Apple's latest legal filing: 'The Founders would be appalled'

In its last brief to Judge Pym before the first hearing on March 22, Apple makes its case for encryption.

Apple managed to keep its cool on Tuesday when replying to the government’s last, rather incendiary, briefing. In its reply to Judge Pym, Apple laid out its legal arguments for refusing to comply with the FBI’s request for assistance in breaking into the iPhone 5c of San Bernardino shooter Syed Rizwan Farook.

Apple also vigorously defended itself against the government’s claims that the company made iOS more secure in a deliberate attempt to thwart law enforcement, or as a marketing decision, even submitting supplemental declarations from Craig Federighi and a senior director of worldwide advertising. It’ll be interesting to see what issues are emphasized at the hearing, because right now it doesn’t seem like Apple and the Department of Justice see eye to eye on, well, pretty much anything.

Here’s a summary of Apple’s brief, which will be its last word before the first hearing, scheduled for March 22 at 1pm PST.

The All Writs Act is inappropriate

The court’s order for Apple to create a new version of iOS that would be easier for the FBI to crack was issued under the All Writs Act, a law first passed in the late 18th century. This act allows courts to issue warrants that aren’t authorized by more specific laws. But in this case, Apple argues, there is a more specific law called CALEA that can’t be stretched to fit the government’s request. Apple also argues that Congress had a chance to pass even more specific legislation, but declined to act.

Basically, Apple says the government is trying to use the All Writs Act to authorize anything the government wants that isn’t aleady on the books as being illegal.

The government attempts to rewrite history by portraying the [All Writs] Act as an all-powerful magic wand rather than the limited procedural tool that it is.… According to the government, short of kidnapping or breaking an express law, the courts can order private parties to do virtually anything the Justice Department and FBI can dream up. The Founders would be appalled.

Nobody but the FBI thinks this is a good idea

While Apple’s brief focuses on the law, it doesn’t ignore the broader context of the encryption debate. This is bigger than the FBI and Apple disagreeing about if and how to break into Farook’s iPhone, in other words, and even top officials that used to work for the government can see the risk.

“Indeed, the Justice Department and FBI are asking this Court to adopt their position even though numerous current and former national security and intelligence officials flatly disagree with them,” reads Apple’s filing. It goes on to quote several from the community, including former NSA and CIA Director Michael Hayden, who said, “America is more secure—America is more safe—with unbreakable end-to-end encryption.”

The filing also points out that if Apple is forced to weaken its own encryption, real criminals will just seek out other encryption tools. It quotes FBI Director James Comey, who said at a recent Congressional hearing, “Encryption will always be available to bad actors.” At the same hearing, the filing notes, Professor Susan Landau agreed that the order “would weaken us but not change [the availability of strong encryption] for the bad guys.”

Apple also rejects the government’s insistence that this GovtOS could be made, tested, used once, and destroyed without ever getting out. The filing quotes cybersecurity experts both in and out of the government as saying that simply isn’t true, that hackers are always looking to exploit these kinds of weaknesses. One footnote even cites the Mac ransomware attack from just last week, in which malicous software was even cryptographically signed to trick Macs into thinking it was legit.

There’s no limiting principle

Good laws come with limits. In its earlier motion to dismiss the court order, Apple complained that the All Writs Act, since it’s designed to fill in the gaps between statutes, doesn’t have that limiting principle. So if the government is allowed to use the All Writs Act to compel Apple to write a new, crackable version of iOS, this could be precedent for even more alarming scenarios. A drug company be compelled to make lethal injection drugs against its wishes, for example, or Apple could be compelled to make a version of iOS that would allow the government to track a single phone’s location or use it to eavesdrop. If the All Writs Act really is a magic wand, let’s see what it can do, right?

In this new filing, Apple notes that in the DOJ’s last brief, it didn’t touch Apple’s hypotheticals with a 10-foot legal pole. “Indeed, it is telling that the government fails even to confront the hypotheticals posed to it (e.g. compelling a pharmaceutical company to manufacture lethal injection drugs), or explain how there is any conceivable daylight between GovtOS today, and LocationTrackingOS or EavesdropOS tomorrow.”

(In fact, that isn’t purely hypothetical—one of Apple’s footnotes cites a Texas case in which courts wouldn’t allow the government to hack a vehicle’s OnStar system to take photos and report its location. “The government is adept at devising new surveillance techniques,” Apple notes dryly, with so leave us out of it, please left unsaid.)

The All Writs Act can’t circumvent CALEA

CALEA, or the Communication Assistance for Law Enforcement Act, was passed in 1994 to require telecom carriers to assist the government with some wiretapping and surveillance. Since then, it’s been expanded to cover Internet and VoIP traffic as well. Apple’s brief reads:

CALEA defines the circumstances under which private companies must create systems to assist law enforcement in its investigatory efforts, as well as the circumstances where such providers are not and cannot be required to build programs and systems to enable law enforcement access.

In other words, CALEA has limiting principles. That’s good since those limits came from Congress, and they give the lawyers a framework for their arguments.

CALEA has specific language about encryption: Telecom carriers “shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communications encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.” Apple says that Farook chose to encrypt the phone by setting a passcode, and that Apple doesn’t possess the information necesary to decrypt it—that’s what the government is asking for.

To put a finer point on it, since the phone in question was provided by his employer, it’s very likely that his employer required him to use a passcode—which his employer could have easily reset at any time by using even the most basic of multi-device managment practices.

And to put an even finer point on it, while Apple is a “communications company” under CALEA, it is not legally considered a “telecommunications carrier,” and so the language about carriers not being responsible for decrypting doesn’t apply to Apple. So, the filing argues, “If companies subject to CALEA’s obligations cannot be required to bear this burden, Congress surely did not intend to allow parties specifically exempted by CALEA (such as Apple) to be subjected to it.”

In fact, when CALEA was passed, this very question came up in the debate. From Apple’s filing:

During congressional hearings on CALEA, then-FBI director Louis Freeh assured Senator Leahy that CALEA would not impede the growth of new technologies. When Senator Leahy asked whether CALEA would inhibit the growth of encryption, he responded, “this legislation does not ask [companies] to decrypt. It just tells them to give us the bits as they have them. If they are [en]crypted, that is my problem.”

What’s next?

Now Judge Pym has some time to read and consider all of these filings before the scheduled March 22 hearing in Riverside, California. We’ll be keeping a close eye on this, but we want to know what you think. Has Apple made a compelling case to dismiss the order? Let us know in the comments.

Join the CSO newsletter!

Error: Please check your email address.

Tags Apple

More about AppleApple.Department of JusticeDOJFBIMacsNSAOnStarVoIP

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Susie Ochs

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts