Legal experts at the NATO Cooperative Cyber Defence Centre of Excellence look at the recent case of the FBI asking Apple to disable the feature that wipes the data on an encrypted iPhone. In doing so, the brute-force protection of the phone would need to be overridden and a back door created.
This would inevitably influence other similar cases, and the software would work on any phone of the same type. In balancing privacy and security, a 2013 report has strongly recommended that states not interfere with the use of encryption.
NATO CCD COE Legal Researcher Tomáš Minárik: Massive Effect on Those Providing High-Level Cyber Security
“Sometime in the beginning of February 2016, the FBI asked Apple to disable the feature that wipes the data on an encrypted iPhone 5C with iOS 9.0 after 10 incorrect tries at entering the password. The phone belonged to one of the San Bernardino shooters, Syed Rizwan Farook, and the FBI claims that the information on the phone may be important for the investigation. Apple refused to comply. On 16 February 2016, Sheri Pym, a magistrate judge from Riverside, California, signed an order for Apple to comply with the FBI request. Apple refused again, and a legal battle will ensue.
In short, the FBI is asking Apple to help enable it to brute-force the encryption which is designed to be unbreakable by Apple itself. According to the Guardian, as the U.S. law is based on precedent, the result of this case can influence the way encryption is treated in the U.S., which may have a massive effect on technology companies trying to provide high-level cyber security to their customers. Even Google's CEO supported Apple in its defiance of the government.
According to Leonid Bershidsky, a columnist, Apple is being asked to help the FBI by providing a specially developed version of iOS capable of disabling the protection; it is not asked to decrypt the phone itself. If Farook were using an Android phone instead of an iPhone, the FBI could already be working on its own version of the Android OS to enable the brute-force attack, because Android is open-source, as opposed to iOS.
In a similar case from October 2015, Apple argued that an FBI demand for decrypting an iOS 8.0 device is unreasonably burdensome, if not impossible to comply with, and may lead to reputational harm to its brand. The impossibility is not invoked now. As explained by Peter Bright, all the FBI really needs is Apple digitally signing a piece of firmware, possibly developed by the FBI itself, to make it run on Farook’s iPhone to disable the protection.”
NATO CCD COE Legal Researcher Lorena Trinberg: Human Rights and the Application of 18th Century Non-Specific Law Concerning
“Remarkably, this case connects to a U.S. law adopted in the 18th century – the All Writs Act. This law is relevant in all cases which have not been regulated by specific law or statutes and allows for issuing court orders when necessary or appropriate in aid of their respective jurisdiction. Congress has so far refused to update the corresponding ‘Communication Assistance for Law Enforcement Act of 1992’ as they are facing strong winds from technology companies. Therefore, in lack of a specific law that mandates companies like Apple explicitly to assist the government in disabling a certain feature, the All Writs Act is used as a backdoor, as it has been used before, for instance, in order to install a certain device into a land phone line to log phone numbers.
From the perspective of international human rights law, anonymity and encryption are necessary for the exercise of the right to freedom of opinion and expression, and for the protection of the right to privacy, which are enshrined in Articles 17 and 19 of the International Covenant for Civil and Political Rights (ICCPR). However, these rights are not boundless, and both of them can be limited by law for one of the listed reasons, such as national security or public order.
The 2013 Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression pointed out that security and anonymity of communication are already undermined by certain national law and that intrusive acts threaten the democratic foundation. The Special Rapporteur therefore strongly recommends that States not interfere with the use of encryption and underlines that States should not compel the provision of encryption keys. Even though the FBI is not asking Apple to directly decrypt the phone, it is obvious that their request to rewrite the software to make it possible to guess potential passwords automatically leads to the same outcome.
However, the reckless limitation of the scope of the above-mentioned human rights needs to be avoided. Therefore, the assessment of whether human rights can be limited requires balancing out the interests and taking into consideration, in particular, the rule of necessity and proportionality. In this case, the judge took the decision that the interest of the FBI to gain information on how the San Bernardino shooters operated is considered to be of higher value than the interest to keep communication information limited of access to just a certain group of (potentially criminal) individuals.
As long as this decision only has an impact on this specific case, the granted court order is legally well acceptable. But there are certain facts that make not only a lawyer shiver.
The U.S. legal system is based on case law. The fact is that this case would cause a precedent. Consequently, it would open the door for many similar cases to be dealt with in the same way, as an unknown number of smartphones could not be decrypted by law enforcement authorities yet. In addition, the required software to be developed would work on any phone of the same type. Knowing this, more laws, in particular data protection laws, might be breached afterwards once mighty governments feel tempted to use this software to access user data for more than law enforcement purposes. After all, it remains to be seen what legal developments on a global level will follow upon this case.”