When the FBI order to break security protections on Syed Farook’s phone arrived on February 16th, it came as a surprise to nearly everyone. FBI director Comey had hinted that the bureau was still struggling with a locked phone from the San Bernardino case, but the bureau had been complaining about locked phones for more than a year. The idea of compelling Apple to build passcode-breaking software was still a novelty. What would such a case even look like?
Now, we’re starting to get answers. After Apple’s court filing Thursday, we can see arguments laid out from both sides and start to take stock of what the they will be fighting over. In many places, the case touches on fundamental questions of government power and the legal status of technology, issues that will be attacked from every angle as the case proceeds.
It’s still very early in a case that will likely stretch on for years, but five questions stand out in particular. How the courts answer them will decide whether the San Bernardino phone stays locked, or Apple is compelled to build the security-breaking software it’s gone to such great lengths to avoid.
How much can companies be compelled to do for the police?
This is the central question. As cited in the government’s motion to compel, the All Writs Act gives the court the power "to order a third party to provide non-burdensome technical assistance to law enforcement officials" as long as there’s a valid warrant involved. So Apple does owe the FBI some help here. It’s just a question of how much — or in the language of the court, whether the request is "unduly burdensome."
But as GWU law professor Orin Kerr has detailed, it’s not entirely clear what that standard means in practice. The strongest precedent is a 1977 Supreme Court case called US v. New York Telephone, which allowed law enforcement to compel a phone company to collect call records for a group of phone numbers being used to coordinate a gambling scheme. But the language in the ruling is vague in a number of places, and there haven’t been many cases since then to help nail down exactly what counts as "unduly burdensome." For the most part, phone companies have just kept quiet and complied with the orders.
The government filings take a strictly materialist interpretation of "burdensome," arguing that Apple has the in-house expertise to develop the software without too much trouble or expense. Apple disagrees, saying the code wouldn’t be difficult to produce, but its mere existence would cause a burden as the company looks to store (or in a more extreme scenario, delete and later reproduce) that software without weakening the company’s security structure.
Experienced Apple engineers would have to design, create, test, and validate the compromised operating system, using a hyper-secure isolation room within which to do it, and then deploy and supervise its operation by the FBI to brute force crack the phone’s passcode….Given the millions of iPhones in use and the value of the data on them, criminals, terrorists, and hackers will no doubt view the code as a major prize and can be expected to go to considerable lengths to steal it, risking the security, safety, and privacy of customers whose lives are chronicled on their phones.
This is roughly the argument Tim Cook has been making publicly — that the software is "too dangerous to create." Does "burden" extend to managing the existence of the software after the FBI order has been served? It’s genuinely hard to say, and the vagueness of the precedent means the lawyers will have a lot of room to maneuver on both sides.
How much does a given iPhone have to do with Apple?
One of the other standards set by New York Telephone is that the company is not "so far removed from the underlying controversy that its assistance could not be permissibly compelled." At the time, the standard was obvious: the phone network was being actively used to further a criminal conspiracy, so the phone company was tied in from the start.
According to the government, the same is true with Apple and Farook Syed’s iPhone:
Apple has positioned itself to be essential to gaining access to the subject device or any other Apple device, and has marketed its products on this basis. Apple designed and restricts access to the code for the auto-erase function…no other party has the ability to assist the government in preventing these features from obstructing the search ordered by the Court pursuant to the warrant. Just because Apple sold the phone to a customer and that customer created a passcode does not mean that the close software connection ceases to exist; Apple has designed the phone and software updates so that Apple’s continued involvement and connection is required.
Apple’s Thursday filing pushes back against that idea. Unlike iCloud, locally stored data is outside Apple’s control, so the company’s filing argues there’s no connection between Apple’s daily business and the data stored on Farook’s phone.
Apple is a private company that does not own or possess the phone at issue, has no connection to the data that may or may not exist on the phone, and is not related in any way to the events giving rise to the investigation… The All Writs Act does not allow the government to compel a manufacturer’s assistance merely because it has placed a good into the stream of commerce. Apple is no more connected to this phone than General Motors is to a company car used by a fraudster on his daily commute.
It’s a useful metaphor, but it’s genuinely difficult to say how far it extends into a world of networked software. Historically, GM’s cars haven’t had to worry about cloud backup systems or over-the-air software updates, although even that is changing.
Modern tech products exist in a complex network of updates and patches, never entirely out of the manufacturer’s reach. Apple, more than any other company, is responsible for that shift. Apple doesn’t own your phone’s hardware, but it aggressively updates and manages the software that runs on it and provides extensive customer service if anything goes wrong. It’s hard to say where Apple’s management ends and user control begins — but that’s a question the court will be taking on directly.
Do backdoors disrupt Apple’s business?
This is a zoomed-out approach to the burden argument, claiming the order is a fundamental challenge to the nature of Apple’s business. That would cut against the precedent described in US v. New York Telephone in a number of ways. The Supreme Court ruling takes care to note that New York Telephone is a public utility that does not have "a substantial interest in not providing assistance," and that compliance presents "no disruption to its operations."
