apple wanted iOS to be tamper-proof doesn't mean it is "redesigning" that feature by disabling it on this phone in response to a court order.
A bank can deploy Iris scans, biometric readers, and whatever security measures it wishes to protect its clients items in the bank. However, that bank has to disable the same measures in the face of a valid warrant, even if each measure is designed to be tamper-proof, as all likely would be. Even if the equipment is destroyed in the process. Taking those tamper-proof measures down would probably require the designers' assistance, but that constitutes disabling of a feature, not a redesign. Unlocking a lock is not a redesign of the lock, and locking a lock with a passcode or programming code doesn't give it special design protection over a key, or a combo. It's just longer-and Apple will be complete ensnared for its trouble.
To use the safe analogy again, the government is not asking a safe maker to build a vulnerability into its safes so that government can access it anytime it wants in the future.

Our difference of opinion is not based on the language of the statute, whose definitions I have accepted as applicable for the sake of argument, but rather what is factually required of Apple by this order. You say it has to "redesign" software. I say the phone's iOS design is not the issue: Apple can continue to design it's iOS for all phones the same way it always has after this case. It is being compelled to unlock a "tamper-proof" feature on this phone, something only it can do, not to redesign all phones such that the government has back door access to all phones. The fact that Apple wanted iOS to be tamper-proof doesn't mean it is "redesigning" that feature by disabling it on this phone in response to a court order.
A bank can deploy Iris scans, biometric readers, and whatever security measures it wishes to protect its clients items in the bank. However, that bank has to disable the same measures in the face of a valid warrant, even if each measure is designed to be tamper-proof, as all likely would be. Even if the equipment is destroyed in the process. Taking those tamper-proof measures down would probably require the designers' assistance, but that constitutes disabling of a feature, not a redesign. Unlocking a lock is not a redesign of the lock, and locking a lock with a passcode or programming code doesn't give it special design protection over a key, or a combo. It's just longer-and Apple will be complete ensnared for its trouble.
To use the safe analogy again, the government is not asking a safe maker to build a vulnerability into its safes so that government can access it anytime it wants in the future.

Add new comment