from the uh,-that's-not-how-this-works dept
Support our crowdfunding campaign to help us keep covering stories like these!
The Justice Department has now
filed its response to Apple's motion to vacate being forced to undermine the security features of Syed Farook's work iPhone. It's... quite a piece of work. The DOJ is pulling out all the stops in this one, and it seems to be going deeper and deeper into the ridiculous as it does so. Of course, it repeats many of the arguments in its earlier filings (both its
original application for the All Writs Order as well as its
Motion to Compel -- which even the judge told the DOJ she didn't think it should file). For example, it continues to assert that this should be judged on the
"three factor test" that it made up from a Supreme Court decision that doesn't actually have a three factor test.
But the crux of the DOJ's argument is basically "how dare Apple make a warrant-proof phone" and thus it's
Apple's fault that they haven't made it easy for the FBI to get what it wants. This argument is bonkers on many levels. Let's dig in:
By Apple’s own reckoning, the corporation—which grosses hundreds of billions of dollars a year—would need to set aside as few as six of its 100,000 employees for perhaps as little as two weeks. This burden, which is not unreasonable, is the direct result of Apple’s deliberate marketing decision to engineer its products so that the government cannot search them, even with a warrant.
This is a purposeful misrepresentation. The issue here is that the judge has made it clear that the key issue that she's concerned with is whether or not the request from the DOJ represents an "unreasonable burden" on Apple -- as the "burden" is the only actual test laid out in the US v. NY Telephone case the DOJ keeps pointing to. But Apple didn't present the time and manpower to show that it's the
resources that are the unreasonable burden, but the potential impact on the safety and security of its customers. Focusing on the time is not the issue, but of course, the DOJ pretends it is.
Second, the DOJ's continued its ridiculous insistence that
making your products safe and secure is a "deliberate marketing decision" -- which somehow makes it offensive in some way. Apple didn't engineer its products "so that the government cannot search them," it's so that
your information is safe and secure from anyone, including criminals. You would
think that law enforcement people in the FBI and DOJ would
appreciate more secure devices that reduce crime. There was a time that
they did. To sneeringly suggest that better protecting the public is nothing more than a "marketing decision" is ridiculous. Hell, even if it was a "marketing decision," a big part of the reason that "the market" wanted such features so badly was because the US government itself overstepped its bounds with mass surveillance.
The Court’s Order is modest. It applies to a single iPhone, and it allows Apple to decide the least burdensome means of complying. As Apple well knows, the Order does not compel it to unlock other iPhones or to give the government a universal “master key” or “back door.” It is a narrow, targeted order that will produce a narrow, targeted piece of software capable of running on just one iPhone, in the security of Apple’s corporate headquarters.
It has been explained -- at length -- by both Apple and various amicus briefs, how ridiculous this is. Everyone -- including the FBI -- has now admitted that this case is almost entirely about the precedent, and that a win for the DOJ will inevitably mean a long line of law local and federal law enforcement lining up outside Apple's headquarters in Cupertino with court orders in their hands, demanding that Apple help them crack into iPhones. That's a big deal. It also sets a precedent even beyond Apple, that companies can be forced to deliberately (1) weaken security on their devices and services and (2) lie to the public about it by "signing" the devices as legit.
The government and the community need to know what is on the terrorist’s phone, and the government needs Apple’s assistance to find out.
No it does not need to know and
no it does not need Apple's assistance. Again, there is always evidence that is off-limits in criminal investigations, and there are ways in which the FBI can likely get into this particular phone.
Instead of complying, Apple attacked the All Writs Act as archaic, the Court’s Order as leading to a “police state,” and the FBI’s investigation as shoddy, while extolling itself as the primary guardian of Americans’ privacy.... Apple’s rhetoric is not only false, but also corrosive of the very institutions that are best able to safeguard our liberty and our rights: the courts, the Fourth Amendment, longstanding precedent and venerable laws, and the democratically elected branches of government.
Apple didn't attack the AWA as "archaic" so much as
inapplicable in this situation. Once again, the DOJ is doing some serious misrepresentation in this filing (and we're just three paragraphs in).
