Encryption

A Coherent Middle Ground in the Apple-FBI All Writs Act Dispute?

By Robert Chesney, Steve Vladeck
Monday, March 21, 2016, 7:00 AM

The very public fight between Apple and the FBI over the last six weeks has not only reinvigorated the broader debate over the “going dark” concern (and the larger, age-old tension between privacy and security) but has also drawn attention to the specific legal question of just how much power current federal law (in the form of the All Writs Act) confers upon judges to compel private persons and companies to take affirmative steps to help the government execute a duly-issued search warrant.

As readers know, there is now a pair of dueling magistrate judge orders in similar cases raising this issue: one from Judge Pym in the Central District of California ordering Apple to devise new software to help the government unlock the iPhone of one of the San Bernardino shooters (Apple’s objections to which are the subject of a hearing before Judge Pym tomorrow afternoon), and one from Judge Orenstein in the Eastern District of New York refusing to order Apple to help the government unlock the iPhone of a convicted drug trafficker. Not surprisingly, there are plenty of folks who think one of these two rulings is wrong (either because the government should never be able to obtain such an order, or because the government more than carried its burden in both cases).

We disagree.  In our view, both of these rulings are wrong. Below, we stake out a moderate position on the scope of the All Writs Act—and one that we hope provides a more analytically coherent framework through which to examine not only these cases but also those that have arisen elsewhere and those that are bound to arise in the future. To cut to the chase, our view is that, properly understood, the All Writs Act should be read to authorize the kind of order the government has sought in these cases only when the recipient is compelled to help the government utilize existing vulnerabilities in its software, and not when the order instead directs the recipient to devote its resources to creating material new software vulnerabilities which can then be exploited by the government. That is to say, we propose to have the test focus on the extent to which the underlying vulnerability already exists, as opposed to, say, a categorical ban on orders compelling coding or other specific types of conduct. Applying that logic to the Brooklyn and San Bernardino cases, we conclude that both magistrate judges erred on the question of whether the All Writs Act authorizes such relief. If the All Writs Act should be read to draw the line that we propose, the correct answer is “yes” in the Brooklyn case, and “no” in the San Bernardino case.

Of course, Congress could choose to strike a different balance on this question, and might well do so in the future.  We take no position here on that question.  Nor do we address the authority courts may have to compel assistance from private persons and companies under color of other statutes that specifically contemplate the provision of technical assistance (indeed, we think the Apple cases stand in marked contrast to scenarios like the Lavabit case in the Fourth Circuit, which involved a technical-assistance order under the far-more-specific terms of 18 U.S.C. § 3123(a)(1), part of the PR/TT statute). Until such time as there is legislation expressly addressing the scenario presented by passcodes and encryption, however, the generic language of the All Writs Act will remain the only game in town for disputes like the contretemps between Apple and the FBI.  Our aim is to provide a principled way to apply the All Writs Act in these cases until and unless Congress decides to provide more specific authority.


I.  The Legal Question: “Reasonable Technical Assistance” Under the All Writs Act

Ever since the Supreme Court’s 1977 decision in United States v. New York Telephone Co., the All Writs Act has been understood to authorize a federal court, in conjunction with a validly obtained search warrant, to issue writs to non-parties directing the recipient to provide “reasonable technical assistance” to the government in the execution of the warrant. As Justice White explained in New York Telephone,

“The power conferred by the Act extends, under appropriate circumstances, to persons who, though not parties to the original action or engaged in wrongdoing, are in a position to frustrate the implementation of a court order or the proper administration of justice, and encompasses even those who have not taken any affirmative action to hinder justice.”

Although the test for what constitutes “appropriate circumstances” in this context has varied across jurisdictions, the basic gist includes an assessment of the third-party’s relationship to the underlying case; the burden the requested assistance would impose upon the recipient; and the necessity to the government of receiving the recipient’s assistance.

Most of the difficult cases will look very similar on the first and third of these considerations.  The third-party will have at best an indirect connection to the underlying investigation (as, perhaps, the manufacturer of the hardware/software, but nothing more), and the government will have a strong argument of necessity (where other methods for executing the warrant may be unavailable, and where the potential value of the evidence sought by the warrant, whether in the case at hand or otherwise, is significant). Needless to say, of course, if the third-party has a closer nexus to the underlying criminality, or if the government has less of a claim to necessity (for example, if it could easily obtain the same evidence through other means), the case should be far easier to resolve. Cases like the two we are considering here, however, will instead turn ultimately on the second factor noted above: the degree of burden on the recipient of the assistance order. 

