Apple – Timely Tech

September 7, 2016October 16, 2016

Apple Tells the Government to “Think Different” on Encryption

By Matt Weber*

Introduction

On December 2, 2015, a San Bernardino County Department of Health employee and his wife perpetrated the deadliest mass shooting since Newtown, killing 14 of his co-workers and injuring 21.[1] Following the shooting, police investigated and pursued the suspects, eventually engaging in a firefight, killing both shooters.[2] In the days and weeks following the shooting, law enforcement investigated the shooting, both to find the motive behind the shooting and to find any possible coconspirators.

On December 3, 2015, U.S. Magistrate Judge David Bristow issued a search warrant, giving law enforcement the power to search the shooters’ home and car. In the ensuing search, law enforcement officers found, among other things, an Apple iPhone 5c, which they later found to have been issued to one of the shooters by his San Bernardino County employer.[3] Like they had done many times before, the FBI approached Apple with the iPhone it found in the suspect’s car, requesting that Apple extract the data from the seized iPhone—except this time, Apple could not comply with the request.[4] Apple was unable to comply with the FBI’s request due to changes it had made to the iPhone Operating System (iOS) a year before, positioning Apple and the Federal Government for a clash that both had been preparing for since 2014.[5]

Background

Following Edward Snowden’s release of National Security Agency (NSA) files related to the U.S. Government’s mass surveillance of American citizens, American tech companies increased security on consumer devices.[6] In September 2014, Apple unveiled iOS 8 (an upgrade to the iPhone and iPad operating system), which for the first time offered default encryption to its users.[7] Apple’s encryption allows a user to set a passcode that, once set, is entangled with the iPhone’s Unique ID (UID),”[8] which together, form the phone’s encryption key.[9] Because the encryption key is based on both the user’s passcode and the iPhone’s UID, it is unknown to Apple, and virtually impossible to crack.[10] Understanding the relative impossibility of cracking encryption on consumer devices, the U.S. Government began to attempt to convince tech companies to provide law enforcement with assistance in unlocking encrypted phones (subject to a court order), something that most tech companies have thus far been unwilling to do.[11] Because Apple’s method of encryption includes the user selected passcode in the key, Apple cannot decrypt a suspect’s phone.[12]

The iPhone

On February 16, 2016, the United States Attorney requested an order (that was later granted[13]) compelling Apple to assist in the unlocking of the San Bernardino shooter’s phone.[14] Instead of obtaining an order for Apple to break its encryption (an order the FBI understands that Apple would be technically incapable of complying with), the FBI requested an order requiring Apple to assist in the unlocking of the phone.[15] The court order compels Apple to write software that bypasses two of the iPhone’s security features, (1) a delay introduced when an incorrect passcode is entered,[16] and (2) a self-destruct feature by which an iPhone destroys its data after 10 incorrect passcode attempts.[17]

This order—if complied with—would allow the FBI to connect the shooter’s updated[18] iPhone to a computer, which has a program capable of guessing all the possible passcode combinations[19], without the delay or possibility of wiping.[20] Apple has decided to fight the order, though it should be noted that Apple has assisted the FBI’s investigation, providing the Bureau with all the data the shooter backed-up to the iCloud[21] prior to turning off the iPhone’s auto-backup to the cloud.[22]

The order compelling Apple to write the above referenced software is based primarily on the 1789 All Writs Act (“the Act”), which allows courts to “issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”[23] In this case, the government requests that the court compel Apple to assist in the satisfying of a lawful search warrant, by which the court gave the government the power to search the suspect’s iPhone 5c.[24] This order—which Apple CEO Tim Cook has argued to be unprecedented in a statement released on the company’s website[25]—set the government and Apple on a collision course, in a battle that both the tech industry and law enforcement community had been expecting since tech companies began offering relatively unbreakable encryption on consumer devices.[26]

Issue: Using the All Writs Act

Historically, the Act has been used by courts to effectuate their lawful orders when there has been no statutory framework to follow.[27] The government’s motion cites cases in which the Act was used by courts to compel parties to assist in the effecting of court orders—suggesting that Apple be similarly required to assist technically in the search of the phone, pursuant to the court’s order.[28] Unlike the cases cited by the government, Apple in this case is being required to create a new operating system, pursuant to the government’s unique specifications.[29] The government argues that because Apple’s devices cannot be updated without a unique “digital signature,”[30] it has ensured that it cannot be seen as “far removed”[31] from the matter. The government notes in the memorandum of points and authorities to its motion to compel, that Apple’s assistance is necessary based on its unique ability to “cryptographically sign code,”[32] leading the government to request that Apple write the specific code, and upload it onto the iPhone in question.

