How Existing Wiretapping Laws Could Save Apple From FBI's Broad Demands
from the calea-to-the-rescue? dept
There are all sorts of interesting (and frustrating and challenging) legal questions raised by the FBI’s use of the All Writs Act to try to force Apple to build a system to allow the FBI to hack Apple’s customers. But there’s one interesting one raised by Albert Gidari that may cut through a lot of the “bigger” questions (especially the Constitutional ones that everyone leaps to) and just makes a pretty simple point: the DOJ is simply wrong that the All Writs Act applies here, rather than the existing wiretapping statute, the Communications Assistance for Law Enforcement Act, or 47 USC 1002, better known by basically everyone as CALEA. CALEA is the law that some (including the DOJ) have wanted “updated” in ways that might force internet companies and mobile phone companies to make their devices more wiretap-ready. But that hasn’t happened.
And, as Gidari points out, it seems clear that CALEA preempts the All Writs Act and explicitly forbids what the FBI is requesting here. The DOJ is claiming that CALEA doesn’t apply to Apple:
Put simply, CALEA is entirely inapplicable to the present dispute [because] Apple is not acting as a telecommunications carrier, and the Order concerns access to stored data rather than real time interceptions and call-identifying information
But Gidari notes that’s misrepresenting CALEA, which also does apply to “manufacturers and providers of telecommunications support services” and Apple could be seen as qualifying, since it’s providing the “equipment” here. And then if CALEA, rather than the All Writs Act applies, the DOJ’s argument is basically dead on arrival. As many have noted, CALEA already says that you can’t force a provider to decrypt encrypted communications:
A telecommunications carrier shall not be responsible for decrypting, or ensuring the government?s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.
Now, some may argue that in this case Apple “possesses the information necessary,” but that’s not actually the case. Apple doesn’t possess the information necessary to decrypt. It’s being asked to build a system that would let the FBI then hack the system to decrypt. And that’s different. And on that point, there’s this in CALEA as well:
(1) Design of features and systems configurations. This subchapter does not authorize any law enforcement agency or office
(a) to require any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services;
(b) to prohibit the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.
In a follow up post, Gidari looks at the legislative history of CALEA as well, and notes that it was a compromise between law enforcement (who wanted access to everything) and telcos (who didn’t want to give that much access). And the end result was that CALEA was designed to be clear that, no, law enforcement can’t always get anything, and certainly can’t force companies to build new tools:
Indeed, Congress outright rejected the government?s initial CALEA proposal to actually prevent deployment of new technologies that didn?t have a wiretap back door. As Congress noted, ?[t]his is the exact opposite of the original versions of the legislation, which would have barred introduction of services or features that could not be tapped.? In other words, Congress accepted the fact that some new technologies would put some evidence that law enforcement wanted, needed, and may have had access to in the past, beyond its reach in some cases.
Congress also determined that carriers would have no responsibility to decrypt encrypted communications unless the carrier provided the encryption and could in fact decrypt it. CALEA did not prohibit a carrier from deploying an encryption service for which it did not retain the ability to decrypt communications for law enforcement access, period. Here again, CALEA recognized that some evidence that may be necessary to an investigation will not be available to the government because it is encrypted and the provider lacks the key to access it.
So while CALEA provided law enforcement with some surveillance capabilities on phone networks (which the Federal Communications Commission later extended to broadband Internet access and two-way Voice over IP), it precluded the government from requiring ?any specific design of equipment, facilities, services, features, or system configurations to be adopted by any manufacturer of telecommunications equipment.? Requiring Apple by court order to create and implement a work-around for the iPhone?s security features is, in fact, doing what CALEA prohibited.
While a big Constitutional battle may be more interesting (and more long lasting), it’s possible that an argument like this one might win the actual lawsuit.
Of course, then the battle will shift back to Congress to try to update CALEA…
Filed Under: backdoors, calea, doj, encryption, fbi, hacking, iphone
Companies: apple
Comments on “How Existing Wiretapping Laws Could Save Apple From FBI's Broad Demands”
“A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt,…”
But the government isn’t asking for Apple to decrypt anything or to provide a backdoor (a way ensuring the government’s ability to decrypt), are they? I thought what the government asked for was unencumbered access to brute force the front door (the phone’s PIN). Which means allowing PINs to be entered via a computer (as opposed to using the touchscreen), removal of the time delay between attempts and removal of the auto-erase function if 10 bad PINs are entered.
