ONLINE IMPERSONATION: I HAVE A RIGHT TO BE LEFT ALONE V. YOU CAN’T MANDATE HOW I USE MY PRIVACY TOOLBOX

By: Evisa Kambellari*

I. Introduction

In the virtual world, one person can present himself in different identities and several persons can present themselves under the same virtual identity.[1]  Online impersonation can occur in two ways: either by stealing one’s personal information to gain access to his online profile or by creating a completely fake profile.[2]  The fake profile might reveal information that belongs to someone else or be totally fictitious.  Such flexibility in assuming one’s identity online is due to the anonymity that people enjoy in the online world.  Inability to elaborate proper identification tools of Internet users is one of the biggest challenges in preventing and prosecuting social media related crimes.[3]  Online social networking has reshaped human interaction in a way that reduces the barriers that would traditionally keep strangers apart.[4]  Identification requirements are minimal and there is no proper mechanism of verifying the truthfulness of the information one presents in creating an online profile or e-mail account.  However, creating a fake online profile is not a criminal act per se.  The component that turns the lawful act into an unlawful act of online impersonation is the imposter’s malicious intent to “defraud,” obtain a “benefit,” or “injure”.[5]

Continue reading “ONLINE IMPERSONATION: I HAVE A RIGHT TO BE LEFT ALONE V. YOU CAN’T MANDATE HOW I USE MY PRIVACY TOOLBOX”

BALANCING LIABILITIES IN AUTONOMOUS VEHICLE ACCIDENTS: DO NOT JUST BLAME THE GHOST INSIDE

By: Sean Kim*

I. Introduction

Despite its reemergence in the last five years, the concept of autonomous vehicles existed as early as the 1920s.[1]  While the early concept largely focused on speed and collision prevention systems provided by automated highway systems, or “smart roads,”[2] the advent of computers and artificial intelligence has shifted the focus from “smart roads” to “smart cars.”[3]  This shift has led to the continued development of vision-based systems of vehicle guidance.[4]  By 2007, all entrants in the United States Defense Advanced Research Projects Administration (DARPA) competition were successful in operating their autonomous vehicles in an urban setting that mimicked a city environment.[5]  As technology becomes more sophisticated, more automobile manufacturers and leading tech companies, such as Google and Apple, are cooperating to develop autonomous vehicles.[6]

As the number of autonomous vehicles on the road increases, ­a new genre of tort law is introduced: determining and balancing liability between drivers and manufacturers in autonomous vehicle accidents.[7]  While the general public expects autonomous vehicles to offer safer, hands-free driving experiences and to completely replace human interaction with motor vehicles, the need for consumer—or driver— education or behind-the-wheel training still exists.[8]

Section II provides an overview of negligence and strict liability under products liability law, as well as an overview of the types of automobile defects relevant to the analysis.  For the sake of this Note, breach of warranty will not be addressed.  Section III discusses recent developments of autonomous vehicle news and different state laws regulating autonomous vehicles.  Section IV recommends increased federal regulation for autonomous vehicles and heightened standards for vehicle manufacturers and drivers alike.

II. Background

A. Introduction to Products Liability

1. Negligence

Negligence is generally defined as “the failure to exercise reasonable care” under the circumstances.[9]  There are five elements required to establish a prima facie case for negligence: duty, breach of duty, “but-for” causation, proximate causation, and physical harm.[10]

Duty provides a maximum threshold to which people may be held accountable for their actions that cause harm to others.[11]  Without duty, one cannot be found liable for negligence.[12]  Breach of duty is often described as an “act or omission” that unreasonably affects the rights of others.[13]  While breach of duty implies a standard of reasonable care that people ought to follow to prevent undue harm to others,[14] the standard varies in different situations.[15]

The third and fourth elements of negligence are “but-for” and proximate causation.[16]  A causal relationship—both “but-for” and proximate—between a defendant’s breach of duty and the plaintiff’s harm must be established for liability to attach.[17]  “But-for” causation asks whether harm to the plaintiff would have happened were it not for defendant’s negligence,[18] while proximate causation relates to the closeness or remoteness of the defendant’s breach of duty to the plaintiff’s harm.[19]  The more remote a defendant’s action from a plaintiff’s harm, the less likely a court will find the defendant’s action a proximate cause of the plaintiff’s harm.[20]  The last element of negligence is actual harm.[21]  Without actual harm, no liability can be assigned to the defendant.[22]

2. Strict Liability

The doctrine of strict liability “[e]nsure[s] that the costs of injuries resulting from defective products are borne by the manufacturers that put such products on the market rather than by the injured persons who are powerless to protect themselves.”[23]  Strict liability attaches to a seller of defective or unreasonably dangerous products if the product causes harm to the user or consumer, or to his property, and if (a) the seller is engaged in the business of selling such a product, and (b) the product is expected to and does reach the consumer without substantial change in its condition.[24]  Although state courts apply different interpretations for the scope of strict liability,[25] almost all states have adopted the language of Section 402A of the Restatement in their rules.[26]

B. Types of Defects in Automobile Vehicles

1. Manufacture Defects

A manufacturing defect is a mistake in the process of building a product that would be safe if it were built as designed.[27]  A manufacturer may be held strictly liable for dangerous manufacturing defects, even if it has exercised “all possible care” in manufacturing the product.[28]  A plaintiff must establish that “the product does not conform to the specifications, regardless of whether there was negligence in the manufacturing process” to prevail in a products liability litigation.[29]  However, some courts hesitate to attach strict liability to software under the manufacturing defect doctrine.[30]

Another method available to consumers is the malfunction doctrine, a variation of the manufacturing defect doctrine.[31]  The malfunction doctrine allows a plaintiff to show a manufacturing defect by inferring product defect from “circumstantial evidence that (1) the product malfunctioned, (2) the malfunction occurred during proper use, and (3) the product had not been altered or misused in a manner that probably caused the malfunction.”[32]

2. Design Defects

A design defect is a defect in intended product design that makes a product harmful or dangerous.[33]  Many states assign strict liability to manufacturers for manufacturing design defects.[34]  The State of California uses two tests—the consumer expectation test and the risk/benefit test—to establish design defects­­[35] and to hold sellers and manufacturers strictly liable.[36]  Under the consumer expectation test, a plaintiff must prove that a defendant’s defective product did not perform as safely as an ordinary consumer would have expected it to perform when used or misused in an intended or reasonably foreseeable way, and that the product’s failure to perform safely was a substantial factor in causing the plaintiff’s harm.[37]  As for the risk/benefit test, strict liability attaches to a manufacturer when two conditions are satisfied: (1) the manufacturer’s product design was a substantial factor in causing harm to the plaintiff and (2) the manufacturer fails to prove that the benefits of the product’s challenged design outweigh the risks of such design.[38]

3. Failure to Warn

Manufactures may be held liable for injuries that are attributable to the relevant risks of their products.[39]  They are required to disclose and warn consumers of the foreseeable risks of using their products, and they can be liable for any injury or damage attributable to the lack of information disclosed.[40]  In California, for example, failure to warn (or inadequate warning) is a sufficient ground to hold manufacturers and sellers strictly liable.[41]  In order to minimize potential liability stemming from failure to warn, manufacturers err on the safe side by providing copious disclaimers and warnings.[42]

For example, Tesla’s new autonomous vehicle technology manual may have a disclaimer asking drivers to pay close attention to the traffic when using its autonomous vehicle technology.  Without a disclaimer warning drivers to pay close attention to the traffic while using the autonomous technology, Tesla could be held liable for any accident that may be attributable to this lack of disclaimer.[43]  In addition to providing adequate warning at the time of sale, manufacturers have post-sale responsibilities to provide warnings for newly discovered facts pertinent to the safety of their products.[44]  Although this post-sale responsibility is widely recognized by manufacturers, the “common law legal framework for addressing liability when manufacturers fail to do so is less well established.”[45]

III. Analysis

A. State Regulations for Autonomous Vehicle Drivers

As autonomous vehicle technology becomes more available to the public, a new standard may be required for drivers that utilize this technology.  Negligence is based on a standard that asks what a reasonably prudent person would do in a given, particular situation.[46]  In light of the perceived benefit of autonomous vehicle technology, however, the reasonable driver standard may shift, placing a higher burden on the vehicle and software manufacturers.

