Anyone who wants to stick up for Apple in its legal dispute with the Federal Bureau of Investigation has until Thursday evening to file an amicus brief. The government wants Apple to write code that would help unlock an iPhone used by an alleged terrorist. Opponents of this push by the government have adopted the shorthand "GovtOS" to refer to the code, and the briefs rolling into the U.S. District Court for the Central District of California from Apple's allies give a wide-ranging look at the worst-case scenarios that could follow. Here’s a look at the basic arguments being made in the briefs, with updates coming to this story throughout the day, as new filings arrive.
If the Court Grants This Request, What’s Next?
A group of prominent security experts, including Bruce Shneier and Jonathan Zdziarski, argue against the use of the All Writs Act to compel Apple to help unlock its phone because that would inspire the government to make ever-wider requests in the future:
There is nothing in the All Writs Act or the Court’s Order that would put off-limits software “updates” that turn on a smart TV’s microphone for eavesdropping purposes, or activate a laptop camera for video surveillance. These other bypasses will pose their own, potentially even worse, privacy, cybersecurity, and personal safety risks to the public. As risky as the Court’s Order in this case is, the precedent it would set poses even greater danger.
The security experts also question whether public acknowledgment that the government can require companies to create technology to undermine security measures will ruin the trust between those companies and users. If users become suspicious of the software updates companies make and opt to turn them off, they will open themselves up to other kinds of security threats.
Apple Will Lose Control of This Code
Apple and its allies argue that once the company creates computer code, it is unlikely to go away. In their brief, the security experts stress how valuable this code will be to governments, and they predict that either the U.S. or a foreign government will eventually force Apple to hand over the code for circumventing the password limit. None of these governments can be trusted with it.
For example, if the Russian government compelled Apple to hand over the Custom Code, it could end up being sold by a corrupt agent to a Russian identity-theft ring. Even without selling it, corrupt officials could also use the code for their own agendas, such as to target political or personal enemies who had broken no law. Journalists, human-rights advocates, religious and sexual minorities, and others in those countries are at much greater risk if software that can bypass passcode limitations exists.
Even if Apple Can Comply, Other Companies Would Struggle
Apple said in a court filing last week that it would take 10 of its engineers up to a month to build what the FBI is asking for. That’s doable for multibillion-dollar companies, but not every technology company has those resources. ACT: the App Association, a trade association for app developers, argues that its members would be hard-pressed to fulfill similar demands if the court sets a precedent allowing the FBI to make them in the future.
In a separate brief, advocacy groups Access Now and the Wickr Foundation say a logical consequence would be for companies not to build security strong enough to require extraordinary action to overcome:
If Apple is forced to develop GovtOS, there is not reason why other technology companies would not be compelled by the courts to impair their security features in various ways, as well. And other companies — particularly smaller and newer ones — may decide that the benefits of building robust security into their products do not outweigh the costs associated with later being required by the courts to enfeeble those efforts, which will incentivize them to create less secure products in the first place.
The FBI Could Get What It Wants—and Realize How Bad That Is
Companies that realize they're going to be compelled by court orders to break into their own products are going to change their practices, according to a brief from a handful of tech trade groups including the Software Alliance and the Computer Technology Association. "Companies will then face a choice: continue to be burdened by such government demands, and design products in a manner than such demands can be more easily satisfied; or configure new versions of their operating systems to make development of such software 'tools' impossible," they wrote, citing press reports that Apple is already headed down the latter path.
The Center for Democracy and Technology lays out a slightly different scenario, in which the assumption that American companies are playing along costs them customers:
People may turn to foreign products that are seen as more secure and less vulnerable to hacking mandated by American law enforcement officers. Former CIA director and NSA head Michael V. Hayden has expressed concern about this exact problem, which he called "the worst of all worlds: there will be unbreakable encryption -- it just won't be made by American firms."
Encryption Is a Right That the U.S. Shouldn’t Take Away
In a report last year, David Kaye, the United Nations Special Rapporteur on the protection of promotion of the freedom of option and expression presented a report describing encryption and anonymity as “a zone of privacy to protection opinion and belief.” Kaye argued that there are other ways to conduct investigations and that the FBI hasn’t proven that it really needs Apple’s help in this case to attack the security of the iPhone.
Weakening encryption undermines other commitments the U.S. has made, an argument made by Access Now and the Wickr Foundation:
GovtOS would undermine internationally protected human rights such as privacy and freedom of expression, but the United Staes government and Apple are obligated to uphold those rights. Thus, international human rights law weighs against forcing Apple to create GovtOs.
Shouldn't Congress Be Doing This?
If some antidote to strong encryption is needed to pursue law enforcement goals, then it should be created with a new law, not by dredging up the centuries-old All Writs Act, according to a brief filed jointly by a handful of tech companies including eBay Inc., Kickstarter, LinkedIn Corp., Reddit Inc., Square, and Twitter Inc. Using the courts is particularly inappropriate given that Congress hasn't included companies like Apple in the requirements that telecommunications companies make their networks compatible with wiretaps under the Communications Assistance for Law Enforcement Act, or CALEA. "The government does not contend that Apple has any obligation under CALEA to redesign its operating system," the companies wrote. "Indeed, it has not sought the remedies available under the statute, such as an order for non-compliance. Instead it asks this Court to do exactly what Congress refused to do."
AT&T, which is subject to CALEA, agrees, and suggests that the law should be re-examined:
Personal data are largely controlled by device, search, operating system, application, and social media companies that barely existed when CALEA was passed.
These developments demand a new legislative solution that strikes a fair balance between privacy and law enforcement, accounts for current technology, applies equally to all holders of personal information, and sets appropriate limits on what government officials may compel companies to do.