Re: Re:
I would argue that disabling security features that protect the encrypted data is “ensuring the government’s ability to decrypt”
Re: "Cumbered"
What is “encumbered access”? Does Apple or its fab already provide an “encumbered” linkage between the supposedly-secret uid fused in the processor, and external markings?
Would that be “encumbered access” because it’s national security secret access? And thus, “unencumbered” would merely mean that everyone can talk about how the government learns the contents of the phone?
Re: Re:
I would argue that disabling security features that protect the encrypted data is “ensuring the government’s ability to decrypt”
The primary security feature, the PIN, still protects the encrypted data even if Apple helps the FBI as requested by disabling security measures designed to help protect the PIN from attack. If Farook used an insecure passcode then the FBI will break it quickly (possible in less than 10 attempts), if Farook used a very secure passcode then the FBI might never be able to break in. Nothing is ensured.
Re: Re: Re:
Apple is being asked to disable the security feature that prevents brute-forcing the PIN. Thus, the government is asking Apple to circumvent a security system. That’s a back door.
The strength of the PIN (I’m not sure what makes some PINs stronger than others, aside perhaps from how often people choose them) is irrelevant here. If the Feds get what they want, they can easily try all possible PINs.
Re: Re: Re:
Well considering that the key needed to decrypt the information would get wiped in the event of 10 wrong guesses and decrypting the information would be impossible without it, what do you think the request to disable that feature was designed to accomplish if it wasn’t to “ensure the government’s ability to decrypt”?
Re: But that is a backdoor
That is indeed a backdoor. A backdoor doesn’t have to provide a key, it just has to weaken the protections. That’s what eliminating the PIN count and reducing the PIN delay does.
Re: Re:
the government has even less of a leg to stand on for this argument. what they can compel people to do it limited for a reason. they can’t force a bunch of people into a labor camp to build something. in the past companies were generally willing to work with the government but recently the governments action have meant fewer and fewer are willing to help them out and they seem to be to incompetent to figure it out for themselves.
>I thought what the government asked for was unencumbered access to brute force the front door (the phone’s PIN).
No, that’s not a thought, that’s an incredibly silly word game–which doesn’t keep it from being the kind of talking point the FBI uses when the law is dead set against it:
“We don’t want back doors, we’d be perfectly happy with a side door.”
“We don’t need a door at all, so long as we can break the windows whenever we wish.”
“We wouldn’t need to break windows if the homeowner could only be compelled to disassemble the house from the inside.”
“The owner is willing to open the door, why won’t he disassemble the front wall enough to drive a tank inside?”
“No, no, of COURSE we aren’t insisting on the front wall: a side wall would be perfectly acceptable.”
To all of which, the proper response is: “Your mixed metaphor perish with you: to the law and to the testimony!”
The law? “shall NOT be responsible for … ensuring the government’s ability to decrypt….”
A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.
CALEA sure helped Lavabit, and certainly prevented Microsoft from handing the skype keys over to the NSA. Of course, it may just be that neither case considered CALEA in that context. But why let legal details get in the way of a good snark?
Re: Snark
The Hunting of the Snark by Lewis Carroll
Re: Re:
Lavabit was information technology communications, but not telecommunications. Same with Skype. Apple is in the interesting place of actually being a telecommunications product provider, and it is this product whose software the FBI want them to modify.
So Apple gets out under a technicality. Internet communications was never protected in the same way that narrowly defined telecommunications has been for decades.
Learning from idiots?
“When encryption is outlawed, only outlaws will have encryption.”
If you have nothing to hide, you don’t need it, so wanting the ability to keep anything a secret from the government proves you’re a criminal.
Of course, the FBI is not doing this as a political scam on the “lucky” opportunity of using an infamous case to outlaw encryption. They are just trying to drum up business, since they know EVERYONE has some secret.
By the way, there is too much focus on the negative side of dirty secrets and hidden crimes used as sticks. The carrot side is just as bad, less noticeable, and MORE in use.
Actually, Apple is a leading abuser on that side. The personal data about your interests, tastes, and even your strengths is used by the marketeers to manipulate you and sell you all manner of stylish crape you don’t need.
(My dark secret is a propensity to use four-letter words like crape.)
It's like CALEA was created in a different time...
…A time when people remembered things like “1984” and the Watergate scandal.
Re: It's like CALEA was created in a different time...