Analysis

Government Arguments

In its application for an order compelling Apple’s assistance in unlocking the seized iPhone, the Government argued that the Act gave the court the power to mandate Apple’s assistance[33] The Government argued that the Act can require “a third party to provide nonburdensome technical assistance,” citing the Supreme Court in United States v. New York Telephone Co.[34] The Court in that case created a three factor test for determining whether it could compel action by a third party using the Act, (1) whether a party is far removed from the controversy, (2) whether requiring action would impose an undue burden on the part, and (3) whether the assistance from the party was necessary for the successful fulfilling of the underlying court order (in this case a search warrant for the iPhone).[35]

The government argued that it met the three step test imposed by the Court in New York Telephone Co., first arguing that Apple was not far removed from the unlocking of the iPhone.[36] The government argued that because Apple “designed, manufactured and sold the [iPhone] and wrote and owns the [operating system],” it cannot be seen as far removed from the controversy.[37] The government further argues that Apple cannot be far removed because it is the only party able to update the software[38] in a way that would comply with the court’s order.[39] The government’s argument is supported by the Supreme Court’s decision in New York Telephone Co., which held that a non-governmental third party can be compelled to act when its “facilities were being employed to facilitate a criminal enterprise.”[40]

The government next argues that the order is not unduly burdensome for Apple. The government points to Apple’s regular business of writing software code to suggest that it cannot now claim that writing a specific code would impose an undue burden.[41]

Lastly, the Government argues that it meets the necessity requirement because Apple has created a situation whereby it is the only entity that can write software to update its iOS.[42] Because iPhones require Apple’s crypto-signature, Apple’s assistance is required to effectuate the search warrant. The government notes that it is not requesting that Apple provide the unencrypted contents of the phone, but instead that it simply assist in the Government’s testing of passcodes to unlock the phone.[43]

Apple Arguments

Apple responded to the Government’s motion to compel by arguing that it should not be required to further comply with the governments request.[44] Because it (1) relies on a misapplication of the Act, (2) violates the First Amendment by compelling speech by Apple, and (3) violates the Fifth Amendment’s due process clause.[45]

Apple’s argument is generally centered on the Government’s improper application of the Act. When deciding whether to apply the Act, the Supreme Court held that when a statute addresses an underlying issue specifically, that statute, and not the Act is “controlling.”[46] Apple first argues that the Act cannot require the action requested by the Government, suggesting that the Act allows for courts to “fill in gaps in the law” to exercise the power they already have, but not the “free-wheeling” ability to change existing law.[47] Apple argues that the court lacks the authority to compel it to comply with the order because Congress contemplated (when passing the Communications Assistance for Law Enforcement Act) bestowing upon courts the power to require such a compulsion, but ultimately chose to exempt manufacturers of telecommunications equipment[48] from implementing “any specific design of equipment . . . features, or system configurations.”[49]

Facing new challenges to law enforcement’s ability to fight crime, Congress, in 1994, passed the Communications Assistance for Law Enforcement Act (“CALEA”).[50] CALEA grants law enforcement investigative powers, but also limits what can be required from manufacturers and service providers.[51] When passing CALEA, Congress had the chance address whether it would require companies to assist law enforcement in the in the manner being requested by the FBI—but ultimately chose not to make any such requirement. In fact, CALEA provides that telecommunications carriers (which Apple points out that it is not) are not required to decrypt or “ensur[e] the government’s ability to decrypt” unless the communication was encrypted by the carrier (and even then the carrier must “possesses the information necessary to decrypt”—which Apple does not).[52] Congress’ inclusion of some language related to encryption but omission of requirements to compel assistance in decryption implies that it considered such a compulsion but ultimately rejected it.

Apple argues that CALEA specifically addresses whether to require manufacturers and service providers to aid decryption.[53] Because CALEA speaks on the specific matter, the Act should not be the statute to rule, but instead should be trumped by CALEA’s provisions. The Supreme Court held in Pennsylvania Bureau of Corrections v. U.S. Marshall Service that the Act does not allow courts to issue writs when compliance with existing statutes would be simply “inconvenient or less appropriate,”[54] as CALEA would be in this situation.

Apple next addresses the Government’s use of United States v. New York Telephone Co., ultimately drawing distinctions between the government’s requests here and those of the Telephone Company in New York Telephone Co.[55] Apple argues that the government does not show that it satisfies the three-part test provided by the Court in New York Telephone.

First, Apple is too far removed from the underlying case. Unlike the the telephone company, which owned the lines being allegedly used to “facilitate a criminal enterprise on a continuing basis,”[56] Apple contends that it is a private company that does not own the phones or have any connection to the data on the phone. Second, the government’s request would impose an “unprecedented and oppressive burden” on Apple. While the telephone company was required assist the government in their installing of pen registers[57]–a device that telephone companies used frequently in conducting their normal business[58]– in the instant case, the government is asking Apple to create an entirely new operating system in an effort to assist the government’s attempts to unlock the phone. Apple asserts that such an undertaking violated the Act’s prohibition against adversely affecting the third party or imposing an under burden. Third, Apple contends that its assistance is only necessary because of the actions of the FBI earlier in its investigation.[59] While the court suggested in New York Telephone that there was “no conceivable way” for the FBI to successfully carry out its court-ordered investigation, Apple argues that here, the FBI did not face such a situation, but instead, through its own actions created a need to turn to the Act.

