Stanford CIS

CIS Files FOIA Request to DOJ for Legal Opinions on Crypto-Defeating Laws

By Riana Pfefferkorn on

Yesterday, the Center for Internet and Society filed a new Freedom of Information Act (FOIA) request to uncover the U.S. government’s legal strategies for defeating encryption in law enforcement investigations. We’re particularly interested in whether law enforcement agencies think they can force the makers of mobile devices and communications systems to decrypt devices or data, bypass passcodes, hand over encryption keys, insert backdoors, or otherwise change their products to be more surveillance-friendly.

At the end of March, the DOJ dropped its high-profile case seeking to force Apple to help it bypass security measures on San Bernardino shooter Syed Farook’s iPhone. Nevertheless, the federal government is pressing on with its appeal from a Brooklyn magistrate judge’s denial of an application to compel Apple to extract data from a different iPhone in a drug case. In addition, the DOJ is also seeking at least a dozen other orders to unlock still more iPhones.

All of these requests have been made under the All Writs Act (AWA). The DOJ argues that under the AWA, companies like Apple can be forced in any number of ways to help law enforcement get around encryption that protects data subject to warrants or other legal authorization to search. We disagree with the DOJ’s views, and filed an amici curiae brief in the San Bernardino “Apple vs. FBI” case on behalf of a group of iPhone security and applied cryptography experts warning of the dangerous implications of the DOJ’s position.

The public deserves to know the thinking behind the government’s aggressive interpretation of the AWA. I’ve researched other AWA cases the DOJ has filed in recent years, and I contributed some of that research to the ACLU’s recent nationwide map of AWA orders to Apple and Google. CIS also joined the ACLU in filing Freedom of Information Act (FOIA) requests to the DOJ seeking information about past cases where Apple has been ordered to unlock iPhones or otherwise render technical assistance to law enforcement.

Now, we’ve expanded our inquiry to find out how the government thinks about other laws available in its anti-crypto toolbox. Today there is no federal statute that mandates that Internet companies provide law enforcement with access to user information in unencrypted form. Device manufacturers and Internet providers are free to design their encryption and other security features so that no one but the user – not even the company itself, much less law enforcement – can access a user’s encrypted data. Nevertheless, the “Apple vs. FBI” iPhone case has opened a window on how the U.S. government may be using existing laws in closed and sealed court proceedings to get around encryption.

To learn more, CIS submitted a FOIA request (PDF attached) to several federal agencies including the DOJ and the Federal Bureau of Investigation, seeking information about the government’s efforts to use technical-assistance provisions to circumvent information security measures. In addition to the AWA, several federal statutes, such as the Wiretap Act and Pen Register Act, can compel third-party providers to give technical assistance to law enforcement in implementing surveillance orders. We want to know whether these federal agencies have interpreted these technical-assistance laws to enable police to force decryption, to bypass passcodes, to reveal encryption keys, or otherwise design products to be more surveillance-friendly.

What the DOJ thinks it can and cannot do is particularly relevant to the policy debate over Senators Dianne Feinstein’s and Richard Burr’s anti-encryption bill, nicknamed the “Compliance with Court Orders Act of 2016,” which has been roundly criticized by technologists and civil liberties advocates alike. The poorly-drafted bill would prohibit American companies from providing encryption in their products and services unless they could render the encrypted data “intelligible” for the government upon receipt of a court order. It is often hard for the public to know how the government will use newly-granted surveillance authorities. One way to figure out what this legislative proposal might mean is to read the DOJ’s legal opinions and find out what the FBI wishes it could do, but currently cannot.

Given pending court cases and legislative proposals, CIS has asked for an expedited response to our FOIA request so that we can share with the public the details of the DOJ’s views of its legal powers for circumventing encryption.

Published in: Blog , Crypto Policy Project , Privacy