Basic reasonableness standards for autonomous vehicle drivers can be found in different state statutes.  For example, Nevada statute Sections 482A.070, outlining requirements for a human operator for highway testing of an autonomous vehicle,[47] and 482A.080, outlining equipment requirements for autonomous vehicles,[48] provide a basic requirement for autonomous vehicle drivers.  California, Florida, and the District of Columbia outline similar requirements for drivers and autonomous vehicles.[49]

These statutes generally include the following requirements: First, drivers must be seated in a position to allow them to immediately take control of the vehicle, i.e., being able to access the means to engage or disengage the technology.  Second, drivers must be able to safely monitor the autonomous vehicle operation.  Monitoring vehicle operation consists of monitoring the dashboard and hearing or seeing an alert indicating a failure of the autonomous system, or any other malfunction affecting the autonomous vehicle technology.  Third, drivers must be capable of taking control of the vehicle when necessary.  This requires that drivers not be in various physical or mental states—falling asleep behind the wheel or driving under the influence—that renders them incapable of manually driving the vehicle legally.

B. State Regulations for Autonomous Vehicles
1. Autonomous Vehicle Requirements

In Nevada, autonomous vehicles are required to provide a visual indication to its drivers when the autonomous technology has been engaged/disengaged, and be equipped with a means to alert the driver that the autonomous technology is unable to operate the vehicle safely.[50]  Moreover, Nevada statute requires that a driver of an autonomous vehicle be actively engaged while driving.[51]  For autonomous vehicle equipment and functionality, California, Nevada, Michigan, and the District of Columbia all require the vehicles to meet federal standards and regulations for motor vehicles and comply with applicable state traffic and motor vehicle laws.[52]  Furthermore, they require the vehicles to have safety mechanisms for engaging/disengaging the technology, visual indicators inside the vehicle that show when the vehicle is in autonomous mode, and a means of alerting the operator of a technology failure.[53]

2. Data Collecting and Reporting Requirements

One noticeable discrepancy between the aforementioned states is the requirement of reporting all disengagements of autonomous mode, near misses, and crashes.[54]  While California requires manufacturers to collect and report data related to accidents[55] or disengagement from autonomous mode by the test driver resulting from a failure of the autonomous technology,[56] Nevada only requires manufacturers to report accidents or traffic violations occurring during autonomous vehicle testing.[57]  Neither Florida nor the District of Columbia, on the other hand, has data collecting and reporting requirements for autonomous vehicle testing or operation.

3. Manufacturers’ Liability and Its Scope

For manufacturers, Nevada limits a manufacturer’s liability to accidents or injuries caused by defects that were present in the vehicle as originally manufactured.[58]  It thus shields manufacturers from potential liabilities from accidents or injuries caused by defects originating from any conversion or installation necessary to convert a regular vehicle into an autonomous vehicle.[59]  Michigan and the District of Columbia followed suit with Nevada’s approach.[60]  This approach to manufacturers’ liability seems fair and reasonable, and it closely follows the Restatement’s approach that if there were substantial changes in a product’s original condition, the manufacturer of the product would not be held liable.[61]

However, some jurisdictions have adopted a different approach.[62]  In 1996, an Illinois court wrote that “[w]here an unreasonably dangerous condition is caused by a modification to the product after it leaves the manufacturer’s control, the manufacturer is not liable unless the modification was reasonably foreseeable.”[63]  The “reasonably foreseeable” approach broadens the scope of potential liability of the automobile manufacturers because they could be held liable for damages or injuries caused by third-party modifications if these modifications were reasonably foreseeable to the manufacturer.[64]  On the other hand, California code does not even mention manufacturers’ liability, failing to address and balance liabilities between vehicle manufacturers and third­ parties that make modifications to manufactured vehicles.[65]

C. Determining a Standard for Manufacturers Liability

Further development and public use of autonomous vehicle technology may challenge the adequacy of current product liability law.  It has been suggested that the advent of autonomous vehicles will result in an imbalance of liability between autonomous vehicle manufacturers and consumers.[66]  After a much-publicized fatal accident that involved a driver with his Tesla Model S electric sedan in autonomous driving mode, federal regulators opened a formal investigation into the accident.[67]  Although Tesla, with possible recall of its vehicles looming (depending on U.S. National Highway Traffic Safety Administration (NHTSA) findings), escaped from the aforementioned accident unscathed, the accident nevertheless highlighted the need for manufacturers to eliminate any software and/or hardware defects and to provide all required information to drivers and vehicle owners.[68]

The Restatement (Third) of Torts recognized that the seller’s duty to warn of product-related defects after the point of sale is “often daunting.”[69]  Continued technological developments, such as on-board sensors and driver assistance systems—adaptive cruise control, automated emergency braking, and pedestrian detection[70]—make automakers more vulnerable to negligence and strict liability.[71]  This increase in liability, so-called “proximity-driven liability,” resulting from increased proximity between drivers and automobiles, may run against the spirit of the doctrine of strict liability, which is to safeguard the general public from defective products by increasing liability of the manufacturer—the only party able to rectify the defect and prevent public loss.[72]

The purpose of autonomous vehicle technology is to make the vehicle safe for consumers.[73]  Knowing that software is never perfect, however, it is unfair to place a higher burden of liability on manufacturers that aim to make driving easier and safer for the general public.  Barring specific instances in which software failure or malfunction is the sole cause of an accident, autonomous vehicle operators should also shoulder the responsibility of being safe operators.  Nevertheless, vehicle manufacturers should shoulder any liability stemming from defects of its hardware and/or software, regardless of whether it was negligent.

IV. Recommendation

A. Standards for Manufacturers and Drivers

Courts have generally refused to apply the doctrine of strict liability to software failures because of the notion that software cannot be perfect and error-free.[74]  While understandable, strict liability should be applied to lessen the burden borne by the public—the burden of potential dangers and both the economic and social costs associated with automotive accidents.

Manufacturers and developers are in a far better position to prevent and mitigate software failures or defects.  Furthermore, increasingly sophisticated marketing of autonomous vehicles and the autonomous vehicle technology makes it more difficult for the consumers to see the risk behind the technology.[75]  Moreover, complicated chains of supply of parts and distribution of autonomous vehicles make it that much more difficult for consumers to pinpoint the origin of the defect in a manufacturer’s product.[76]  Some autonomous vehicle manufacturers such as Google and Mercedes-Benz have indicated that they will take full responsibility of any accidents caused by failures of their autonomous vehicle software.[77]

Moreover, courts should apply the objective reasonable-person standard to autonomous vehicle software, which should consider the following, non-exhaustive factors in determining whether a software was defective: (1) total utility, or benefit, to the drivers and others, (2) total amount of risk, or harm, to the driver and others, (3) the likelihood of the risk actually causing harm to others, and (4) any existing, reasonable alternatives of lesser risk and the costs of those alternatives.[78]  This standard should allow courts to determine whether the software made a reasonable—as opposed to correct—decision, eliminating potential ethical dilemmas from the liability calculus. [79]  Although the reasonable-person standard lacks certainty,[80] courts, nevertheless, have been successfully applying it to many tort cases, and thus should be able to determine whether autonomous vehicle software has acted reasonably according to the standard.