Our belief that the heart of the inquiry should focus on the burden is based on a series of interrelated considerations. For starters, there has to be a stopping point somewhere, and focusing on the burden on the third-party seems to make the most sense to us. After all, it cannot be the case that, under the guise of the All Writs Act, the government can compel a third-party firm to go so far as to dramatically restructure its business simply because the government needs capabilities uniquely possessed by the firm. We’re not saying that’s the case with Apple, but if the burden is not the guiding inquiry under the All Writs Act, that would suggest that the burden can be irrelevant in cases in which the necessity is sufficiently clear.

We also see a couple of distinct analytical advantages to focusing the All Writs Act analysis on the “burden” factor.  First, although we disagree with Apple’s more vocal defenders that the All Writs Act has no salience here (thanks largely to New York Telephone, and the absence of any indication that subsequent legislation meant to overrule that decision), we do agree that such a general remedial statute, which has never been materially altered to account for technological change over time, should be read with some hesitation before it can be used to compel third-parties to judicial proceedings to take actions they otherwise had valid business reasons not to, especially in the context of the advanced technologies at issue in this setting. After all, whatever one thinks of Apple’s constitutional objections, if the All Writs Act could be interpreted as capaciously as the government is arguing, then there would have been no need for more specific legislation in other contexts, like the PR/TT statute, CALEA, and so on. These statutes may not displace the All Writs Act, but they do underscore the need to more narrowly construe the more general authority.

Second, having the validity of All Writs Act orders turn on the burden they would impose on the third-party recipient provides a judicially administrable metric, as it should be relatively easy for the court to develop a clear record with regard to the burden the request would impose upon the recipient from the perspective of resources, short- and long-term costs, degree of interference with the company’s business model, and whatever other considerations might be relevant; the government’s ability (and willingness) to help alleviate those burdens; and potential alternatives. The tricky part, instead, is calibrating the boundaries of the acceptable burden (that is, fleshing out the doctrinal test in further detail). But we don’t think the answer can or should boil down to the direct financial cost of the conduct the government seeks to compel. Rather, we believe courts will have to assess both the quantifiable and unquantifiable impact of the vulnerability that the order compels the recipient to develop, and the extent to which such a capability departs in both degree and kind from existing vulnerabilities in the same product. 

For these reasons, we believe focusing the All Writs Act analysis on the degree of the burden the order would impose upon the recipient in the manner we describe above is the optimal way to address the dispute in these cases, at least until and unless Congress decides to pass more specific legislation, much as it did with regard to the telecommunications industry in the PR/TT statute and CALEA.

II.  The Critical Factual Differences Between the Brooklyn and San Bernardino Cases

Let’s now turn to the facts of the two most-publicized pending cases—where the government has sought orders under the All Writs Act against Apple to help it execute search warrants of one of the San Bernardino shooters’ iPhones (well, the iPhone that his employer owned and assigned to him, anyway), and also the iPhone of a man who pled guilty to serious drug offenses in Brooklyn. (According to Judge Orenstein, there are pending requests from the government for similar relief in over a dozen other current cases.)

Critically, in our view, the software involved in the two cases is materially different. The iPhone at issue in San Bernardino is an iPhone 5C, running iOS 9.x (the specific variation of iOS 9 turns out not to matter here). In contrast, the phone at issue in Brooklyn is an iPhone 5S, running iOS 7.x. As Apple represented at the oral argument in the Brooklyn case, and as is well-known within the tech community, Apple already possesses the capability to circumvent passcode security on any iPhone running iOS 7.x or earlier.  Indeed, it has done so at the government’s request routinely in the past. In contrast, Apple appears not to have an existing tool for bypassing certain security features on iPhones running iOS 8.x or later; that is to say, it might be able to design and create such a tool, but it has not done so up to this point.

