Apple and the federal government continue to battle over whether the FBI can force Apple to unlock the iPhones of suspected criminals and terrorists. These battles are occurring in the media, in the courts, and even before Congress. Ultimately, the right resolution to these battles may be for Congress to give courts the power to allow unlocking, but only in very specific cases, and only if Congress is certain that all of our phone data won’t be at real risk. I am not yet sure how to assess Apple CEO Tim Cook’s concern that the FBI’s requests to access individual phones will compromise all of our cell phones. Until Congress has a better handle on that technological issue, it should resist taking any action. This is a tough issue, and all decisionmakers should proceed with caution.
A recent New York federal court ruling rightly held that the FBI cannot use the All Writs Act to force Apple to bypass the password lockscreen on a drug dealer’s iPhone. This order does not set precedent for other judges – because magistrate judges do not create precedent. However, the ruling is being appealed to higher courts. Further, Judge Orenstein’s ruling may influence Judge Pym, presiding over the pending California case involving terrorist Syed Farook’s newer, more secure iPhone. In that case, the FBI is asking Apple to create software to circumvent password protection and encryption that would require far more intrusive technology than in the New York case.
I agree with Judge Orenstein (and the amicus briefs in the Farook case) that these battles between the FBI and Apple are best fought in Congress, not by courts on a case by case basis using the generic All Writs Act, given the scope of how individual court orders may compromise everyone’s privacy. I hope Judge Pym also agrees. Judge Pym should follow Judge Orenstein’s lead in holding that the All Writs Act cannot authorize the burdensome requirements on Apple asked for by the FBI, especially because, as Judge Orenstein noted, Congress declined to require information-services providers like Apple to decrypt telecommunications data for law enforcement when it passed CALEA– the Communications Assistance for Law Enforcement Act. If Congress wants to revisit how much companies like Apple should assist the FBI deal with a problem that, admittedly, Apple created by continually improving its important encryption technology, Congress can do so.
However, resolving the issue in Congress also has its perils, because Congress may attempt to implement an expansive solution such as requiring companies like Apple to create easy ways for the government to access all of our phones, given a warrant. A mandate of this nature would be so risky, and is too blunt an instrument, given that the balance of privacy and security in encryption cases would benefit, in many ways, from case by case balancing to determine when security is so important that it outweighs the privacy risks involved in a particular case.
I therefore don’t think it would be wise (and in fact could be disastrous) for Congress to create some generalizable rule giving the government master-key access to all of our encrypted data. If anything, Congress could provide authorization under some specific analogue to the All Writs Act, allowing the FBI to seek court orders asking for unlocking technology in particular cases, but only if the FBI can meet particular burdens – such as necessity, due diligence on the part of the FBI, and the lack of manipulability of the code in a way that would compromise all of our phones. But whether Congress should legislate in this way, and how Congress should decide the balance between privacy and security, depends on answers to important questions we don’t currently fully understand, because both the FBI and Apple both have motives that go beyond public welfare.
Apple’s and the government’s motives may be obscuring Congress’s and the courts’ ability to strike the right balance between privacy and security. The government seems single-mindedly fixated on crime prevention and punishment. The government’s statements, including the statements of U.S. Attorney Loretta Lynch, are quite dismissive of whether forcing Apple to design technology to unlock Farook’s phone could, if placed in the wrong hands, compromise the encryption and password-protecting technology in all of our iPhones. The government appears to believe that code targeted to unlocking Farook’s phone wouldn’t be exploited by hackers to crack the password in other devices (although the government cannot ignore the slippery-slope issue that it currently has over 100 phones of suspected criminals in its possession that it would also like to unlock, but that is a separate concern from the privacy of the general public).
The extent to which Apple’s designing computer code that specifically targets Farook’s phone would compromise all of our phones is unclear. Apple contends that it cannot guarantee that technology built to unlock a particular criminal’s phone wouldn’t be manipulated and converted into a master key that would weaken all of our phone security. But Apple’s concerns about its business model and reputational costs may be clouding (no pun intended) its position on these issues. Before Congress can determine the balance between privacy and security, it needs a comprehensive understanding of the extent to which compliance with court orders in limited cases, such as mass homicides, would undermine all of our privacy and security.