The tech industry has for months been jousting with federal law enforcement over the government's right to ask tech companies for a "back door" to access encrypted data on consumer devices. But the heated public face off between Apple and the FBI over access to San Bernardino shooter Syed Farook’s iPhone may be the flashpoint that brings the whole thing to a dramatic conclusion.
A federal district court in California last Tuesday ordered Apple to help the FBI unlock and decrypt data on the iPhone 5c owned by Syed Rizwan Farook, one of two people who opened fire on a government office in San Bernardino, California, on December 2.
That this sensitive matter is being debated under the media's bright lights is no accident.
Cases like this are usually held under seal in national security courts like the FISA (Foreign Intelligence Surveillance Act) courts, so the public never knows about the proceedings and outcomes, points out Peter Y. Fu, an attorney in the cyber risk management group at Cooper Levenson in Atlantic City, New Jersey.
But the court in which the FBI won its order is a public court — a federal district court in the Central District of California. Some of the records in the case remain under seal, but the order regarding Apple is public record, as are the briefs and motions that came afterward. So the media, as it does around everything involving Apple, has swarmed over every detail. The court order has dominated headlines in the last week.
In sealed cases, the attorneys on both sides are afforded the chance to hash out an agreement in private. Had the current case been kept under seal, Apple may have been more willing to create a one-time hardware or software key to unlock Farook's iPhone. The knowledge that such a key existed would never have been made public, could never have been known to cyber thieves and other bad actors. It's also possible that Apple rejected that request weeks ago, and only then did the FBI seek an order in a public court.
Either way, the FBI's choice of court was a surprise. "They went nuclear pretty quickly," Fu said.
This forced Apple to respond in a very public way, hence Apple CEO Tim Cook's open letter defying the court order last week.
The FBI may also have filed in public court because it wanted to bring the government's encryption standoff with tech companies to a head, say legal experts.
The bureau, Fu says, may have been confident that the media coverage, and the public response, would focus on the idea that "Apple is helping the terrorists" by not doing all it can to help access the data on Farook's iPhone.
The FBI may not have counted on the outpouring of support in most of the media (and all of the tech community) for Apple's cause.
The public venue is probably explained by law enforcement's desire to get a law passed in Congress requiring tech companies to comply with aggressive decryption requests.
"It’s a clear indication that the government wanted to sway public opinion and make a public precedent of a case they could have done in secret," said Electronic Frontier Foundation staff attorney Andrew Crocker. "What they’re setting up is, if they win they get the precedent and, even if they lose they can use the story anecdotally to take to Congress or to sway public opinion."
Apple is resisting the district court order because it would be forced to create a hardware key ("master key") or a software key ("skeleton key") to break into Farook's iPhone.
A software key involves uploading a new piece of firmware in a SIF file to the device’s OS, which would disable some of the phone’s security features. A hardware key would mean replacing the RAM module in the phone, also with the effect of disabling security features in iOS 8, explains Cooper Levenson’s Fu.
Whether or not such a key can be protected from leaking to bad actors is one question. But Apple believes that the very idea that such a key could be built might prompt cyber thieves or political eavesdroppers to re-engineer the key.
"It’s like telling the world there is a way to do it," Fu said. And bad guys would be listening carefully. "Now they know there is this vector of attack."
This in itself could damage consumer confidence in the data they keep on their iPhones, which could hurt the sales of iPhones and other Apple products around the world.
"It’s not a privacy issue; it’s a business issue," Fu said. "The issue is that the government is asking Apple—and will certainly ask other tech companies—to create things that totally undermine consumer trust."
Fu says that’s why so many other tech companies, like Facebook and Google, are lining up behind Apple—if Apple loses the government will come asking them for custom keys too.
The district court order signed by Judge Pym represents the first time law enforcement has attempted in a public court to compel a private tech company to create software to hack into one of the tech company's devices. It's unprecedented.
The EFF's Crocker says the only case that comes close is one from 2003 in which the government asked an unnamed company (strongly believed to be OnStar) to modify its in-car information system to be able to eavesdrop on conversations inside the vehicle.
In "The Company vs. The United States" the company argued that modifying its product in such a way would render the device inoperable. So the Court of Appeals in the Ninth District agreed with the company that compliance would be "unreasonably burdensome."
The key that the FBI is asking Apple to make would not break all iPhones, but it could damage Apple’s business by eroding the trust of its customers. Apple is being asked—in a very public forum—to bring into existence a key that could potentially open millions of iPhones.
"When my clients get served with a FISA order or an outright subpoena from the FBI or a law enforcement agency, they are generally not overly cumbersome or unreasonably burdensome," Cooper Levenson’s Fu said. "And at the end of the day, law enforcement will usually carry the day and get what they’re asking for."
"The reason this case in particular is so unique is that the court is asking Apple to create a back door mechanism that circumvents their entire business model," Fu said. "It’s like asking an automaker to provide a master key to every automobile they’ve ever made."
Now that the case is public, Apple is very unlikely to back down and comply with the District Court of the Central District of California’s order, signed by Judge Sheri Pym.
Apple has until February 26 to file an application with the court saying compliance would be "unreasonably burdensome." (If it neither files nor complies with the order, the FBI attorneys could ask the court to hold Apple in contempt.)
Apple will very likely file its "unreasonably burdensome" application to the court this week. The company will also make a broader policy argument in the filing that assisting the FBI in this way would set a dangerous precedent going forward, says Crocker.
The Central District Court in Riverside will hear the case again on March 22. Crocker explains that the court order that came down last Tuesday was "preliminary" and meant to elicit a response from Apple, and that the real order will come after the March 22 hearing.
While Judge Pym is the magistrate who reviewed the government's case and signed the order, she hasn’t officially been assigned the case, a court official said. She will, however, be the presiding judge when the case is reviewed again March 22.
If either the FBI or Apple is unhappy with the judge’s final decision on the order (almost a certainty), the case will be transferred to another district court judge, also in the Central District’s Western Division.
For example, if the judge for some reason agrees that compliance would be unnecessarily burdensome for Apple, the FBI’s attorneys would almost certainly ask that the case be transferred to the other district court.
It’s far more likely that the judge will reject Apple's claim on the grounds that Apple is in the business of making software, so creating the firmware to break into one iPhone wouldn't be that much trouble. In that case, Apple will ask that the case be assigned to another district court judge.
If that other district court judge agrees with Pym’s original order, Apple could then appeal the case to the Ninth District Court of Appeals. So could the FBI if the new district court judge sides with Apple.
The same general rule applies in the Court of Appeals. The case would first be heard by a three-judge panel. If either side was unhappy with the result, the case would become an "en banc" issue, and the full court would then hear the arguments.
Another unhappy result for either side in the Court of Appeals would leave only one other court to hear the case—the U.S. Supreme Court. And, as Fu and Crocker point out, the High Court chooses to "grant cert" to (accept) very few cases out of the hundreds it considers each year.
However, there’s reason to believe that if Congress doesn’t intervene during the long process of moving through the courts, the Apple v. United States case has a reasonably good chance of being heard by the high court. It would, after all, bring to a dramatic head a fight that’s been brewing between law enforcement and the tech industry for a long time.
The question is whether or not such a heated public battle can produce a set of rules that balance the government's need to fight terror with the tech companies' need to protect consumer privacy.