This case—like the three-factor Supreme Court test on which it must be decided—is about specific facts, not broad generalities. Here, Apple deliberately raised technological barriers that now stand between a lawful warrant and an iPhone containing evidence related to the terrorist mass murder of 14 Americans. Apple alone can remove those barriers so that the FBI can search the phone, and it can do so without undue burden. Under those specific circumstances, Apple can be compelled to give aid. That is not lawless tyranny. Rather, it is ordered liberty vindicating the rule of law. This Court can, and should, stand by the Order. Apple can, and should, comply with it.
Three factors! Drink! And, yes, Apple put in place these "barriers,"
but not as barriers to the government, but as security for everyone -- and there's a very big question, which the DOJ so desperately wishes to avoid with the mumble jumble above, which is whether or not a company can be forced to purposely write and sign code that deliberately undermines security features.
In deciding New York Telephone, the Supreme Court directly confronted and expressly rejected the policy arguments Apple raises now. Like Apple, the telephone company argued: that Congress had not given courts the power to issue such an order in its prior legislation; that the AWA could not be read so broadly; that it was for Congress to decide whether to provide such authority; and that relying on the AWA was a dangerous step down a slippery slope ending in arbitrary police powers.
Once again, the DOJ is misrepresenting the issues at play both in this case and in NY Telephone. In that case, a key part of the SCOTUS decision was based on the fact that NY Telephone
was a public utility and therefore had certain responsibilities. That's not true of Apple. The DOJ also misrepresents the Congressional situation, which is different here, in that Congress did pass a specific law in this area, CALEA, which explicitly says that Apple
need not help in this situation. The All Writs Act is a "gap filling" law, for when Congress has not spoken. But on this issue, it has.
The Supreme Court’s approach to the AWA does not create an unlimited source of judicial power, as Apple contends. The Act is self-limiting because it can only be invoked in aid of a court’s jurisdiction. Here, that jurisdiction rests on a lawful warrant, issued by a neutral magistrate pursuant to Rule 41. And New York Telephone provides a further safeguard, not through bright-line rules but rather through three factors courts must consider before exercising their discretion: (1) how far removed a party is from the investigative need; (2) how unreasonable a burden would be placed on that party; and (3) how necessary the party’s assistance is to the government. This three-factor analysis respects Congress’s mandate that the Act be flexible and adaptable, while eliminating the concern that random citizens will be forcibly deputized.
Three factors! Drink!
The DOJ insists that even with CALEA not saying it can do this, that doesn't matter, because CALEA is all about what companies can be forced to do
prior to a warrant, not after.
CALEA, passed in 1994, does not “meticulously,” “intricately,” or “specifically” address when a court may order a smartphone manufacturer to remove barriers to accessing stored data on a particular smartphone. Rather, it governs what steps telecommunications carriers involved in transmission and switching must take in advance of court orders to ensure their systems can isolate information to allow for the real-time interception of network communications
But of course, under that interpretation, then the All Writs Act grants tremendous powers -- exactly the kinds of powers the DOJ insists elsewhere in this brief that isn't at issue in this case. I don't see how the DOJ can have it both ways.
As Apple recognizes, this Court must consider three equitable factors: (1) how “far removed” Apple is “from the underlying controversy”; (2) how “unreasonable [a] burden” the Order would place on Apple; and (3) how “necessary” its assistance is to searching Farook’s iPhone.
Three factors! Drink!
Apple is not so far removed from the underlying controversy that it should be excused from assisting in the execution of the search warrant. In New York Telephone, the phone company was sufficiently close to the controversy because the criminals used its phone lines. See 434 U.S. at 174. The Court did not require that the phone company know criminals were using its phone lines, or that it be involved in the crime. See id. Here, as a neutral magistrate found, there is probable cause to believe that Farook’s iPhone contains evidence related to his crimes. That alone would be sufficient proximity under the AWA and New York Telephone, even if Apple did not also own and control the software on Farook’s iPhone.
But again, under such an interpretation, the AWA can be used to force basically any tech company to figure out ways to spy on users if the FBI comes calling and gets a magistrate judge to rubber stamp an order. That's... crazy. Just because they use your technology
does not mean that you're somehow legally on the hook for helping the FBI investigate their usage.