As autonomous vehicle technology becomes more advanced and ready for public use, autonomous vehicle drivers may become less responsible on the road, creating a potential imbalance of liability between manufacturers and consumers.[81]  Courts should apply a higher standard to autonomous vehicle drivers involved in an automobile accident while using autonomous vehicle technology.  This will require the courts to determine whether drivers of autonomous vehicles were driving, or monitoring their autonomous vehicles in a reasonable way.  Despite possible concerns about uncertainty and the unpredictable nature of the reasonable-person standard, its application would not be difficult for the courts since they have been more than capable of determining whether one has acted reasonably or not in a given situation.

B. Federal Regulation for Autonomous Vehicle Technology

Congress should enact a law regulating autonomous vehicle operations, especially to require sensors and software functionality, including parameters that govern and influence autonomous vehicle software’s decision making.  The United States Department of Transportation (USDOT) already has extensive safety standards and regulations provided by NHTSA for regular vehicles.[82]  As evidenced in numerous state laws, bills, and regulations on autonomous vehicles, regulations and requirements for the operation of autonomous vehicles are scant and general at best.[83]  On the other hand, for aircrafts, the Code of Federal Regulations (CFR) and the Federal Aviation Administration (FAA) have extensive requirements and regulations for flight guidance systems.[84]

An example of a possible federal regulation on autonomous vehicles may be monitoring and recording autonomous vehicle and driver activities for a specified time period before an accident.  The recorded vehicle and driver activities would greatly help courts determine whether the driver was monitoring his or her autonomous vehicle operation in a reasonable manner.  Furthermore, the government should regulate technical parameters such as sensor sensitivity, radar range, and software processing speed, and delineate what constitutes a substantial change, or material modification, to autonomous vehicles and autonomous vehicle software.  Unified quality standards for autonomous vehicle parts and sensors would provide clarity and information to consumers and greater control and guidance on autonomous vehicle performance, safety, installation, modification, and testing standards.

V. Conclusion

Autonomous vehicle technology is no longer a product of science fiction.  Google’s self-driving vehicles have driven over two million miles so far,[85] and many Tesla drivers are already taking advantage of Tesla’s autonomous vehicle software.[86]  However, the technology is far from perfect, and there are scenarios that are beyond technology’s current capabilities to handle.[87]  In order to protect the public from accidents caused by autonomous vehicle software defects or malfunctions, standards for autonomous vehicle manufacturers should be heightened.  Likewise, in order to protect the public from accidents caused by negligent drivers using this technology, reasonableness standards for these drivers should likewise be heightened.[88]

In addition, a federal department such as the Department of Transportation, or an agency such as NHTSA, should regulate autonomous vehicle operation, including sensor and radar operations, software controls and parameters, vehicle inspection guidelines for manufacturers and third parties, and operation manuals for autonomous vehicle drivers.  Centralized federal regulation would provide concrete guidelines not only for the states but also for the vehicle manufacturers and the public alike.  The technology is already vastly ahead of the regulation, and there is some serious work to do for our state and federal legislatures.


* Juris Doctor, University of Illinois College of Law, 2017. Thanks to the editors and staff of the Journal of Law, Technology & Policy for their efforts. I would also like to thank my wife, Catherine, for her continuous support. This work would not have been possible without her. Finally, many thanks are owed to my parents, family, and friends for their unwavering support.

[1] Marc Weber, Where to? A History of Autonomous Vehicles, Computer History Museum, http://www.computerhistory.org/atchm/where-to-a-history-of-autonomous-vehicles (last visited Apr. 8, 2017).

[2] Id.  This was because much of the danger from driving during that time period was from ill-marked roads rather than the automobiles themselves.

[3] Id.

[4] Id.

[5] Id.

[6] 33 Corporations Working on Autonomous Vehicles, CB Insights (Aug. 11, 2016), https://www.cbinsights.com/blog/autonomous-driverless-vehicles-corporations-list.

[7] John Villasenor, Products Liability and Driverless Cars: Issues and Guiding Principles for Legislation, Brookings (Apr. 24, 2014), http://www.brookings.edu/research/papers/2014/04/products-liability-driverless-cars-villasenor.

[8] Sherry Baxter, Reasonable Doubt: The Road to Regulation for Self-Driving Vehicles, Ga. Straight (Jan. 22, 2016, 2:17 PM), http://www.straight.com/news/622601/reasonable-doubt-road-regulation-self-driving-vehicles.

[9] See, e.g., Bodin v. City of Stanwood, 927 P.2d 240, 249 (Wash. 1996) (stating basis for negligence action).

[10] David G. Owen, The Five Elements of Negligence, 35 Hofstra L. Rev. 1671, 1674 (2007).

[11] Id. at 1675.

[12] Palsgraf v. Long Island R. Co., 162 N.E. 99, 99 (N.Y. 1928).

[13] Id.

[14] Id.

[15] While adults are held to a reasonable person standard, children and disabled people are held to a standard of reasonableness for a person with similar characteristics.  Restatement (Third) of Torts § 10 (2010); see also Stevens v. Veenstra, 573 N.W.2d 341 (Mich. Ct. App. 1997) (holding that a fourteen-year-old driver education student is not held to a reasonable person standard for adults, but instead to a standard reasonable for fellow fourteen-year-olds).  However, people with greater levels of skills, such as doctors and other medical professionals, are required to exercise a greater amount of care they reasonably possess.  See Helling v. Carey, 519 P.2d 981, 983 (Wash. 1974) (finding that defendant was negligent in failing to conduct a simple pressure test that other optometrists would reasonably have done).

[16] Id.

[17] Id.

[18] Id.

[19] Id.

[20] Id.

[21] Id.

[22] Id.

[23] Greenman v. Yuba Power Products, Inc., 377 P.2d 897, 901 (Cal. 1963).

[24] Restatement (Second) of Torts § 402A (1965).

[25] Villasenor, supra note 7.

[26] Derek H. Swanson & Lin Wei, McGuireWoods, United States Automotive Products Liability Law (Oct. 2009), https://www.mcguirewoods.com/news-resources/publications/us-automotive-products-liability.pdf.

[27] Restatement (Third) of Torts: Prod. Liab. § 2(a) (1998).

[28] Id.

[29] Jeffrey K. Gurney, Sue My Car Not Me: Products Liability and Accidents Involving Autonomous Vehicles, 2013 U. Ill. J.L. Tech. & Pol’y 247, 258 (2013).

[30] See 68 Am. Jur. 3d Proof of Facts § 8, at 333 (2002) (“[N]o cases have been found applying [manufacturing defects] to software.”).

[31] David G. Owen, Manufacturing Defects, 53 S.C. L. Rev. 851, 873 (2002).

[32] Id.

[33] Restatement (Third) of Torts: Prod. Liab. § 2(b) (1998).

[34]Dennis W. Stearns, An Introduction to Product Liability Law, Marler Clark L.L.P., http://www.marlerclark.com/pdfs/intro-product-liability-law.pdf (last visited Apr. 8, 2017).