If that’s true, then what that means is that the order the government sought in the Brooklyn case—to have Apple help the government unlock an iPhone running iOS 7.x—requires far less from Apple than the order the government received in the San Bernardino case, which instructs Apple to help the government unlock an iPhone running iOS 9.x by, among other things, devising new software that would disable the security feature that automatically deletes stored data after 10 unsuccessful login attempts (and which would then presumably allow a successful “brute-force” attempt to unlock the iPhone). Simply put, the order the government sought in the Brooklyn case only asks Apple to help it take advantage of an existing vulnerability in iOS 7.x. The order in the San Bernardino case asks Apple to create a new vulnerability in iOS 9.x.

III.  Why Both Courts Incorrectly Applied the All Writs Act

Notwithstanding the above analysis, on February 16, Judge Pym issued a three-page order to Apple compelling it to devise such software to help the government unlock the iPhone at issue in the San Bernardino case. Less than two weeks later, Judge Orenstein denied the government’s request for an order to Apple in the Brooklyn case, penning a lengthy opinion in defense of his conclusion.

In a world in which the burden on the third-party recipient is (and should be) the heart of the All Writs Act analysis, both of these rulings are incorrect. The burden Apple faces in the Brooklyn case is modest at best—to simply help the government exploit a vulnerability that, by all accounts, Apple has helped it exploit on dozens of prior occasions. No new software is required; no new vulnerability needs to be created; no significant resources need to be devoted to providing such assistance. To us, at least, if the New York Telephone decision is good law, then this is fairly within the realm of the kind of relief it contemplates.

The burden Apple faces in the San Bernardino case, in contrast, is substantially greater. Not only does Judge Pym’s order require Apple to devote significant personnel and financial resources to the creation of new software that does not currently exist (which the government could certainly help to mitigate), but—and this is critical—once created, considerable effort would have to be expended for an indeterminate (but no doubt substantial) length of time either to protect the tool (if kept) or to destroy and recreate it again and again (as a wave of similar applications inevitably would follow). Failure to incur such burdens would not be an option; the tool would amount to a significant new vulnerability in iOS 9.x were it to escape into the wild, as everyone seems to agree. Moreover, Apple has not only expressly engineered iOS 9.x to not include such a vulnerability, but it did so for reasons that, whatever their motive, are facially lawful (at least until and unless Congress provides to the contrary). Thus, the burden in the San Bernardino case transcends logistics, insofar as the government is asking Apple to effectively defeat one of the central technological and entrepreneurial advancements of the operating system.

As such, if one were to draw the All Writs Act line where we propose—between judicial orders to companies to utilize existing capabilities or software vulnerabilities versus orders to companies to design and create materially new ones—then it seems to us that these are both relatively easy cases cutting in the exact opposite direction from how they’ve been decided so far. The district court in the Brooklyn case should reverse Judge Orenstein and order the relief the government there has sought; and Judge Pym in the San Bernardino case should sustain Apple’s objections to her original order—and reject the government’s application. Such rulings, in our view, would not only mitigate the need for subsequent appellate review in either case, but they would also create a stable line for forward-looking application of the All Writs Act in similar cases, unless and until such time as Congress intervenes with bespoke legislation.

Of course, we don’t deny that the line we propose—between utilization of existing vulnerabilities and compelled creation of materially new vulnerabilities—could prove elusive in at least some cases. Critically for present purposes, though, we don’t believe these two cases pose that problem, and, in any event, that is exactly why we believe the analysis should focus on the burden the government’s requested relief would impose upon the third-party recipient; under our approach, the nub of the dispute would be the creation of a detailed record that would allow a magistrate judge to have as much information as possible before placing the particular request on one side of that line or the other.

In addition, we freely concede that the upshot of our analysis would leave firms generally free to create truly “dark” software and/or hardware, insofar as the All Writs Act is concerned, so long as there is some lawful business purpose for creating such products. This is, in our view, as it should be—not because we are unsympathetic to the “going dark” concern, or to the very real possibility that such products may complicate, if not frustrate, law enforcement and intelligence activities, but because, given the competing interests, that possibility is not one we believe courts should address through the generic language of a general statute. 

*                          *                          *

The above post sets out what, in our view, is the best way to understand what the All Writs Act should (and should not) authorize in this context. Of course, ours is by no means a perfect solution, and Congress may well decide that, in appropriate cases, more (or less) coercive relief should be available as against third-parties like Apple. But absent such legislation, we’re stuck with the laws that are on the books today—laws that, as we’ve explained above, should be read to authorize some, but not all, of what the government has sought.