22 Feb 2016

An End Run Around Encryption?

If the FBI wants to expand U.S. surveillance law to defeat strong encryption, using the All Writs Act is the wrong way to do it.

The world is talking about the heated and very public battle between Apple and the FBI over the government’s demand that Apple create special company-signed software that bypasses security measures preventing “brute force attacking” an iPhone.

Tim Cook, Apple’s CEO, has written a passionate letter explaining why he believes that Apple cannot comply with the order obtained by the FBI, given the unprecedented nature of the government’s request. The Department of Justice (DOJ), the FBI’s parent department, has fired its own public salvo in the form of an aggressive motion to compel that slams Apple’s public stance as “based on its concern for its business model and public brand marketing strategy.” Even Donald Trump has gotten into the mix, calling for the boycott of Apple products until the company complies with the order, and effectively bringing the debate about strong encryption into the Presidential election as a campaign issue.

Regarding the technical feasibility of what the government is asking for, suffice it to say that it is possible for Apple to do what the government wants. This is true for any iPhone, not just the San Bernardino shooter’s phone, which runs an older version of iOS.

Whether or not what the government is demanding is a “backdoor” depends on which side of the debate one is on. DOJ argues that because the requested software only circumvents non-encryption security features and would specifically be written to only work with the San Bernardino device, what the government seeks is not a “backdoor” into iPhone. Apple argues, to the contrary, that because the order requests a modification to iOS that does nothing other than weaken security by allowing brute force attempts, and because there is nothing stopping the requested software from being applied to any iPhone, the FBI is indeed trying to get a “backdoor.”

Regardless of whether or not the requirements of the order constitute a software backdoor, it is hard to argue that they do not constitute an official “hack” to circumvent core security features that have been purposefully built into iOS. Thus, this request does indeed appear to be unprecedented. Never before has the FBI asked Apple to re-write or hack its OS in a way that rolls back security features.

It is the unprecedented nature of the request plus the legal authority relied on by DOJ that makes this situation so disturbing, in my opinion. Essentially, DOJ is attempting to use the All Writs Act — originally enacted in 1789 as part of the Judiciary Act, which constituted and gave power to the U.S. federal courts — to generate a court-created legal solution that squares with DOJ’s views on strong encryption and its effect on law enforcement’s information gathering capabilities.

In other words, the Executive branch is asking the Judicial branch to step in and fill holes in surveillance law that Congress — the People’s branch — really should be addressing after a robust public debate.

This is very smart impact litigation by DOJ that takes advantage of case-specific facts that will naturally generate sympathy for law enforcement’s views on encryption. The problem is that, as the old legal adage goes, hard cases make for bad law. (Especially during the Presidential election cycle, I might add.)

The All Writs Act simply should not be wielded in a way that allows DOJ to legislate through the courts. And while the ultimate effect and goal of DOJ’s strategy may be to force Congress to act on strong encryption and the so-called “going dark” problem, it is worrisome that DOJ has picked this time to force Congress’ hand, during a Presidential election cycle that could lead to less than reasoned results.

Encryption: “Going Dark” versus a “Golden Age of Surveillance”

Here’s how the FBI describes its problem with strong encryption:

Law enforcement at all levels has the legal authority to intercept and access communications and information pursuant to court orders, but it often lacks the technical ability to carry out those orders because of a fundamental shift in communications services and technologies. This scenario is often called the “Going Dark” problem.

Law enforcement faces two distinct Going Dark challenges. The first concerns real-time court-ordered interception of data in motion, such as phone calls, e-mail, text messages, and chat sessions. The second challenge concerns “data at rest” — court-ordered access to data stored on devices, like e-mail, text messages, photos, and videos. Both real-time communications and stored data are increasingly difficult for law enforcement to obtain with a court order or warrant. This is eroding law enforcement’s ability to quickly obtain valuable information that may be used to identify and save victims, reveal evidence to convict perpetrators, or exonerate the innocent.

In short, DOJ is concerned that its investigative ability, as well as that of law enforcement generally, is being eroded by the spread of strong encryption technologies.

