A 2015 mass shooting in San Bernardino spawned one of the most controversial cybersecurity cases of the new millennium. The FBI and Apple litigation in which the FBI sought to compel Apple to create a backdoor to their security systems in order to access the shooter’s phone raised serious issues about privacy and the scope of the All-Writs Act. However, the case never saw a true resolution – the FBI withdrew their case when a third party was able to successfully access the target device. The lack of resolution to the question of whether the government can compel a company to provide a backdoor to their security systems remains unanswered, and it’s a question that technology giants must still consider.
At a recent talk on ‘Privacy in Cyberspace’ at Columbia Law School, two of the attorneys that were part of the 2016 litigation discussed both the government and private company perspectives. Bruce Sewell, who was counsel at Apple during the litigation, highlighted the fear that, if Apple were forced to create a backdoor to its security system, sinister parties could potentially gain access to that backdoor and wreak havoc. Saritha Komatireddy, an AUSA in the Eastern District of New York who oversaw parallel litigation at the time of the San Bernardino case, discussed the need for the government to have some way of accessing a device if it could hold critical information. The issue really focuses on the fact that, while Apple or other companies will gladly turn over information they have access to (i.e. information stored in “the cloud” or on servers they control) if provided with a warrant, they simply cannot hand over information that is purely stored on a phone because they do not have a way of accessing it. The government essentially wanted Apple to redesign security software to create a backdoor that they could use to get around passcode security. Embedded in the problem of allowing the government to dictate the level of security a company provides its users is the deeper issue of whether or not citizens should have a place to store information that the government should never be able to access?
One of the most interesting arguments the government relied on in the Apple litigation was the application of the All-Writs Act which, although signed into law by George Washington in 1789, has rarely been used in American jurisprudence. The All-Writs Act “allows federal judges the power to issue court orders, which makes sense considering that “writs” is an old-fashioned term for “formal order.”” The Act allows for orders to be issued as long as they are not unduly burdensome and will be no more than minimally disruptive to a company’s operations. When the litigation against Apple was withdrawn, the absence of an answer to these key legal questions left something of a vacuum. Interestingly, because the FBI was able to gain access to the device without Apple’s help, this negated one of the requirements of the All-Writs Act’s requirements – that the writ not be unreasonably burdensome. This burdensome requirement can be interpreted as meaning that there be no other way for the FBI to get the information other than by the means they requested of Apple. Because the FBI was able to find a third party to access the device, there clearly was a less burdensome means of accessing the information. As there was a third party that was able to create a means of accessing the device, the question becomes ‘is anything truly inaccessible’? If the answer is ‘no’, then the government would have a much harder time succeeding in a future All-Writs Act argument. If the answer is ‘yes’, then the question is mostly mute – the answer implies a company like Apple could not get around their security even if they were to try to.
Support for companies like Apple is incredibly split in cases like the San Bernardino case. The general consensus from the panelists in the Columbia lecture is that this issue is not dead and will likely be raised again soon – even if it is not raised in the United States. While a district court rulingrejected the government’s arguments in favor of using the All-Writs Act in litigation that was parallel to the San Bernardino case, the issue is still live across the country. Companies need to consider the possibility of the All-Writs Act being used to compel their action in cybersecurity matters, but also in any matter where they hold keys (or can create the keys) for information the government wants. They should be prepared to counter those arguments with examples of alternative methods to prevent the government from successfully arguing that their request is not unreasonably burdensome. Furthermore, companies should start considering whether or not there exists a right to total privacy – a privacy right that extends beyond their device or system to all Americans and inherent in judicial conceptions of privacy. The questions remain unanswered, and thinking about their solutions now may be critical to defeating government requests under the All-Writs Act in future litigation.