It’s hard to say how important those criteria are, in part because of the ambiguities pointed out by Kerr, but they line up with one of the major points Apple has been making in and out of the courtroom: complying with the FBI order would weaken security for iPhone users across the globe. The government referred to these problems as "potential marketing concerns," but they could also be framed as a tangible harm to a billion iPhones around the world. Even building the GovtOS for a single phone and then deleting it forever would still leave the knowledge of how such an attack could be executed.
Apple’s filing puts it this way:
By forcing Apple to write code to compromise its encryption defenses, the Order would impose substantial burdens not just on Apple, but on the public at large. And in the meantime, nimble and technologically savvy criminals will continue to use other encryption technologies, while the law-abiding public endures these threats to their security and personal liberties—an especially perverse form of unilateral disarmament in the war on terror and crime…. If the government can invoke the All Writs Act to compel Apple to create a special operating system that undermines important security measures on the iPhone, it could argue in future cases that the courts should compel Apple to create a version to track the location of suspects, or secretly use the iPhone’s microphone and camera to record sound and video.
Establishing weakened security as an extraordinary burden could have implications across the industry. Is it burdensome to demand that a texting app log metadata, or forego forward secrecy? Quantifying security risk is a notoriously tricky legal question, but if the courts decide the issue is crucial to Apple’s case, it could provide valuable legal cover for smaller privacy-conscious services like Signal and Telegram.
Did Congress already settle this?
There’s also the real possibility that the New York Telephone case doesn’t matter at all. The All Writs Act only applies where there’s no preexisting statute that addresses the situation — but we’ve added a lot of new statutes in the 39 years since New York Telephone was argued. Some legal experts have offered 1994’s Communications Assistance for Law Enforcement Act in particular as a relevant statute. If the court agrees, it would strike at the heart of the government’s case, punting the entire argument directly back to Congress.
The government’s filings address this up front, claiming CALEA is inapplicable because Apple isn’t a carrier and the order concerns stored data rather than real-time phone records. But Apple’s filing points out a separate section of CALEA that says the government "cannot dictate to providers of electronic communications services or manufacturers of telecommunications equipment any specific equipment design or software configuration." It’s not an exact match — since GovtOS won’t be sold as a product, maybe it’s more like a coding request than a dictated software configuration — but for many, it sounds an awful lot like what the FBI is asking from Apple in the broader encryption fight.
It also matches a sentiment that’s been expressed on both sides of the encryption fight: this may be a job for Congress. When Comey first launched the FBI’s "Going Dark" initiative in June, it was more focused on the Congress than the courts, and Tim Cook has enthusiastically embraced leaving the issue to Congress in his public statements since the court order. And while Congress was certainly sluggish when it faced the issue last time, it’s genuinely unclear whether the San Bernardino attack changed that balance of power.
Does the Constitution protect you from writing code you think shouldn’t exist?
This is the big-picture argument, one that Apple is likely to make if it takes the case all the way to the Supreme Court. If code is speech, then Apple can’t be compelled to make it. Apple puts it this way:
When Apple designed iOS 8, it wrote code that announced the value it placed on data security and the privacy of citizens by omitting a back door that bad actors might exploit. The government disagrees with this position and asks this Court to compel Apple to write new software that advances its contrary views. This is, in every sense of the term, viewpoint discrimination that violates the First Amendment.
That’s an ambitious legal argument, but it’s one with a surprising amount of intellectual and legal backing. Fights over copyright in particular have given way to a lot of winning legal arguments that treat code as speech, as NYU’s Gabriella Coleman has documented. That will give Apple a lot to draw on in making its case, although many of those arguments are still controversial. Stanford’s Albert Gidari compared it to "compelling someone to shout out of a window ‘the key is under the flowerpot.’"
But while those claims are the most intellectually interesting, it’s unclear whether they’ll play much of a role in court. Most early analysis (particularly Kerr’s) has diagnosed the case as a statutory question rather than a constitutional one, and code-as-speech arguments are most likely to serve as a fallback if the more tangible burden claims fall through. The government hasn’t had a chance to directly respond to those arguments either, so it’s hard to say how robust they will ultimately be.
Those aren’t the only possible arguments, and there are plenty of other avenues for Apple to explore in the months to come. Thursday’s brief entirely ignores the Fourth Amendment, scared off by the combination of a government-owned phone and an undisputed warrant. Some have even said that the court’s order may violate international human rights law, although it will be a while before Apple is in a position to argue that case.
But however the case proceeds, it’s already clear this fight will set major precedents for the way tech companies deal with the government, setting a standard for exactly how far police are able to reach and how much companies are required to help them. From the beginning, Apple has argued that the FBI’s scheme is, if not technically impossible, so ethically fraught that it becomes unworkable. No one has ever had to defend that reasoning in court, but how Apple does it — and whether it works — will make a huge difference for American software developers in the decades to come.