DOJ is probably correct that the growing use of strong encryption will make it more difficult than it has been in recent years for law enforcement to obtain the content (as opposed to the metadata) of some real-time communications and stored data. But whether DOJ’s investigative ability is being eroded, generally, is by no means clear. It is very important to consider that in today’s age, technology has greatly expanded the information gathering capabilities of law enforcement. Some even call today a golden age for surveillance.

After all, in the context of today’s investigations, law enforcement has far greater access to information about us than ever before, including our immediate whereabouts, the extent of our social networks, our personal proclivities and behaviors, and the huge volumes of electronic communications and metadata that likely will continue to remain unencrypted. This treasure trove of personal data directly results from the exponentially growing usage of Internet-connected devices and things and remote computing and storage (i.e., “the cloud”).

And we aren’t just creating data about our lives from our personal computers and mobile computing devices. Increasingly, we are filling our homes with Internet-connected appliances and sensors that constantly generate data and that could easily be co-opted as surveillance devices. Wearables are becoming more and more popular, especially those that keep track of sensitive personal health data. The connected car is finally becoming a reality. Public spaces, both physical and virtual, are increasingly filled with sensors and trackers that capture data not just for the benefit of law enforcement but also for commercial actors who hold and often sell data about us.

The volume of communications and information (i.e., data) that law enforcement may potentially access with a court order is incredible and will continue to grow. Importantly, this data may be accessible not just to law enforcement, but also to malicious actors such as cybercriminals and foreign governments. Data mining/analysis capabilities are also becoming more and more sophisticated, and law enforcement will inevitably develop the expertise to make use of the volumes of data now available to it.

It is in this context of “going dark” vs. a “golden age of surveillance” where we as a society must ask ourselves the following questions:

  • What is the scope of information gathering activity that we think is reasonable for law enforcement to do its duty?

  • What should the rules be for signing off on such investigation or surveillance as lawful?

  • What risks may be associated with designing surveillance into our technological systems, and to what extent should we engage in such design?

The way to come up with acceptable answers for the questions above is to have a public debate that ultimately results in legislation enacted by Congress. We should not let law enforcement’s investigatory/surveillance capabilities be expanded on a case-by-case basis through the court system.

Expanding Surveillance Law Using the All Writs Act

So, finally, we get to DOJ’s use of the All Writs Act in the San Bernardino iPhone case and why this could set a terrible precedent for how surveillance law develops going forward.

The All Writs Act states that federal courts may issue all writs (i.e., orders) “necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” This is broad language, but the U.S. Supreme Court has explained that the Act is really a residual source of authority that is limited in nature and applies only when “extraordinary remedies” are necessary:

The All Writs Act is a residual source of authority to issue writs that are not otherwise covered by statute. Where a statute specifically addresses the particular issue at hand, it is that authority, and not the All Writs Act, that is controlling. Although that Act empowers federal courts to fashion extraordinary remedies when the need arises, it does not authorize them to issue ad hoc writs whenever compliance with statutory procedures appears inconvenient or less appropriate.

The Supreme Court has also indicated that the issuance of writs under the Act is primarily intended to “effectuate and prevent the frustration of orders it has previously issued in its exercise of jurisdiction otherwise obtained.” In the investigatory/surveillance context, for example, federal courts have issued orders under the Act compelling third parties to furnish facilities and provide technical assistance to effectuate the execution of valid warrants.

As I see it, there is a fundamental problem with using the All Writs Act in the investigatory/surveillance context, where “extraordinary remedies” may be particularly common given the rapid technological changes that increase law enforcement’s information gathering capabilities. This fundamental problem stems from the current state of the case law, which leaves room for the Act to be used to fill statutory gaps in surveillance law on a case-by-case basis — even where Congress appears to have considered a particular issue at hand but has, for whatever reason, failed to address it explicitly by statute.

Take the FBI’s demands in the San Bernardino iPhone case. DOJ has obtained an order that requires Apple to develop security circumvention software for use with a particular iPhone. However, unlike changes to physical telecom facilities, modifying the requested software to be used with any iPhone would likely be a trivial exercise for Apple (and possibly malicious third parties).

Thus, the extraordinary remedy DOJ seeks is not really particularized in nature, but results in a programmatic change to Apple’s responsibilities. If the order stands, Apple’s iPhones are effectively being re-designed with prospective technical assistance for investigation and surveillance in mind.

