The big news in the privacy sphere over the last few weeks has been the ongoing dispute between the FBI and Apple. Apple has refused to comply with a court order requiring it to help the FBI unlock an iPhone belonging to Syed Rizwan Farook, one of the shooters involved in the San Bernadino terrorist attack last December.
This case has provoked much discussion around how far companies should go to protect individuals’ privacy and the balance between, on the one hand, the right to privacy and protection of personal data, and on the other, the prevention of crime and promotion of justice.
TLT has previously commented on the deliberations of the US government over whether technology companies can be compelled to install backdoors to their devices to allow the government access to information held on them.
On 2 December last year, Farook and his wife, Tashfeen Malik, killed 14 people and injured 22 in a terrorist attack in San Bernadino, California, before being killed themselves.
The FBI obtained a search warrant under which Apple provided data from weekly backups to iCloud from Farook’s phone.
Within 24 hours of the attack, the FBI asked the San Bernardino County government to reset the phone's icloud storage account. This made it impossible for further back-ups to be made, including information stored immediately prior to the attacks, which the FBI could have accessed via the search warrant.
The content of Farook's iPhone was encrypted and the iPhone has a feature which erases the encryption key on the iPhone after 10 incorrect attempts at entering the phone’s four-digit passcode are made. This means that, after 10 incorrect attempts, the information is still held on the iPhone, but it is impossible to decode without the deleted encryption key. This encryption also means that Apple is unable to access information held on the phone, but not backed up onto an iCloud server.
The FBI believes that there may be further important data on Farook’s phone that was not contained in the backups released to them. They therefore obtained a court order requiring Apple to build a custom version of the iOS software that would circumvent this feature and allow the FBI to "update" the iPhone so that the they could make unlimited passcode attempts to unlock the phone to gain access to the data contained on it.
Apple has vehemently opposed the court order. Their position is that creating this software for the FBI would create a dangerous precedent and potentially allow other iPhones to be unlocked in the same way. Apple considers there is no way to guarantee that such software would not fall into the wrong hands and be abused to undermine other users’ rights to privacy.
Other tech companies have generally rallied around Apple and served supporting documents at Court in support of Apple’s position. The UN's High Commissioner for Human Rights has also gone on record stating that such an order has the potential for "extremely damaging implications" on human rights and that the FBI "risk unlocking a Pandora's box".
In addition, there are concerns that if the Court order is granted, this sets a precedent, not just for US law enforcement bodies, but also for other nations to compel Apple to undertake similar actions to weaken their products' security systems.
The FBI, on the other hand, has argued that the court order is “modest” and would be confined to the single iPhone in question. The FBI’s view is that the public interest in knowing what data is on the iPhone outweighs any arguments that Apple might have about protecting privacy and that, in any case, Apple would be able to keep the new software confidential and prevent it from being abused.
However, the Director of the FBI, when giving evidence to the House Judiciary Committee on this issue, admitted that if they were able to obtain the court order, it would set a legal precedent allowing the agency access to any encrypted device.
Other District Attorneys have publically gone on record to suggest that if such an order is obtained, they would be applying for similar orders in respect of other encrypted devices they hold.
Whilst this case has, due to the nature of the atrocities committed, been the focus of the media and political attention, a similar case was heard at the end of February 2016 in the District Court of Eastern District of New York, in which the Department for Justice applied for a similar order to allow the FBI access to the contents of a drug dealer's iPhone.
In this case, the Court declined to grant a similar order, and the judge was scathing of the Department of Justice's arguments. He agreed with Apple's arguments that legislation used to try to obtain the order did not extend to the creation of new information not in the possession or control of the subject of the order. The Department of Justice has lodged an appeal against this decision.
The argument for privacy focuses not so much on Farook’s right to privacy, or even the privacy rights of terrorists more generally, but on the potential wider effects the ruling could have on privacy across the United States and even the world. If the software were created, no matter how hard Apple tried to keep it secure, there would always be a risk of that software falling into the hands of a criminal who could use it to access data held on any iPhone regardless of the security features on that phone. It is difficult to fathom the potential scale of damage that could result from this.
That said, with the global threat of terrorism ever increasing, the question will be whether the risk of this happening can be justified by the possibility that the data held on the iPhone could be useful in the fight against terrorism.
The appeal was due to be heard in court this week, but the Justice Department has requested that the hearing be postponed while it investigates an exploit which it believes could be used to allow access to the information on the phone. If the FBI decides that this alternative method does not work, then the case will be back in court in a few weeks time.
Even if this exploit works, Apple will, no doubt, seek to neutralise its effectiveness by way of a software update, which means that even if this order is withdrawn, it is likely that this issue will return to the courts in the future.
Whatever the outcome, it will certainly have interesting and significant implications for the balance of public interest and crime-fighting with not only the privacy rights of individuals, but the privacy rights of society as a whole.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.