[35] Barker v. Lull Eng’g Co., 573 P.2d 443, 457–58 (Cal. 1978).  The California Supreme Court in Barker set out two tests to establish defect in the product design: the consumer expectation test and the risk/benefit test.  Id.  For the consumer expectation test, a plaintiff must prove that the defendant’s defective product did not perform as safely as an ordinary consumer would have expected it to perform when used or misused in an intended or reasonably foreseeable way, and that the product’s failure to perform safely was a substantial factor in causing plaintiff’s harm.  Id.  The consumer expectation test is reserved for cases where plaintiff’s everyday experience permits a conclusion that the product design is defective and not safe.  Pruitt v. General Motors Corp. 72 Cal. App. 4th 1480, 1484 (1999).  For the risk/benefit test, the plaintiff has to prove that the defendant’s product design was a substantial factor in causing harm to the plaintiff, and the defendant must fail to prove that the benefits of the product’s challenged design outweigh the risks of the design.  Barker, 573 P.2d at 457–58.

[36] David H. Canter et al., California Products Liability Law: A Primer (Jan. 2012), http://trialattorneysofamerica.com/documents/Primer2012.pdf; see also Anderson v. Owens-Corning Fiberglas Corp., 810 P.2d 549, 553 (Cal. 1991) (holding that strict liability has been invoked for three different types of defects: manufacturing, design, and inadequate warnings).

[37] Barker, 573 P.2d at 457–58.

[38] Id.

[39] Restatements (Third) of Torts § 2(c) (1998); see also Villasenor, supra note 7.

[40] Villasenor, supra note 7.

[41] In Livingston v. Marie Callenders, Inc., the court found Marie Callenders liable to a plaintiff who suffered an allergic reaction to a Marie Callenders product on a strict liability failure to warn theory.  72 Cal. App. 4th 830 (1999).  The product contained an ingredient (MSG) to which a substantial number of the population is allergic.  Id. at 832–33.  Also, the ingredient was one whose danger was not generally known, or if known was one which the consumer would reasonably not expect to find in the product, and where the defendant knew, or by the application of reasonable developed human skill and foresight should have known, of the presence of the ingredient and the danger.  Id.

[42] Villasenor, supra note 7.

[43] A product is defective because of inadequate warnings if the foreseeable risks of harm posed by the product could have been reduced by reasonable warnings by the seller or other distributor, and the lack of warnings renders the product not reasonably safe.  Restatement (Third) of Torts: Prod. Liab. § 2(c) (1998).

[44] Id. § 10.  The Supreme Court of Michigan ruled in Comstock v. General Motors Corp. that a manufacturer of an automobile (GM), the brakes of which were defective, had a duty to warn of the vehicle’s inherent danger, not only at the time of sale but any time shortly after the product entered the stream of commerce if a defect became known to the manufacturer and if a failure to give prompt warning of the known, latent defect imperiled life and limb.  99 N.W.2d 627, 636 (Mich. 1959).  In Hasson v. Ford Motor Co., the Supreme Court of California stated in its dicta that the manufacturer was negligent in failing to take into account (in designing its braking systems and advising on their maintenance) foreseeable brake abuse by drivers resulting in overheating of brakes.  564 P.2d 857, 870 (Cal. 1977).

[45] Villasenor, supra note 7.

[46] Owen, supra note 10, at 1677.

[47] Nev. Rev. Stat. § 482A.070 (2013).

[48] Id. § 482A.080.

[49] See Cal. Code Regs. tit. 13, § 227.44 (2014); Fla. Stat. §319.145 (2012); D.C. Code §50-2352 (2012) (outlining some vehicle and driver requirements for testing and/or operating autonomous vehicles).

[50] Nev. Rev. Stat. § 482A.080 (2013).

[51] Id. § 482A.070.  Autonomous vehicle drivers are required to be (a) seated in a position so that he can take immediate control of his vehicle, (b) able to monitor safe operation of the vehicle, and (c) capable of taking control over the autonomous vehicle in case of emergency.

[52] James M. Anderson et al., RAND Corp., Autonomous Vehicle Technology: A Guide for Policymakers 44–47 (2016), http://www.rand.org/content/dam/rand/pubs/research_reports/RR400/RR443-1/RAND_RR443-1.pdf.

[53] Nev. Rev. Stat. § 482A.080 (2013); D.C. Code §50-2352 (2012); Cal. Veh. Code § 38750(c) (2013); Fla. Stat. §319.145 (2012).

[54] Technology Law & Policy Clinic Autonomous Vehicles Team, Autonomous Vehicle Law Report and Recommendations to the ULC, U. Wash. Sch. L., https://www.law.washington.edu/Clinics/Technology/Reports/AutonomousVehicle.pdf, at 5 (last visited Apr. 8, 2017).

[55] Cal. Code Regs. tit. 13, § 227.44 (2014).

[56] Id. § 227.46.

[57] Nev. Admin. Code §482A.130 (2012).

[58] Id. § 482A.090.

[59] Id.

[60] “A manufacturer of automated technology is immune from civil liability for damages that arise out of any modification made by another person to a motor vehicle or an automated motor vehicle, or to any automated technology . . . .”  Mich. Admin. Code r. 257.817 (2013).  “The original manufacturer of a vehicle converted by a third party into an autonomous vehicle shall not be liable in any action resulting from a vehicle defect caused by the conversion of the vehicle, or by equipment installed by the converter, unless the alleged defect was present in the vehicle as originally manufactured.”  D.C. Code §50-2353 (2013).

[61] “One who sells any product in a defective condition unreasonably dangerous to the user or consumer or to his property is subject to liability for physical harm thereby caused to the ultimate user or consumer, or to his property, if (a) the seller is engaged in the business of selling such a product, and (b) it is expected to and does reach the user or consumer without substantial change in the condition in which it is sold.”  Restatement (Second) of Torts § 402A(1) (1965) (emphasis added).  However, a question remains: what constitutes a substantial change?  The Restatement leaves that question to the courts to decide.  See id. § 402A(1) cmt. p (commenting on varying degree of changes that can be made to a product without shifting the liability from the seller or manufacturer of the product to the party that made the changes).

[62] Villasenor, supra note 7.

[63] Davis v. Pak-Mor Mfg. Co. 672 N.E.2d 771, 775 (Ill. Ct. App. 1996); see also Woods v. Graham Eng’g Corp., 539 N.E.2d 316, 318  (Ill. Ct. App. 1989) (ruling that when a change or modification by a third party is foreseeable, liability will still be imposed on the original manufacturer); Hoyt v. Wood/Chuck Chipper Corp., 651 So.2d 1344, 1351 (La. Ct. App. 1995) (holding engine manufacturer not liable since it could not have anticipated plaintiff’s material alteration of the power unit).

[64] See Lavoie v. Power Auto, Inc., 312 P.3d 601, 608 (Or. Ct. App. 2013) (holding that changing a floor mat of a vehicle was a reasonably foreseeable modification/alteration that was a substantial contributing factor to the personal injury).  So in some states, automobile manufacturers will have to consider changing floor mats as one of the foreseeable “substantial” modifications that can cause automobile accidents.

[65] Cal. Veh. Code § 38750 (2015); see also Anderson et al., supra note 52, at 47.

[66] Gary E. Marchant & Rachel A. Lindor, The Coming Collision Between Autonomous Vehicles and the Liability System, 52 Santa Clara L. Rev. 1321, 1339 (2012).