We have statutes on the books that deal with such technical assistance. One such statute is the Communications Assistance for Law Enforcement Act (CALEA). CALEA requires that telcos, broadband providers, VOIP providers, and their vendors modify and design their equipment, facilities, and services to ensure that law enforcement can wiretap real-time communications. Importantly, CALEA exempts covered persons from providing assistance with decryption where the encryption technology is managed on an end-to-end basis. Also importantly, information service providers (e.g., email, messaging, and other web app providers) are not covered under CALEA. Indeed, the exclusion of information service providers from CALEA was a hard-fought battle that was won by privacy advocates.

Another statute dealing with technical assistance for surveillance is the Electronic Communications Privacy Act (ECPA), which, it is widely acknowledged, must be updated to deal with advances in technology and to be less confusing and patchwork in nature. Among other things, ECPA allows law enforcement to require the technical assistance of service providers in intercepting “electronic communications” (a very broadly defined term). When it comes to providing such assistance, it is not clear to what extent electronic communications service providers may be required to assist in decryption of encrypted communications. For example, can providers be required to conduct man-in-the-middle attacks to intercept communications? Can they be required to push malware to the client-side apps that are used to access their services?

It should be clear from the above that, while Congress has explicitly addressed technical assistance and encryption in some contexts (see CALEA), it has also failed or refused to explicitly address it in others (see ECPA). But, clearly, Congress appears to have considered the questions surrounding encryption. Should the fact that Congress hasn’t explicitly expanded or restrained law enforcement’s investigatory/surveillance capabilities with respect to encryption give law enforcement the ability to fill in the gaps on encryption via the courts?

I would argue, no.

True, law enforcement has traditionally had broad authority to conduct investigations and come up with new techniques to aid those investigations. But as noted above, we arguably are living in a “golden age of surveillance,” and in such a world, the risks to our personal information from designing systems with surveillance in mind are very real. Thus, the best course of action with respect to expanding investigation and surveillance capabilities is to have Congress consider all the risks entailed before allowing any such expansion.

Courts simply aren’t well situated to deal with the complex issues that arise from the rapid change in technology. Just take a look at the factors considered when determining whether a technical assistance order under the All Writs Act is proper. Under U.S. v. New York Telephone Co., courts are supposed to consider: (1) how far removed the third party is from the underlying controversy; (2) whether the government’s request places an “undue burden” on the third party; and (3) whether the third party’s assistance is necessary to achieve the purpose of the warrant. As one might expect, nowhere do we see any consideration whatsoever of the aggregated systemic effects on individuals that may result from allowing a particular type of investigatory/surveillance technique.

The public may ultimately come out in favor of forcing device manufacturers like Apple to assist in breaking encryption or even to build backdoors into their devices. While I might personally disagree with those results, at least it would be the representative branch of government that will have decided these difficult issues. That would be much better than allowing the expansion of surveillance law using the All Writs Act, where Tim Cook’s laundry list of horribles becomes a very real risk to the public.

Conclusion

Below is an excerpt from Justice John Paul Stevens’ dissent in New York Telephone, the seminal case on the All Writs Act and technical assistance orders:

[T]he history and consistent interpretation of the federal court’s power to issue search warrants conclusively show that, in these areas, the Court’s rush to achieve a logical result must await congressional deliberation. From the beginning of our Nation’s history, we have sought to prevent the accretion of arbitrary police powers in the federal courts; that accretion is no less dangerous and unprecedented because the first step appears to be only minimally intrusive.

Justice Stevens’ warning was prescient, and it may be time to revisit the scope of the courts’ power under the All Writs Act.

More likely, however, Congress will finally kick into gear on the strong encryption debate. Indeed, the FBI and its parent agency may have intended for this to be the ultimate result of the San Bernardino iPhone case. After all, DOJ appears to have wanted to make the dispute public, while Apple did not (understandably). I do worry that in today’s climate, we will get poor decisions made by our legislators on encryption. But that’s democracy and the proper course of action.

Disclosure: I am a lawyer, but I am not your lawyer. This article does not constitute legal advice. If you need legal advice, then please retain your own lawyer.

Note: This article was originally posted on Medium on February 22, 2016.