Using the All Writs Act to force decryption of smartphones is the next stage of the crypto wars.
Photo: Kārlis Dambrāns/Flickr
Law enforcement have asked a magistrate judge in the Eastern District of New York to compel Apple, Inc. to unlock (and possibly decrypt) an iPhone. In response, Magistrate Judge James Orenstein has asked Apple to brief the court on "whether the assistance the government seeks is technically feasible and if, so, whether compliance with the proposed order would be unduly burdensome."
The Washington Post reports that the law enforcement officials have stated that the iPhone in question runs on an older operating system that "Apple can unlock,"—so presumably, one that is pre-iOS 8. In 2014, Apple extended encryption to text messages and other forms of data on their smartphones, announcing that for all devices running iOS 8 or later, Apple would not perform "data extractions" in response to search warrants, because they would not have the technical capability to bypass user encryption. The move ignited a debate around whether or not Apple should have to build a backdoor to accommodate government requests for decryption.
Although the smartphone in this case doesn't run iOS 8, it doesn't mean that the information at stake isn't encrypted, says Matthew D. Green, a cryptography expert and a professor at Johns Hopkins. "My understanding is that the data encryption before and after iOS 8 is roughly similar," he told me in an email. The main difference between iOS 8 and previous versions is actually the quantity of data that is encrypted. He added the caveat that, "This may not apply to very ancient versions of iOS, but I don't think we're talking about that here."
The rest of the docket is still under seal but Orenstein unsealed this specific portion of the docket, drawing attention to his somewhat unusual refusal to simply grant the application. This likely has to do with the authority under which law enforcement is making the request—the All Writs Act of 1789, which "is a residual source of authority to issue writs [court orders] that are not otherwise covered by statute." It is what Andrew Crocker, a staff attorney at the Electronic Frontier Foundation, calls "a gap-filling statute"—an all-purpose tool that empowers federal courts to get on with a host of miscellaneous insignificant matters without the drama of having to wait for Congress to pass a separate statute.
In 2014, federal courts in California and New York issued orders to compel smartphone manufacturers (including Apple) to aid law enforcement under the All Writs Act. One of the phones in those cases was an iPhone 5s.
If the All Writs Act seems like a ridiculous hack that renders the entire complicated system of warrants, subpoenas, and other kinds of court orders for various searches and seizures invalid—don't worry, it's not and it doesn't. The government can't go to court and mumble "All Writs Act" to get whatever it wants. The Supreme Court has said, "Where a statute specifically addresses the particular issue at hand, it is that authority, and not the All Writs Act that is controlling." On top of that, the All Writs Act can't be used if the order would be too burdensome.
The big question here is whether compelled decryption of a smartphone is too burdensome under the All Writs Act. In one of the 2014 All Writs Act cases, a magistrate judge in Oakland, California, specifically stated that "Apple is not required to attempt to decrypt, or otherwise enable law enforcement's attempts to access any encrypted data."
The use of the All Writs Act is the new frontier of the crypto wars, even as the government withdraws on other fronts. The Washington Post has framed Orenstein's order as the magistrate judge seeking to open up the debate, but it seems more likely that this, along with other cases, is the government probing to see how useful the All Writs Act could be for them. It's the government's test case, not Orenstein's.
"It's weird that the government would not just use its own forensic tools"
The thing is that government has far easier ways of getting encrypted information. As Andy Greenberg at WIRED points out, the government can get a warrant for an iCloud backup, a backup on a laptop or desktop computer, use a suspect's fingerprint to unlock a device, use Siri to bypass the lockscreen for certain types of information, or even use a number of hacks to get past the lock.
For an iPhone—even one running iOS 8 or later—Apple can certainly bypass the lock. It just can't decrypt any data. Since previous versions of the iPhone don't encrypt large portions of its data, bypassing the lock screen is often enough. Green told me, "My understanding is that in pre-8 versions they could simply override the lock screen (using a custom firmware image) and thus could access a great deal of data that was not encrypted under the password."
But when it comes to bypassing a lock screen, the government doesn't necessarily need Apple's help. "It's weird that the government would not just use its own forensic tools," said Crocker.
Since the rest of the docket is under seal, we don't know the facts of this case, and we don't know whether the government is requesting forced decryption. But it seems more likely than not that Apple's compliance isn't what's going to make or break the case—or even that it's what's going to stop the government from breaking into this iPhone.
The government is using this case to test the waters, and unfortunately for them, they landed a magistrate judge known for his role in the "magistrates' revolt"—a quiet movement across the country where magistrate judges began to refuse or demand more rigorous standards for what had hitherto been routine government requests for data.
In one notable 2005 opinion also touching on the All Writs Act (though not with respect to the matter of encryption), Magistrate Judge Orenstein issued a blistering rebuke to the government, saying that the interpretation of the All Writs Act they requested "invites an exercise of judicial activism that is breathtaking in its scope and fundamentally inconsistent with my understanding of the extent of my authority."
Orenstein's unsealed order in this case cites not only Supreme Court precedent, but also quotes and references statements by legislators, Congressional committee hearings with law enforcement, briefings with the FBI, and the wider history of the crypto wars beginning with CALEA in 1991. Orenstein clearly sees this request under the All Writs Act—in some ways, unremarkable and not unprecedented—as part of a larger national debate. By publicly asking Apple to brief the court on whether the government's request is even feasible or not burdensome, he's inviting that debate into his courtroom.