Lighting the Way for the Next “Going Dark” Encryption Battle
By: Daniel de Zayas
“[Encryption] takes us to a place—absolute privacy—that we have not been to before, where the balance we have long struck is fundamentally challenged and changed.” – James B. Comey
It is no secret: Encryption has fueled tensions between the private sector and government. In the wake of the Snowden revelations, companies like Apple and Facebook prioritized their adoption of encryption to enhance user privacy and security, consequently sealing off valuable information and evidence from law enforcement. Coining this dilemma “Going Dark,” the government has turned to the courts to compel technology companies to decrypt their products, sparking heated litigation with the future of data privacy and security at stake. Most notably, after the 2015 San Bernardino attack, the world carefully watched as Apple and the Federal Bureau of Investigation (FBI) sparred over whether the FBI could compel Apple to circumvent an iPhone’s encryption safeguards—a question the court never definitively answered because the FBI successfully accessed the iPhone. Now, however, all eyes must recognize Apple and Facebook’s technical developments and policy shifts setting the stage for the next major litigation to determine the extent of the government’s authority to compel technical assistance. This article will review these technical developments and policy shifts, briefly assessing their impacts from the perspectives of the technology industry and law enforcement, and will advocate that courts must consider additional facts when determining whether “appropriate circumstances” exist to compel technical assistance.
In March 2016, in Apple v. FBI, the U.S. District Court for the Central District of California abruptly vacated its compelled technical assistance order against Apple after the FBI gained access to the encrypted iPhone. Although reports substantiate that the FBI paid hackers to exploit a software vulnerability to circumvent the iPhone’s security measures, other reports indicate that Cellebrite, an Israel-based data extraction company, accessed the phone by using the iPhone’s Lightning port to connect the iPhone to a device that successfully unlocked the phone (the FBI refuses to disclose how it accessed the iPhone). Regardless of the final means employed, a subsequent Department of Justice Office of Inspector General report revealed that the FBI did not fully determine whether it actually lacked the technical ability to unlock the iPhone before turning to the courts, prompting intense scrutiny that the FBI exploited the San Bernardino attack “to establish a powerful legal precedent.”
Two years after the FBI accessed the iPhone, Apple released USB Restricted Mode, a default security protection that prevents data connection with an Apple device via the Lightning port unless the device is unlocked. While Apple denotes the security measure as an attempt to safeguard user data from criminals, law enforcement officials have described the feature as an impediment and even proposed that it may create exigent circumstances justifying warrantless searches of Apple devices before they lock. Although experts have already discovered ways to circumvent USB Restricted Mode protections, the technical development exemplifies the cat-and-mouse battle between industry and government.
Facebook CEO Mark Zuckerberg concedes that Facebook does not have “a strong reputation for building privacy protective services.” However, on March 6, 2019, Zuckerberg announced a new vision for Facebook privacy practices—a vision focused on the widespread adoption of end-to-end encryption for “all private communications” (e.g., messages and calls). Like the encryption used by Apple, Facebook’s encryption would prevent even Facebook from seeing communications content. While Facebook is developing means to “identify and stop bad actors across [Facebook, Instagram, and WhatsApp],” some have described Facebook’s new vision as likely to both stifle law enforcement and intelligence agencies and hinder the detection and removal of violative content, such as videos of the New Zealand Christchurch mosque attack.
One may be surprised to learn that a federal statute enacted in 1789—the All Writs Act—authorizes the government to seek to compel technology companies to circumvent their encryption safeguards. The All Writs Act authorizes U.S. federal courts to issue “all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” In 1977, in United States v. New York Telephone Company, the Supreme Court interpreted the Act as authorizing federal courts to, “under appropriate circumstances,” issue orders compelling non-parties to provide reasonable technical assistance to aid the government in executing a search warrant. In determining whether appropriate circumstances exist to justify the issuance of an order compelling technical assistance, courts evaluate the non-party’s nexus to the case, the necessity of the technical assistance, and the burden that the sought-after assistance would impose upon the non-party.
Looking to the Future
With companies fortifying their commitments to user privacy, a momentous case resembling Apple v. FBI is increasingly inevitable. Absent legislation that refines the All Writs Act or the scope of compelled technical assistance, courts must consider additional facts when evaluating the necessity of, and burden imposed by, the sought-after technical assistance. First, courts must closely scrutinize government efforts to circumvent encryption and to access the sought-after data. While the government need not exhaust all means, the court must discern good faith efforts, on one hand, from strategic abstaining calculated “to establish a powerful legal precedent,” on the other. Second, in evaluating the burden imposed on the non-party—in this case, technology companies—the court must weigh the companies’ business interests, specifically maintaining customer trust. Maintaining customer trust is integral to progress in data privacy and security; progress that should be fostered, not flouted, as the world increasingly adopts technology. While a court may be hesitant to hold a company’s privacy promises to its customers as an affirmative defense to providing technical assistance, a court must evaluate both the quantifiable and non-quantifiable value of these commitments.