Apple vs. The FBI: What Does the Law Actually Say?

As Apple and the FBI battle over whether the technology giant should unlock a mass shooter’s iPhones, I explore some of the legal issues at play.

(Author’s Note: This article originally appeared in Inc. in 2016, when the FBI and Apple were engaged in a major legal battle over the FBI’s demand that Apple help it access the contents of the iPhone belonging to the terrorist who murdered 14 people and injured 22 people in San Bernardino the year prior. I am sharing this article now, as Apple and the FBI begin the second major battle of their war over the protection of private citizens’ data. For information about the current January 2020 dispute concerning the unlocking of the alleged Florida Naval Air Station terrorist’s two smartphones, please see the new article, Apple vs FBI Round 2: Apple Refuses To Unlock Phones Belonging To Florida Naval Air Station Shooter.)

Earlier this week (in February of 2016), I explained various reasons why we should all be disturbed by the FBI’s attempt to force Apple to create a vulnerable version of the iPhone operating system in order to assist law enforcement to obtain data from a dead terrorist’s cellphone. I explained the potentially catastrophic damage that obeying a judge’s order to do so could inflict on Apple and other American firms that sell technology products, and I described the Pandora’s box that creating the security vulnerability would open. Many other cybersecurity professionals have expressed similar sentiments.

Regardless of the effect of the order on American businesses and of its potential impact on the freedom of future generations of Americans, however, a judge’s order is a judge’s order. It is not something to be taken lightly. So, if it is to be vacated or overruled, then there has to be support in the law for doing so. Which brings us to the question: On what grounds can Apple demand that the judge’s order be vacated?

In fact, some who took positions opposing my own–and who have argued that Apple should have immediately obeyed the judge’s order–have asked: Didn’t the judge correctly apply the All Writs Act of 1789, which essentially authorizes federal courts and judges to issue any orders they need to issue to fulfill their duties, provided that such orders do not violate other laws or constitutional rights?

For a legal analysis, I asked Fernando Pinguelo, head of the cybersecurity practice at Scarinci Hollenbeck LLC, and Mason A. Barney of Olshan Frome Wolosky LLP, who explained the following:

On February 25, Apple filed its much anticipated response to Magistrate Judge Pym’s February 16 order compelling Apple to create software to assist the government in unlocking an iPhone found in the possession of one of the shooters in the San Bernardino attack. Apple’s response challenges the legal authority relied upon by the government, arguing in part that the judge’s order places an unreasonable burden on the company. Apple also takes the issue a step further by claiming First Amendment protections–i.e., that Apple is protected by freedom of speech rights against any government attempts to compel Apple to create computer code, which it equates to speech. Here is an explanation of the legal arguments:

Judge Pym issued her order pursuant to the All Writs Act and gave Apple the opportunity to argue that compliance with her order would be “unreasonably burdensome.” She did not choose the “unreasonably burdensome” language out of thin air. In United States v. New York Tel. Co., 434 U.S. 159 (1977), the Supreme Court held that the power of federal courts to impose duties on third parties pursuant to the All Writs Act is not without limits–“unreasonable burdens may not be imposed.” Compliance with an order under the All Writs Act should require “minimal effort on the part of the [targeted] Company and no disruption to its operations.”

The All Writs Act provides the courts with a vaguely defined, though necessary, power that is intended to allow judges to issue orders that will assist in exercising their existing statutory jurisdiction. The unreasonable burden factor ensures that courts do not abuse this power.

Apple has chosen to invest substantial time and money building encryption into its iPhone and has been telling its customers–and prospective customers–that the encryption makes those phones impossible for hackers, or prying government eyes, to penetrate. According to Apple’s CEO Tim Cook in his February 16 open letter, Judge Pym’s order will undermine this claim by forcing Apple to create software that circumvents the otherwise impenetrable encryption. For this reason, Apple stated that it would not comply with the order.

The government argued in its motion to compel filed on February 19 that, among other things, the judge’s order did not impose unreasonable burdens because it is limited to a single iPhone. Apple’s assertions regarding its “marketing or general policy concerns are not legally cognizable objections to the order.” Yet the government failed to cite any cases that directly addressed this assertion.

In October 2015, the government made similar arguments to Magistrate Judge Orenstein in a different case in the Eastern District of New York. At that time, the government requested an order under the All Writs Act directing Apple to assist in unlocking an iPhone belonging to a drug dealer. In response, Judge Orenstein raised a number of concerns about this request. With regard to the burden on Apple, he said that the company clearly made a conscious decision to encrypt their iPhones “in such a way that would be resistant to ready law enforcement access” and he could not “assume that forcing it to modify that decision would not impose an unreasonable burden.”

This approach finds support in the case law. For example, in 1991 the Fifth Circuit federal court refused to affirm an order under the All Writs Act that would have required Louisiana sheriffs to make a “substantial, uncompensated change in …existing operations” in state jails. More recently, the Ninth Circuit federal court (of which California federal courts are a part) stated that the All Writs Act would prohibit “a complete disruption of a service [a company] offer[ed] to a customer as part of their business.”

Yesterday, Apple filed its response to Judge Pym’s order. In it, Apple attacked each of the government’s arguments. Apple highlighted how the software that the government requested will be a magnate for hackers who could use it to bypass the encryption on any number of iPhones, and could potentially place every iPhone user at risk. Apple noted that in no other case cited by the government has a company been compelled to write code to bypass its encryption. Apple asserted that “compelling minimal assistance to surveil or apprehend a criminal …, or demanding testimony or production of things that already exist …, is vastly different, and significantly less intrusive, than conscripting a private company to create something entirely new and dangerous.”

Apple then took its burden argument a step further, asserting that the judge’s order violates the First Amendment. Computer code, it argued, is speech within the meaning of the First Amendment. By encoding impenetrable encryption into its iPhones, Apple “announced the value it placed on data security and the privacy of citizens[.]” The government disagrees with this decision. When the government sought an order compelling Apple to write code to bypass the security, the government was asking Apple to change Apple’s decision, and implicitly devalue Apple’s security. This, according to Apple, shows that the government is valuing its own opinion over Apple’s opinion, and that type of “viewpoint discrimination” violates the First Amendment.

Apple makes a compelling argument that the FBI’s attempt to use the courts to force its assistance implicates significant legal issues. These issues show why the All Writs Act is not intended to be used to decide the kind of major policy decisions that are at the heart of Apple’s objections to Judge Pym’s order. For the government’s part, it is merely using the limited tools available to it, namely an ill-defined power, granted to the court by a centuries-old law established during an era in which today’s technologies and information security issues were beyond anyone’s wildest imagination.

For that reason, Congress needs to actively engage in this issue and come up with a more sustainable solution. Until then, courts will remain the sole arbiter of the debate–and they will continue to act under a clearly imperfect set of circumstances.