[67] Bill Vlasic & Neil E. Boudette, Self-Driving Tesla Was Involved in Fatal Crash, U.S. Says, N.Y. Times (June 30, 2016), https://www.nytimes.com/2016/07/01/business/self-driving-tesla-fatal-crash-investigation.html.

[68] Id.

[69] Restatement (Third) of Torts § 10 cmt. a (1998).

[70] Sven A. Beiker, Legal Aspects of Autonomous Driving, 52 Santa Clara L. Rev. 1145, 1147–48 (2012).

[71] Bryant Walker Smith, Proximity-Driven Liability, 102 Geo. L.J. 1777, 1794 (2014).

[72] Id. at 1778.

[73] FAQ, Waymo, https://waymo.com/faq/ (last visited Apr. 8, 2017).

[74] 68 Am. Jur. 3d Proof of Facts § 8, at 333 (2002).

[75] Frances E. Zollers et al., No More Soft Landings for Software: Liability for Defects in an Industry that Has Come of Age, 21 Santa Clara Computer & High Tech. L.J. 745, 746 (2005).

[76] Id.

[77] Michael Ballaban, Mercedes, Google, Volvo to Accept Liability when Their Autonomous Cars Screw Up, Jalopnik (Oct. 7, 2015, 11:47 AM), http://jalopnik.com/mercedes-google-volvo-to-accept-liability-when-their-1735170893.

[78] The factors closely mimic that of the reasonable-person standard that reflects a cost-benefit approach supported by principles of utility and efficiency.  Owen, supra note 10, at 1677.  It also resembles the “Hand Formula” that uses a risk-calculating approach of judging one’s decision making.  United States v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir. 1947).

[79] John Gardner, The Many Faces of the Reasonable Person, N.Y.U. Sch. L., at 7­–8, http://www.law.nyu.edu/sites/default/files/upload_documents/The%20Many%20Faces%20of%20the%20Reasonable%20Person.pdf.

[80] Id.

[81] See Alex Davies, Obviously Drivers Are Already Abusing Tesla’s Autopilot, WIRED (Oct. 22, 2015, 7:00 AM), http://www.wired.com/2015/10/obviously-drivers-are-already-abusing-teslas-autopilot/ (noting that some drivers of autonomous vehicles are driving recklessly by pushing the limit of the autonomous vehicle technology).

[82] Federal Motor Vehicle Safety Standards and Regulations, Nat’l Highway Traffic Safety Admin., http://www.nhtsa.gov/cars/rules/import/FMVSS (last visited Apr. 8, 2017).

[83] The Hawaii House of Representatives’ bill for autonomous vehicle operation only includes safety requirements, minimum insurance coverage, and necessary equipment and performance standards that ensure safe operation.  H.R.B. No. 1458, 28th Leg. (Haw. 2015).  In addition, Nevada’s statute has not set forth autonomous vehicle requirements for operations, insurance, and minimum safety standards.  Nev. Rev. Stat. § 482A.100 (2013).

[84] 14 C.F.R. § 25.1329 (2016).

[85] Waymo, supra note 73.

[86] Your Autopilot Has Arrived, Tesla (Oct. 14, 2015), https://www.teslamotors.com/blog/your-autopilot-has-arrived.

[87] Neal E. Boudette, Tesla’s Self-Driving System Cleared in Deadly Crash, N.Y. Times (Jan. 19, 2017), https://www.nytimes.com/2017/01/19/business/tesla-model-s-autopilot-fatal-crash.html.

[88] See Sam Levin & Nicky Woolf, Tesla Driver Killed While Using Autopilot Was Watching Harry Potter, Witness Says, Guardian (July 1, 2016, 1:43 PM), https://www.theguardian.com/technology/2016/jul/01/tesla-driver-killed-autopilot-self-driving-car-harry-potter (noting that driver negligence may have contributed to the first fatal Tesla crash).

Apple Tells the Government to “Think Different” on Encryption

By Matt Weber*

Introduction

On December 2, 2015, a San Bernardino County Department of Health employee and his wife perpetrated the deadliest mass shooting since Newtown, killing 14 of his co-workers and injuring 21.[1]  Following the shooting, police investigated and pursued the suspects, eventually engaging in a firefight, killing both shooters.[2]  In the days and weeks following the shooting, law enforcement investigated the shooting, both to find the motive behind the shooting and to find any possible coconspirators.

On December 3, 2015, U.S. Magistrate Judge David Bristow issued a search warrant, giving law enforcement the power to search the shooters’ home and car. In the ensuing search, law enforcement officers found, among other things, an Apple iPhone 5c, which they later found to have been issued to one of the shooters by his San Bernardino County employer.[3]  Like they had done many times before, the FBI approached Apple with the iPhone it found in the suspect’s car, requesting that Apple extract the data from the seized iPhone—except this time, Apple could not comply with the request.[4]  Apple was unable to comply with the FBI’s request due to changes it had made to the iPhone Operating System (iOS) a year before, positioning Apple and the Federal Government for a clash that both had been preparing for since 2014.[5]

Background

Following Edward Snowden’s release of National Security Agency (NSA) files related to the U.S. Government’s mass surveillance of American citizens, American tech companies increased security on consumer devices.[6]  In September 2014, Apple unveiled iOS 8 (an upgrade to the iPhone and iPad operating system), which for the first time offered default encryption to its users.[7] Apple’s encryption allows a user to set a passcode that, once set, is entangled with the iPhone’s Unique ID (UID),”[8]  which together, form the phone’s encryption key.[9] Because the encryption key is based on both the user’s passcode and the iPhone’s UID, it is unknown to Apple, and virtually impossible to crack.[10]  Understanding the relative impossibility of cracking encryption on consumer devices, the U.S. Government began to attempt to convince tech companies to provide law enforcement with assistance in unlocking encrypted phones (subject to a court order), something that most tech companies have thus far been unwilling to do.[11]  Because Apple’s method of encryption includes the user selected passcode in the key, Apple cannot decrypt a suspect’s phone.[12]

The iPhone

On February 16, 2016, the United States Attorney requested an order (that was later granted[13]) compelling Apple to assist in the unlocking of the San Bernardino shooter’s phone.[14]  Instead of obtaining an order for Apple to break its encryption (an order the FBI understands that Apple would be technically incapable of complying with), the FBI requested an order requiring Apple to assist in the unlocking of the phone.[15]  The court order compels Apple to write software that bypasses two of the iPhone’s security features, (1) a delay introduced when an incorrect passcode is entered,[16] and (2) a self-destruct feature by which an iPhone destroys its data after 10 incorrect passcode attempts.[17]

This order—if complied with—would allow the FBI to connect the shooter’s updated[18] iPhone to a computer, which has a program capable of guessing all the possible passcode combinations[19], without the delay or possibility of wiping.[20]  Apple has decided to fight the order, though it should be noted that Apple has assisted the FBI’s investigation, providing the Bureau with all the data the shooter backed-up to the iCloud[21] prior to turning off the iPhone’s auto-backup to the cloud.[22]

The order compelling Apple to write the above referenced software is based primarily on the 1789 All Writs Act (“the Act”), which allows courts to “issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”[23]  In this case, the government requests that the court compel Apple to assist in the satisfying of a lawful search warrant, by which the court gave the government the power to search the suspect’s iPhone 5c.[24]  This order—which Apple CEO Tim Cook has argued to be unprecedented in a statement released on the company’s website[25]—set the government and Apple on a collision course, in a battle that both the tech industry and law enforcement community had been expecting since tech companies began offering relatively unbreakable encryption on consumer devices.[26]

Issue: Using the All Writs Act

Historically, the Act has been used by courts to effectuate their lawful orders when there has been no statutory framework to follow.[27] The government’s motion cites cases in which the Act was used by courts to compel parties to assist in the effecting of court orders—suggesting that Apple be similarly required to assist technically in the search of the phone, pursuant to the court’s order.[28] Unlike the cases cited by the government, Apple in this case is being required to create a new operating system, pursuant to the government’s unique specifications.[29] The government argues that because Apple’s devices cannot be updated without a unique “digital signature,”[30] it has ensured that it cannot be seen as “far removed”[31] from the matter. The government notes in the memorandum of points and authorities to its motion to compel, that Apple’s assistance is necessary based on its unique ability to “cryptographically sign code,”[32] leading the government to request that Apple write the specific code, and upload it onto the iPhone in question.