Apple 1984 Super Bowl Commercial
Re: It's like CALEA was created in a different time...
“1994”
Re: Re: It's like CALEA was created in a different time...
facepalm
1984:
http://www.amazon.com/1984-Signet-Classics-George-Orwell/dp/0451524934
Good god, what do they teach kids these days?
Re: Re: Re: It's like CALEA was created in a different time...
Nineteen Eighty-Four
Re: Re: Re:2 It's like CALEA was created in a different time...
And as soon as TPP gets ratified and TTIP gets signed, 1984 will (for all practical intents and purposes) move to enter public domain in 2044 (or whatever the U.S. decides to -yet again- extend copyright to) worldwide.
Back on topic: I’d love for this case to be solved (and set in stone) as a matter of constitutionality, but I’m pretty sure Apple can’t risk such high stakes, so I guess any win for them would work at this point.
Re: Re: It's like CALEA was created in a different time...
OK. It’s official, some people definitely don’t know 1984.
That is sad, and worrying.
Re: Re: Re: It's like CALEA was created in a different time...
Born in the U.S.A.
While it’s an interesting argument, I think you are pretty much intentionally misreading the law to try to draw a conclusion. Specifically, this:
(1) Design of features and systems configurations. This subchapter does not authorize any law enforcement agency or office
(a) to require any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services;
(b) to prohibit the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.
This would appear on it’s face to be related to forcing ALL of the company’s products to be modified to this standard. The court order does not require a specific design for IPhones, it only asks for a modification for the device in police custody. There is no indication that the feds (or anyone else) wants this patch rolled out to every iphone in the world.
That said, CALEA may be a better argument against requiring a true backdoor in a product. I would not be shocked to see this law get modified in the near future to eliminate this potential legal arguement.
Re: Re:
Where does it mention or even imply all devices/software/etc., instead of just one?
If Apple puts this modified OS on one phone, they’ve ‘adopted’ the software.
Re: Re: Re:
The difference is the word “design”. A one off software modification for law enforcement isn’t a design, it isn’t the overall way the devices would be made, it’s a one off. It reads about overall product and not any one device.
If Apple rolled it out to all phones as a result of the court order, then yes, it would be “design”… but to place it one a single device… not so much.
Re: Re: Re: Re:
Oh yes it is, as law enforcement in this case is defining a design feature that they want. Design is simply the act of deciding how to implement something.
Re: Re: Re: Re:
The creation of any piece of software is, most assuredly, by design.
Re: Re: Re: Re:
I might give you that you were sincere with your definition of a “backdoor”.
Here, I have a lot of trouble sending any shred of good faith.
1. Even a one-off software requires “design”.
2. So you seriously think this will be a one-time-only thing?
3. You could have argued a few technicalities (eg. does Apple qualify as telecommunication provider? does CALEA apply when you’re trying to decrypt stored information and not ongoing communications?…), but this objection is just ridiculous.
Re: Re: Re: Re:
A one off software modification for law enforcement isn’t a design, it isn’t the overall way the devices would be made, it’s a one off.
If it doesn’t require design, then you’re saying it already exists.
It apparently doesn’t, otherwise this conversation wouldn’t exist.
Seriously, stop throwing words around like you have any semblance of a clue as to what they mean.
Re: Re:
This would appear on it’s face to be related to forcing ALL of the company’s products to be modified to this standard.
Bull. It applies to being forced to modify ANY of their products.
You’re so full of it.
Re: Re:
(a) to require any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services;
Seems pretty clear to me, they’re not allowed to force any changes. To claim otherwise would absolutely gut the restriction, as they could simply argue that a company doesn’t have to implement or change a particular feature or system configuration for all their products and/or services… just the ones the government/police tell them to.
Re: Re:
You know that whole, “Wipe the phone after 10 wrong guesses” thing? Guess what? That is a system level feature configured by the user that law enforcement is trying to compel them to change.
Re: Re:
You’re just using an overbroad interpretation of “to be adopted”. Changing a single phone would apply.
oh, really easy
I like these arguements. Why couldn’t, our government talk with a government that has the source code for a copy of it. After all the great protector of privacy in america gave the “C” government a copy of their latest source code. I’ll bet the others have not only found out, how, and already busted into what they want to hear.
Apple doesn't have to be a telco
I do believe Apple does provide support for their services which of course includes Facetime as well as iMessages.
Re: Apple doesn't have to be a telco
Oh I misread that. Sorry.