The Burden of Protecting The Code: US v. Apple Part I
Author:Karli Sager
Date:February 25th, 2016

On Friday, the government filed a motion to compel Apple to comply with an order requiring its assistance in searching Syed Riwan Farook’s iPhone 5C.  Farook and his wife shot and killed 14 people and injured many others at the Inland Regional Center in San Bernardino last December. They later died in a shootout with law enforcement.  

The government wants to retrieve data off of Farook’s iPhone that could be related to the shootings and his relationship to ISIS.  Trouble is the iPhone’s privacy features will auto erase data after 10 failed attempts at entering the correct passcode, which the government obviously does not have. The government wants Apple to provide an update to its iOS 8 system that gets rid of the auto erase function so the government can hack Farook’s iPhone’s password.   

In Tim Cook’s February 16, 2016 “Message to Our Customers” letter, which came out before the government’s motion to compel, Cook defended Apple’s refusal to crack the iOS 8’s security features by stating the government is justifying its ask with “an unprecedented use” of the All Writs Act of 1789.  So just what does a statute promulgated in 1789 have to do with the iPhone encryption today?

The All Writs Act gives a court wide latitude to issue “all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”  In other words, a court has the power to issue writs—or orders—not otherwise covered by law.  Fast forward almost 200 hundred years to 1977, when the Supreme Court in US v. New York Telephone Company said the All Writs Act gives a court the authority to order a third party to “provide nonburdensome technical assistance” to the feds.  In its motion on Friday, the government says this is exactly what it is asking Apple to do—give nonburdensome technical assistance to turn off the security features of Farook’s iPhone.

So what is “nonburdensome technical assistance” in the case of a valid warrant?  In typical fashion, the 1977 Supreme Court gives courts a three-part test to determine whether an order under the All Writs Act flies: (1) the recipient is “not so far removed” from the underlying controversy, (2) the order does not place an “undue burden” on the recipient, and (3) the assistance is necessary to achieve the purpose of the warrant.  For our purposes, you can ignore the first and third parts of this test because the prize is behind door number two.

There lies the factual controversy of an “undue burden.”  Exciting the many Star Wars fans among us, the government position is this: “The simple fact of having to create code that many not now exist in the exact form required does not an undue burden make.”  The code they are asking Apple to build is “discrete” and “limited” and is not a big deal for “a company that writes software code as part of its regular business.” Apple has created many version of its operating system and regularly sends out patches for its systems. Apple has not complained it would be costly or technically difficult to create the software. And, even if it did, the government makes sure to point out in a footnote that it will cover the cost of developing the new code.  

While Apple’s response to the government’s motion is not due until this Friday, Cook’s letter shines a light on a burden potentially shouldered by others—the threat to the privacy and data security of its customers.  In his letter, Cook points to its customer’s privacy and the safety of their data from hackers and criminals and the like.  He writes: “In today’s digital world, the ‘key’ to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it.  Once the information is known or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.”  Cook says that user’s “information needs to be protected from hackers and criminals who want to access it, steal it, and use it without our knowledge or permission.” Yesterday in an email to Apple employees, Cook reiterated that what is at stake “is the data security of hundreds of millions of law-abiding people.”

The government dismisses Cook’s stance on privacy and data security as a global marketing strategy. The burden associated with compliance, it argues, “is measured based on the direct costs of compliance, not on other more general considerations about reputation or the ramifications of compliance.”

The government also takes issue with the security risk for other iPhone users. In arguing that the order would not be a threat to other users of Apple products, it says that Apple can maintain sole custody of the software, destroy it after it is used, and refuse to disseminate it outside of Apple.  The government even gives Apple the option of taking possession of Farook’s iPhone, loading the software on the phone, and then allowing the government to make its passcode attempts through remote access.  

Whether this solution is technically feasible is a subject of debate. A recent TechCrunch article discusses the feasibility of creating customized version of iOS to only work on the specific recovered iPhone without sharing the key with the FBI, with no clear technical answer.  

Assuming it could be done, and the government wasn’t the weak link in protecting the key, what is the cost to Apple of protecting the code?  As recounted in Cory Doctorow’s book, Information Doesn’t Want to Be Free, once Muslix64 broke the locks on a software-based HD-DVD player, there was no stopping the widespread distribution of the key.  As of July 2014, there were 518,000 web pages containing the secret key discovered by Muslix64. The point is that, once digital locks are out there, they are hard to keep secret.  Maybe Apple, even with its renowned ability to keep a secret, knows a little more about how hard it is to keep a key locked down and the government too little.