Analysis

Government Arguments

In its application for an order compelling Apple’s assistance in unlocking the seized iPhone, the Government argued that the Act gave the court the power to mandate Apple’s assistance[33]  The Government argued that the Act can require “a third party to provide nonburdensome technical assistance,” citing the Supreme Court in United States v. New York Telephone Co.[34]  The Court in that case created a three factor test for determining whether it could compel action by a third party using the Act, (1) whether a party is far removed from the controversy, (2) whether requiring action would impose an undue burden on the part, and (3) whether the assistance from the party was necessary for the successful fulfilling of the underlying court order (in this case a search warrant for the iPhone).[35]

The government argued that it met the three step test imposed by the Court in New York Telephone Co., first arguing that Apple was not far removed from the unlocking of the iPhone.[36]  The government argued that because Apple “designed, manufactured and sold the [iPhone] and wrote and owns the [operating system],” it cannot be seen as far removed from the controversy.[37]  The government further argues that Apple cannot be far removed because it is the only party able to update the software[38]  in a way that would comply with the court’s order.[39] The government’s argument is supported by the Supreme Court’s decision in New York Telephone Co., which held that a non-governmental third party can be compelled to act when its “facilities were being employed to facilitate a criminal enterprise.”[40]

The government next argues that the order is not unduly burdensome for Apple. The government points to Apple’s regular business of writing software code to suggest that it cannot now claim that writing a specific code would impose an undue burden.[41]

Lastly, the Government argues that it meets the necessity requirement because Apple has created a situation whereby it is the only entity that can write software to update its iOS.[42]  Because iPhones require Apple’s crypto-signature, Apple’s assistance is required to effectuate the search warrant. The government notes that it is not requesting that Apple provide the unencrypted contents of the phone, but instead that it simply assist in the Government’s testing of passcodes to unlock the phone.[43]

Apple Arguments

Apple responded to the Government’s motion to compel by arguing that it should not be required to further comply with the governments request.[44]  Because it (1) relies on a misapplication of the Act, (2) violates the First Amendment by compelling speech by Apple, and (3) violates the Fifth Amendment’s due process clause.[45]

Apple’s argument is generally centered on the Government’s improper application of the Act. When deciding whether to apply the Act, the Supreme Court held that when a statute addresses an underlying issue specifically, that statute, and not the Act is “controlling.”[46]  Apple first argues that the Act cannot require the action requested by the Government, suggesting that the Act allows for courts to “fill in gaps in the law” to exercise the power they already have, but not the “free-wheeling” ability to change existing law.[47] Apple argues that the court lacks the authority to compel it to comply with the order because Congress contemplated (when passing the Communications Assistance for Law Enforcement Act) bestowing upon courts the power to require such a compulsion, but ultimately chose to exempt manufacturers of telecommunications equipment[48] from implementing “any specific design of equipment . . . features, or system configurations.”[49]

Facing new challenges to law enforcement’s ability to fight crime, Congress, in 1994, passed the Communications Assistance for Law Enforcement Act (“CALEA”).[50]  CALEA grants law enforcement investigative powers, but also limits what can be required from manufacturers and service providers.[51] When passing CALEA, Congress had the chance address whether it would require companies to assist law enforcement in the in the manner being requested by the FBI—but ultimately chose not to make any such requirement. In fact, CALEA provides that telecommunications carriers (which Apple points out that it is not) are not required to decrypt or “ensur[e] the government’s ability to decrypt” unless the communication was encrypted by the carrier (and even then the carrier must “possesses the information necessary to decrypt”—which Apple does not).[52]  Congress’ inclusion of some language related to encryption but omission of requirements to compel assistance in decryption implies that it considered such a compulsion but ultimately rejected it.

Apple argues that CALEA specifically addresses whether to require manufacturers and service providers to aid decryption.[53]  Because CALEA speaks on the specific matter, the Act should not be the statute to rule, but instead should be trumped by CALEA’s provisions. The Supreme Court held in Pennsylvania Bureau of Corrections v. U.S. Marshall Service that the Act does not allow courts to issue writs when compliance with existing statutes would be simply “inconvenient or less appropriate,”[54] as CALEA would be in this situation.

Apple next addresses the Government’s use of United States v. New York Telephone Co., ultimately drawing distinctions between the government’s requests here and those of the Telephone Company in New York Telephone Co.[55]  Apple argues that the government does not show that it satisfies the three-part test provided by the Court in New York Telephone.

First, Apple is too far removed from the underlying case. Unlike the the telephone company, which owned the lines being allegedly used to “facilitate a criminal enterprise on a continuing basis,”[56] Apple contends that it is a private company that does not own the phones or have any connection to the data on the phone. Second, the government’s request would impose an “unprecedented and oppressive burden” on Apple. While the telephone company was required assist the government in their installing of pen registers[57]–a device that telephone companies used frequently in conducting their normal business[58]–  in the instant case, the government is asking Apple to create an entirely new operating system in an effort to assist the government’s attempts to unlock the phone. Apple asserts that such an undertaking violated the Act’s prohibition against adversely affecting the third party or imposing an under burden. Third, Apple contends that its assistance is only necessary because of the actions of the FBI earlier in its investigation.[59] While the court suggested in New York Telephone that there was “no conceivable way” for the FBI to successfully carry out its court-ordered investigation, Apple argues that here, the FBI did not face such a situation, but instead, through its own actions created a need to turn to the Act.

Conclusion

It seems that both Apple and the government foresaw this potential clash coming since Apple (and other tech companies) began encrypting devices sold to consumers. Many in the media have questioned if this was the right test case for either side.[60]  For the government, it seems to be a good test case because the crime is question is terrorism related, and the underlying crime was well reported and remains in the minds of the American public.[61]  Unfortunately, for the government, there is no time issue—while the phone might help in the investigation of a crime, there does not seem to be a pressing need for the phone to be unlocked immediately.[62] For Apple, the case does not seem to the best test case for whether it should be required to assist in the unlocking of one of its devices because the suspect is widely assumed to be guilty of the heinous murder of 14 co-workers.[63] It has also been noted that this particular iPhone model is not one which Apple should be fighting over as it is not the most up-to-date phone or software, and the government-requested solution would not work on future iPhone models.[64]

At least in public opinion, Apple may benefit from standing by its customers, claiming that writing the software requested by the government would unnecessarily put all iOS users at risk,[65] Tim Cook noted in his open letter to customers that “They have asked us to build a backdoor to the iPhone.”[66]

On March 21, 2016 (the day before the hearing on the order), the Government submitted an ex parte application for a continuance, requesting that the court continue the hearing to April 5, 2016.[67] The Government requested the continuance because, since initially requesting the hearing, a third party approached the FBI suggesting that the party had a different method to unlock the phone.[68]  This new method, if successful, would not only make Apple’s assistance unnecessary, but destroy the Government’s argument under the Act. The Government requested additional time to test the new method before deciding whether it has eliminated the need for Apple’s assistance.

