As the battle over digital security heats up, with the FBI and law enforcement on one side and security experts and even intelligence officials on the other, it’s more important than ever to shine a light on the government’s efforts to defeat encryption in investigations. But as a recently unsealed court docket in Massachusetts and new reporting on FBI efforts to defeat encryption reveal, we’ve been having that debate in the dark.
On February 16, 2016, the public was for the first time made aware of a hugely important legal battle that had been brewing for some time behind closed doors. On that date, the FBI and Department of Justice decided to make public an order from a California federal court demanding that Apple help the government access content on one of the iPhones that had been used by Syed Farook, the San Bernardino shooter. Apple publicly refused to comply. The Silicon Valley powerhouse hired a star-studded legal team, filed a brief opposing the order, and went on a public relations blitz to convince the American public that what the government was demanding was wrongheaded and dangerous. By many accounts, Apple won that public relations war. And just as it was becoming clear that the government was facing much more and wider opposition than it had probably expected, officials announced that they were withdrawing from the legal fight. Someone had come to them with a solution, officials said, and they no longer needed Apple’s help getting into the phone.
Case closed, then. Apple customers and technology users writ large could rest easier, knowing the government wasn’t going to try to use an 18th century law to force 21st century technology companies to weaken their security.
Unfortunately, it’s not so simple.
The legal showdown around the San Bernardino shooter’s phone was the first time the public got a glimpse into the use of a dangerous legal theory that the government has been advancing, in secret, for years. Research conducted by the ACLU of Massachusetts and the national ACLU has shown that the government has used the All Writs Act of 1787 to attempt to conscript not only Apple but also Google into breaking into devices more than 60 times going back to 2008, in more than 20 states.
While conducting that research, our office discovered a public docket that led us to suspect that there may be a sealed court docket in the federal District Court of Massachusetts for another All Writs Act application, and possibly even a court order. So on March 31, 2016, ACLU of Massachusetts attorney Jessie Rossman filed a motion to unseal the docket sheet. On April 8—the final business day before the government was required to respond to our motion under court order—the government asked the court to unseal the docket in the case identified in our motion. The court did so, and we found out that our suspicions had been correct. The previously sealed docket contained a government application for an All Writs Act order to force Apple to help the government access the contents of an iPhone, as well as the court order doing so.
Issued February 1, 2016, the same day the government filed its application with the court, the order says that Apple must “assist law enforcement agents in the examination of one Apple iOS device (an iPhone)…by providing reasonable technical assistance.”
According to Apple, it never complied with the court order. But although it occurred only two weeks prior to the legal showdown in California, the government never pushed the issue in the courts or publicized Apple’s refusal to comply. The underlying search warrant in the Massachusetts case has now expired, meaning that if the FBI wants to push the issue in this case, the government would have to get a new search warrant, and then ask for another All Writs Act order.
We may never have known these details had the ACLU not filed a motion to unseal this docket. Why does this matter? It’s vital that the public has a window into the government’s legal actions pertaining to surveillance and digital security, no less as the debate over encryption moves from the courts to congress.
This week, Senators Richard Burr and Dianne Feinstein publicly released legislation they are calling the “Compliance with Court Orders Act of 2016.” The bill, if enacted, would force technology companies to deliberately weaken their security, to enable government agencies to access the contents of encrypted devices and communications. Burr and Feinstein’s proposal would do what the FBI has been trying to achieve in the courts, not just in the San Bernardino case but also in dozens of cases across the country, including here in Massachusetts.
But the Burr/Feinstein legislation and the precedent the FBI sought in the San Bernardino case are non-starters that would put the United States government, its people, and its businesses at risk of hacks and the theft of sensitive information. Such powers would also be a disaster for the United States technology industry, which employs millions of people and upon which our national economy depends.
Just last night the New York Times reported on documents obtained by MIT researcher Ryan Shapiro, revealing that the FBI used remote malware to read the encrypted emails of animal rights activists way back in 2003. Today, the government claims it is “going dark” because of encryption, but these documents show that FBI agents have been able to defeat encryption technologies for over a decade. The government’s position is that “[i]ndividually tailored solutions” like the malware agents used in 2003 “have to be the exception and not the rule,” as FBI general counsel Valerie Caproni told Congress in 2011. But “individually tailored solutions” like the ones the FBI used over a decade ago against animal rights activists are necessary if we want digital security in the information age.
The ACLU of Massachusetts filed a motion to unseal the Massachusetts court docket containing the All Writs Act order because vital issues like whether or not United States businesses can provide users with secure technologies shouldn’t be hashed out in secret, sealed court motions. We need to have this debate out in the open, informed by the reality of ongoing legal proceedings and the FBI’s secretive use of malware, in no small part because when we do, technology experts will be able to argue the facts of the situation. And primary among those facts is this: Encryption only works if it is unbreakable for all. There’s no “backdoor” access that can only be available to law enforcement—and such universal access is unnecessary if law enforcement can already hack into devices, as it did in 2003, in the most serious investigations. If companies are required to weaken their security so that FBI and local police can get inside, that means many other adversaries—including foreign governments and criminal hackers—will also be able to get in. Ultimately, encryption is an issue that even the best political compromise cannot solve: we either have it, or we don’t.
As the reporting on the 2003 FBI spying on animal rights activists and our motion to unseal the Massachusetts docket show, the real danger isn’t that law enforcement won’t be able to solve crimes, it’s that the debate about encryption won’t be informed by all the facts. In an open society, we can’t afford to “go dark” when it comes to the facts that inform critical public policymaking.