As Apple’s business model and its representations to its investors and customers make clear, Apple intentionally and for commercial advantage retains exclusive control over the software that can be used on iPhones, giving it monopoly-like control over the means of distributing software to the phones. As detailed below, Apple does so by: (1) firmly controlling iPhones’ operating systems and first-party software; (2) carefully managing and vetting third-party software before authenticating it for use on iPhones; and (3) continually receiving information from devices running its licensed software and its proprietary services, and retaining continued access to data from those devices about how its customers are using them. Having established suzerainty over its users’ phones—and control over the precise features of the phones necessary for unlocking them—Apple cannot now pretend to be a bystander, watching this investigation from afar.
This is kind of an incredible argument when you think about it: because Apple makes sure that its devices have updated software to keep it safe from vulnerabilities, that means that Apple is somehow connected to any use of the phone and responsible for helping the FBI crack into the phone. Does the FBI really want to encourage companies to stop offering any follow on support for software? Because that's the argument they're making here.
Thus, by its own design, Apple remains close to its iPhones through careful management and constant vigil over what software is on an iPhone and how that software is used. Indeed, Apple is much less “removed from the controversy”—in this case, the government’s inability to search Farook’s iPhone—than was the New York Telephone company because that company did not deliberately place its phone lines to prevent inconspicuous government access.... Here, Apple has deliberately used its control over its software to block law-enforcement requests for access to the contents of its devices, and it has advertised that feature to sell its products.
This argument is particularly maddening: basically continuing the ridiculous line of thinking that
protecting user privacy is some sort of deliberate marketing strategy
against the government, rather than in favor of protecting customers' own security and privacy.
And then we get even more maddening. In discussing the "burden" the DOJ literally tries to argue that
if there is a burden, it's Apple's fault for designing a system so secure.
Apple is one of the richest and most tech-savvy companies in the world, and it is more than able to comply with the AWA order. Indeed, it concedes it can do so with relatively little effort. Even this modest burden is largely a result of Apple’s own decision to design and market a nearly warrant-proof phone.
This is monumentally misleading. The whole DOJ premise is that Apple deliberately is trying to
interfere with legal investigations. But that's bonkers. Apple is just trying to build a secure phone for its users -- and a
natural and unavoidable consequence of that is that it makes it more difficult for law enforcement to get access to that info. But that's because the whole point of such security is to make it more difficult for
everyone who is not the phone's owner to get access, because
that's how you protect them.
The DOJ is so vain it thinks Apple's security is all about them.
Then we get back to the lying:
Apple’s primary argument regarding undue burden appears to be that it should not be required to write any amount of code to assist the government.
Not really. Its primary argument is that the burden is in
writing any amount of code that undermines the safety and security of its customers. That last part is kind of the important part. No wonder the DOJ ignores it.
Apple asserts that it would take six to ten employees two to four weeks to develop new code in order to carry out the Court’s Order.... Even taking Apple at its word, this is not an undue burden, especially given Apple’s vast resources and the government’s willingness to find reasonable compromises and provide reasonable reimbursement.
Apple is a Fortune 5 corporation with tremendous power and means: it has more than 100,000 full-time-equivalent employees and had an annual income of over $200 billion dollars in fiscal year 2015—more than the operating budget for California.... Indeed, Apple’s revenues exceed the nominal GDPs of two thirds of the world’s nations. To build the ordered software, no more than ten employees would be required to work for no more than four weeks, perhaps as little as two weeks.
Again, this is misleading (sense a theme?). First, as noted above, the "burden" is not so much in the time or engineers allotted to this issue. Second, even if we accept the DOJ's assertions here, it's misleading. The Apple filing noted that it would take that much effort just to create the initial code and to test it, but then noted -- quite rightly -- that if in the testing any problems arose, as they almost certainly would, it would need to basically redo the process. Part of the point, which can slip by non-technical people who have no experience developing and deploying code, is that this process could take a long, long time, and involve a lot of effort before it's actually safe to use on the actual phone.
Next up, the DOJ continues to insist that there can't possibly be any danger in creating this code, because Apple surely knows how to guard it, and further, that even if the code got out, that it wouldn't matter because it's asking for code that will only run on the Farook phone.
Next, contrary to Apple’s stated fears, there is no reason to think that the code Apple writes in compliance with the Order will ever leave Apple’s possession. Nothing in the Order requires Apple to provide that code to the government or to explain to the government how it works. And Apple has shown it is amply capable of protecting code that could compromise its security. For example, Apple currently protects (1) the source code to iOS and other core Apple software and (2) Apple’s electronic signature, which as described above allows software to be run on Apple hardware.... Those —which the government has not requested—are the keys to the kingdom. If Apple can guard them, it can guard this.