While this might appear to be an opportunity for both sides to take a step back and devise a procedure moving forward, it is likely only pushing this issue down the road. Apple’s newest phones are not as easy to break into (at least not using this type of method),[69]which might lead the government to move towards mandating backdoors. While it is unclear where either party goes moving forward, it is clear that this fight is far from over, it is all but certain that the Government will come back with another request for Apple to build, as Tim Cook described it, “something . . . too dangerous to create.”[70]

 


*Matt Weber. University of Illinois College of Law, J.D. candidate, Class of 2017. Many thanks to my parents, my sister Ashley and her husband Leigh. Thanks to JLTP Editors Iman Naim and Winston Zishu for their help and guidance. Gracias también a los Xeneizes and Albiceleste.

[1] Erik Ortiz, San Bernardino Shooting: Timeline of How the Rampage Unfolded, NBCNews (Dec. 3, 2015, 11:28 PM), http://www.nbcnews.com/storyline/san-bernardino-shooting/san-bernardino-shooting-timeline-how-rampage-unfolded-n473501.

[2] Id.

[3] Elliot Hannon, Judge Orders Apple to Help FBI Hack San Bernardino Shooter’s Phone, Slate (FEB. 16, 2016, 8:43 PM), http://www.slate.com/blogs/the_slatest/2016/02/16/judge_orders_apple_to_help_fbi_unlock_san_bernardino_shooter_s_phone.html; Fred Kaplan, How Apple’s Stand Against the FBI Could Backfire, Slate (Feb. 19, 2016, 6:26 PM), http://www.slate.com/articles/technology/future_tense/2016/02/how_apple_ceo_tim_cook_s_stand_against_the_fbi_could_backfire.html.

[4] Will Oremus, Apple vs. The FBI, Slate (Feb. 17, 2016, 7:44 PM), http://www.slate.com/articles/technology/future_tense/2016/02/apple_s_stand_against_the_fbi_is_courageous_it_s_also_good_for_apple.html; Ben Thompson, Apple Versus the FBI, Understanding iPhone Encryption, the Risks for Apple and Encryption, stratechery (Feb. 17, 2016), https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption.

[5] Apple Statement; Marcy Wheeler, Why This iPhone?, Slate (Feb. 19, 2016, 1:26 PM), http://www.slate.com/articles/technology/future_tense/2016/02/the_apple_fbi_encryption_battle_is_over_an_iphone_unlikely_to_yield_critical.html.

[6] Danny Yadron, Spencer Ackerman and Sam Thielman, Inside the FBI’s Encryption Battle with Apple, The Guardian (Feb. 18, 2016), http://www.theguardian.com/technology/2016/feb/17/inside-the-fbis-encryption-battle-with-apple.

[7] Cyrus Farivar, Apple Expands Data Encryption Under iOS 8, Making Handover to Cops Moot, arstechnica (Sep. 17, 2014, 9:57 PM), http://arstechnica.com/apple/2014/09/apple-expands-data-encryption-under-ios-8-making-handover-to-cops-moot/.

[8] See, Apple Inc., iOS Security, Apple Inc. (Sep. 2014), https://assets.documentcloud.org/documents/1302613/ios-security-guide-sept-2014.pdf (describing the UID as a number, set during the manufacturing process that Apple itself does not record); Ben Thompson, Apple Versus the FBI, Understanding iPhone Encryption, the Risks for Apple and Encryption, stratechery (Feb. 17, 2016), https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption.

[9] Ben Thompson, Apple Versus the FBI, Understanding iPhone Encryption, the Risks for Apple and Encryption, stratechery (Feb. 17, 2016), https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption.

[10] See, Mohit Arora, How Secure is AES Against Brute Force Attacks?, EETimes (May, 7, 2012, 5:29 PM), http://www.eetimes.com/document.asp?doc_id=1279619. (Explaining that using AES 256, an encryption key used by the iPhone would be 256 characters long, meaning there are 2256 combinations. Assuming a computer powerful enough to guess 33.86 X 1012/second (using the world’s fastest super computer, the Tianhe-2), it would take about 1.03 X 1055 years on average to crack an AES 256 key. For perspective, the Earth is 4.5 X 109 years old.).

[11] Andrew Crocker, Judge to DOJ: Not All Writs, Electronic Frontier Foundation (Oct. 12, 2015), https://www.eff.org/deeplinks/2015/10/judge-doj-not-all-writs.

[12] See, Apple Inc., iOS Security, Apple Inc. (Sep. 2014), https://assets.documentcloud.org/documents/1302613/ios-security-guide-sept-2014.pdf (explaining that the user-selected passcode is entangled with the UID to create an encryption key, that Apple does not have access to); Dan Guido, Apple Can Comply with the FBI Court Order, Trail of Bits Blog (Feb. 17, 2016), http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order; Ben Thompson, Apple Versus the FBI, Understanding iPhone Encryption, the Risks for Apple and Encryption, stratechery (Feb. 17, 2016), https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption.

[13] Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[14] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[15] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[16] See, Apple Inc., iOS Security, Apple Inc. (Sep. 2014), https://www.apple.com/business/docs/iOS_Security_Guide.pdf, 12 (explaining key security features, the delay, triggered after 4 incorrect passcode attempts imposes a 1-minute delay after the 5th incorrect attempt, a 5-minute delay after the 6th incorrect attempt, a 15-minute delay after the 7th and 8th incorrect attempts, and a 1-hour delay after the 9th incorrect attempt.).

[17] See, Apple Inc., iOS Security, Apple Inc. (Sep. 2014), https://www.apple.com/business/docs/iOS_Security_Guide.pdf, 12 (explaining key security features, the iPhone can be set to wipe all its data after the 10th incorrect passcode attempt. This wipe is achieved by discarding the encryption key from accessible memory, making the entire hard-disk unintelligible.).

[18] Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016) (Apple would upload a custom operating system to the shooter’s phone modifying security settings—though not specifically decrypting.).

[19] 10,000 possible combinations for a 4-digit numeric passcode, or 1 Million possible combinations for a 6-digit numeric passcode.

[20] See, Apple Inc., iOS Security, Apple Inc. (Sep. 2014), https://www.apple.com/business/docs/iOS_Security_Guide.pdf, 12 (explaining that even without the delay, the iteration counter imposes an 80 millisecond delay, therefore, all the possible combinations could theoretically be guessed in under 5 hours.).

[21] Apple Inc’s Motion to Vacate Order Compelling Apple Inc. To Assist Agents in Search at 11, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016); Amy Davidson, The Dangerous All Writs Act Precedent in the Apple Encryption Case, The New Yorker (Feb. 19, 2016), http://www.newyorker.com/news/amy-davidson/a-dangerous-all-writ-precedent-in-the-apple-case.

[22] Amy Davidson, The Dangerous All Writs Act Precedent in the Apple Encryption Case, The New Yorker (Feb. 19, 2016), http://www.newyorker.com/news/amy-davidson/a-dangerous-all-writ-precedent-in-the-apple-case.

[23] 28 U.S.C. § 1651 (2012).

[24] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[25] Tim Cook, Customer Letter, Apple Inc. (Feb. 16, 2016) http://www.apple.com/customer-letter/ (“The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.”).

[26] Danny Yadron, Spencer Ackerman and Sam Thielman, Inside the FBI’s Encryption Battle with Apple, The Guardian (Feb. 18, 2016), http://www.theguardian.com/technology/2016/feb/17/inside-the-fbis-encryption-battle-with-apple.

[27] Andrew Crocker, Judge to DOJ: Not All Writs, Electronic Frontier Foundation (Oct. 12, 2015), https://www.eff.org/deeplinks/2015/10/judge-doj-not-all-writs.

[28] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[29] Id.

[30] Apple’s unique encryption key—without which, a phone cannot be updated.

[31] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016) (pointing to United States v. New York Tel. Co., 434 U.S. 159, 174 (1977).).

[32] Government’s Motion to Compel Apple Inc. To Comply with this Court’s February 16, 2016 Order Compelling Assistance in Search, at 17, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[33] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, at 17, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[34] Government’s Motion to Compel Apple Inc. To Comply with this Court’s February 16, 2016 Order Compelling Assistance in Search, at 11-12, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[35] United States v. New York Tel. Co., 434 U.S. 159, 175-75 (1977).

[36] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, at 13, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[37] Id.

[38] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, at 13, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016) (“The same software Apple is uniquely able to modify . . . Especially but not only because iPhones will only run software cryptographically signed by Apple . . .”).

[39] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, at 13, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[40] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, at 13-14, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016) (quoting New York Telephone Co., 434 U.S. at 174); Government’s Motion to Compel Apple Inc. To Comply with this Court’s February 16, 2016 Order Compelling Assistance in Search, at 8, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[41] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, at 14-16, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[42] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, at 16, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[43] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[44] Apple notes that it has already assisted the government in their investigation; Mikey Campbell, FBI Contacted Apple, Received Data Related to San Bernardino Case 3 days After Shooting, appleinsider (Feb. 27, 2016, 12:39 AM), http://appleinsider.com/articles/16/02/27/fbi-contacted-apple-received-data-related-to-san-bernardino-case-3-days-after-shooting-.

[45] Apple Inc’s Motion to Vacate Oder Compelling Apple Inc to Assist Agents in Search, and Opposition to Government’s Motion to Compel Assistance, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[46] Pa. Bureau of Corr. v. United States Marshals Serv., 474 U.S. 34, 43 (1985) (“The All Writs Act is a residual source of authority to issue writs that are not otherwise covered by statute. Where a statute specifically addresses the particular issue at hand, it is that authority, and not the All Writs Act, that is controlling. Although that Act empowers federal courts to fashion extraordinary remedies when the need arises, it does not authorize them to issue ad hoc writs whenever compliance with statutory procedures appears inconvenient or less appropriate.”).

[47] Apple Inc’s Motion to Vacate Oder Compelling Apple Inc to Assist Agents in Search, and Opposition to Government’s Motion to Compel Assistance, at 14, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[48] Apple Inc’s Motion to Vacate Oder Compelling Apple Inc to Assist Agents in Search, and Opposition to Government’s Motion to Compel Assistance, at 16, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[49] 47 U.S.C. § 1002(b)(1) (2012). (“This subchapter does not authorize any law enforcement agency or officer—

(A) to require any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services; or

(B) to prohibit the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.”) [emphasis added].

[50] Id.

[51] 47 U.S.C. § 1002(b) (2012).

[52] 47 U.S.C. § 1002(b)(3) (2012).

[53] Apple Inc’s Motion to Vacate Oder Compelling Apple Inc to Assist Agents in Search, and Opposition to Government’s Motion to Compel Assistance, at 6-8, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[54] Pa. Bureau of Corr. v. United States Marshals Serv., 474 U.S. 34, 43 (1985).

[55] New York Telephone Co., 434 U.S. at 159.

[56] Id. at 174.

[57] A device used to record phone numbers dialed on specific phone lines.

[58] New York Telephone Co., 434 U.S. at 174-75 (Court notes that the phone company regularly used pen registers in normal operations).

[59] Apple Inc’s Motion to Vacate Oder Compelling Apple Inc to Assist Agents in Search, and Opposition to Government’s Motion to Compel Assistance, at 11, fn. 21, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).(The FBI has acknowledged that it worked with the phone’s owner (San Bernardino County) to reset the the iCloud password in an effort to unlock the iCloud backup. Apple argues that had the county and the FBI not reset the password, “this litigation may not have been necessary,” as it could have initiated a remote backup of the phone and subsequently produced an updated backup to investigators.).

[60] Fred Kaplan, How Apple’s Stand Against the FBI Could Backfire, Slate (Feb. 19, 2016, 6:26 PM), http://www.slate.com/articles/technology/future_tense/2016/02/how_apple_ceo_tim_cook_s_stand_against_the_fbi_could_backfire.html; Marcy Wheeler, Why This iPhone?, Slate (Feb. 19, 2016, 1:26 PM), http://www.slate.com/articles/technology/future_tense/2016/02/the_apple_fbi_encryption_battle_is_over_an_iphone_unlikely_to_yield_critical.html.

[61] Id.

[62] Tim Cook, Customer Letter, Apple Inc. (Feb. 16, 2016) http://www.apple.com/customer-letter/; Marcy Wheeler, Why This iPhone?, Slate (Feb. 19, 2016, 1:26 PM), http://www.slate.com/articles/technology/future_tense/2016/02/the_apple_fbi_encryption_battle_is_over_an_iphone_unlikely_to_yield_critical.html.

[63] Fred Kaplan, How Apple’s Stand Against the FBI Could Backfire, Slate (Feb. 19, 2016, 6:26 PM), http://www.slate.com/articles/technology/future_tense/2016/02/how_apple_ceo_tim_cook_s_stand_against_the_fbi_could_backfire.html; Will Oremus, Irate DOJ Dismisses Apple’s Fight with the FBI as a “Brand Marketing Strategy”, Slate (Feb. 19, 2016, 6:02 PM), http://www.slate.com/blogs/future_tense/2016/02/19/department_of_justice_motion_mocks_apple_s_fbi_fight_as_a_brand_marketing.html; Kaveh Waddell, The Optics of Apple’s Encryption Fight, The Atlantic (Feb. 17, 2016), http://www.theatlantic.com/technology/archive/2016/02/why-apple-is-fighting-the-fbi/463260.

[64] Dan Guido, Apple Can Comply with the FBI Court Order, Trail of Bits Blog (Feb. 17, 2016), http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order; Ben Thompson, Apple Versus the FBI, Understanding iPhone Encryption, the Risks for Apple and Encryption, stratechery (Feb. 17, 2016), https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption.

[65] Tim Cook, Customer Letter, Apple Inc. (Feb. 16, 2016) http://www.apple.com/customer-letter/; Will Oremus, Apple vs. The FBI, Slate (Feb. 17, 2016, 7:44 PM), http://www.slate.com/articles/technology/future_tense/2016/02/apple_s_stand_against_the_fbi_is_courageous_it_s_also_good_for_apple.html.

[66] Tim Cook, Customer Letter, Apple Inc. (Feb. 16, 2016) http://www.apple.com/customer-letter/.

[67] Government’s Ex Parte Application for a Continuance, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[68] Id.

[69] See, Apple Inc., iOS Security, Apple Inc. (Sep. 2014), https://www.apple.com/business/docs/iOS_Security_Guide.pdf, 4-7 (describing the “Secure Enclave” on newer iOS devices).

[70] Tim Cook, Customer Letter, Apple Inc. (Feb. 16, 2016) http://www.apple.com/customer-letter/.