But, again, that leaves out the reality of testing this particular code and how that makes it much more likely the code will get out. This argument was presented in
the amicus brief filed by iPhone forensics and security experts.
Next up, the DOJ totally misrepresents Apple's current assistance to government requests for information from the Chinese government. The DOJ is trying to argue, misleadingly, that Apple has no problem doing the same stuff for China, so that its worries about this case, creating a precedent for authoritarian regimes, is nonsense. But it's the DOJ's argument that's truly nonsense:
Apple suggests that, as a practical matter, it will cease to resist foreign governments’ efforts to obtain information on iPhone users if this Court rules against it. It offers no evidence for this proposition, and the evidence in the public record raises questions whether it is even resisting foreign governments now. For example, according to Apple’s own data, China demanded information from Apple regarding over 4,000 iPhones in the first half of 2015, and Apple produced data 74% of the time.... Apple appears to have made special accommodations in China as well: for example, moving Chinese user data to Chinese government servers, and installing a different WiFi protocol for Chinese iPhones.... Such accommodations provide Apple with access to a huge, and growing, market.... This Court’s Order changes neither the carrots nor the sticks that foreign governments can use on Apple. Thus, it does not follow that if America forgoes Apple’s assistance in this terrorism investigation, Apple will refuse to comply with the demands of foreign governments. Nor does it follow that if the Court stands by its Order, Apple must yield to foreign demands, made in different circumstances without the safeguards of American law.
What the DOJ is referring to here is Apple's latest transparency report in which it notes that it complied with 74% of government requests for information from China. You can
see it here:
But again, Apple has
always been willing to respond to legitimate government requests for information
that it has access to. That's why that same chart shows that it complied with 81% of US requests as well. But that says
absolutely nothing about the requirement to build a special system to hack in and access data that it
does not currently have access to.
The rest of the China stuff, about servers and WAPI, is just the DOJ picking up on
Stewart Baker's conspiracy theory that he posted a few weeks back. Lots of countries (stupidly) demand local storage, not necessarily because of surveillance reasons, but because they think it's good for their economy. And the reason Apple used WAPI was because
that was the standard used in China for WiFi-like wireless. And as for the idea that Apple magically gave access to the Chinese, that makes no sense, given that Apple then had to
fight a man in the middle attack against iCloud in China that was claimed to have originated from the Chinese government. If Apple gave it access, why would the government need to run a MiTM attack? The whole argument makes no sense.
In the first half of 2015 alone, Apple handled 27,000 “device requests”—often covering multiple devices—and provided data approximately 60% of the time.... If Apple can provide data from thousands of iPhones and Apple users to China and other countries, it can comply with the AWA in America. (Id.) This is not speculation because, in fact, Apple complied for years with American court orders to extract data from passcode-locked iPhones, dedicating infrastructure and personnel in order to do so.
Again
that's different. That's about supplying the info that Apple had access to and
not about writing code to undermine security features. Apples and oranges.
Finally, the DOJ mocks Apple's constitutional arguments on the First and Fifth Amendments.
Apple’s claim is particularly weak because it does not involve a person being compelled to speak publicly, but a for-profit corporation being asked to modify commercial software that will be seen only by Apple. There is reason to doubt that functional programming is even entitled to traditional speech protections....
To the extent Apple’s software includes expressive elements—such as variable names and comments—the Order permits Apple to express whatever it wants, so long as the software functions.
We're not "compelling" you to say this exactly, we're letting you say whatever you want... so long as it does what we want it to. That still seems like compelled speech, no?
Apple lastly asserts that the Order violates its Fifth Amendment right to due process. Apple is currently availing itself of the considerable process our legal system provides, and it is ludicrous to describe the government’s actions here as “arbitrary.”
Once again, it appears that many of the DOJ's arguments here are misleading in the extreme. Apple's response is due next week, and I imagine it will be quite a read as well.
Support our crowdfunding campaign to help us keep covering stories like these!
Filed Under: all writs act, china, doj, encryption, fbi
Companies: apple