Conclusion

It seems that both Apple and the government foresaw this potential clash coming since Apple (and other tech companies) began encrypting devices sold to consumers. Many in the media have questioned if this was the right test case for either side.[60] For the government, it seems to be a good test case because the crime is question is terrorism related, and the underlying crime was well reported and remains in the minds of the American public.[61] Unfortunately, for the government, there is no time issue—while the phone might help in the investigation of a crime, there does not seem to be a pressing need for the phone to be unlocked immediately.[62] For Apple, the case does not seem to the best test case for whether it should be required to assist in the unlocking of one of its devices because the suspect is widely assumed to be guilty of the heinous murder of 14 co-workers.[63] It has also been noted that this particular iPhone model is not one which Apple should be fighting over as it is not the most up-to-date phone or software, and the government-requested solution would not work on future iPhone models.[64]

At least in public opinion, Apple may benefit from standing by its customers, claiming that writing the software requested by the government would unnecessarily put all iOS users at risk,[65] Tim Cook noted in his open letter to customers that “They have asked us to build a backdoor to the iPhone.”[66]

On March 21, 2016 (the day before the hearing on the order), the Government submitted an ex parte application for a continuance, requesting that the court continue the hearing to April 5, 2016.[67] The Government requested the continuance because, since initially requesting the hearing, a third party approached the FBI suggesting that the party had a different method to unlock the phone.[68] This new method, if successful, would not only make Apple’s assistance unnecessary, but destroy the Government’s argument under the Act. The Government requested additional time to test the new method before deciding whether it has eliminated the need for Apple’s assistance.

While this might appear to be an opportunity for both sides to take a step back and devise a procedure moving forward, it is likely only pushing this issue down the road. Apple’s newest phones are not as easy to break into (at least not using this type of method),[69]which might lead the government to move towards mandating backdoors. While it is unclear where either party goes moving forward, it is clear that this fight is far from over, it is all but certain that the Government will come back with another request for Apple to build, as Tim Cook described it, “something . . . too dangerous to create.”[70]

*Matt Weber. University of Illinois College of Law, J.D. candidate, Class of 2017. Many thanks to my parents, my sister Ashley and her husband Leigh. Thanks to JLTP Editors Iman Naim and Winston Zishu for their help and guidance. Gracias también a los Xeneizes and Albiceleste.

[1] Erik Ortiz, San Bernardino Shooting: Timeline of How the Rampage Unfolded, NBCNews (Dec. 3, 2015, 11:28 PM), http://www.nbcnews.com/storyline/san-bernardino-shooting/san-bernardino-shooting-timeline-how-rampage-unfolded-n473501.

[2] Id.

[3] Elliot Hannon, Judge Orders Apple to Help FBI Hack San Bernardino Shooter’s Phone, Slate (FEB. 16, 2016, 8:43 PM), http://www.slate.com/blogs/the_slatest/2016/02/16/judge_orders_apple_to_help_fbi_unlock_san_bernardino_shooter_s_phone.html; Fred Kaplan, How Apple’s Stand Against the FBI Could Backfire, Slate (Feb. 19, 2016, 6:26 PM), http://www.slate.com/articles/technology/future_tense/2016/02/how_apple_ceo_tim_cook_s_stand_against_the_fbi_could_backfire.html.

[4] Will Oremus, Apple vs. The FBI, Slate (Feb. 17, 2016, 7:44 PM), http://www.slate.com/articles/technology/future_tense/2016/02/apple_s_stand_against_the_fbi_is_courageous_it_s_also_good_for_apple.html; Ben Thompson, Apple Versus the FBI, Understanding iPhone Encryption, the Risks for Apple and Encryption, stratechery (Feb. 17, 2016), https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption.

[5] Apple Statement; Marcy Wheeler, Why This iPhone?, Slate (Feb. 19, 2016, 1:26 PM), http://www.slate.com/articles/technology/future_tense/2016/02/the_apple_fbi_encryption_battle_is_over_an_iphone_unlikely_to_yield_critical.html.

[6] Danny Yadron, Spencer Ackerman and Sam Thielman, Inside the FBI’s Encryption Battle with Apple, The Guardian (Feb. 18, 2016), http://www.theguardian.com/technology/2016/feb/17/inside-the-fbis-encryption-battle-with-apple.

[7] Cyrus Farivar, Apple Expands Data Encryption Under iOS 8, Making Handover to Cops Moot, arstechnica (Sep. 17, 2014, 9:57 PM), http://arstechnica.com/apple/2014/09/apple-expands-data-encryption-under-ios-8-making-handover-to-cops-moot/.

[8] See, Apple Inc., iOS Security, Apple Inc. (Sep. 2014), https://assets.documentcloud.org/documents/1302613/ios-security-guide-sept-2014.pdf (describing the UID as a number, set during the manufacturing process that Apple itself does not record); Ben Thompson, Apple Versus the FBI, Understanding iPhone Encryption, the Risks for Apple and Encryption, stratechery (Feb. 17, 2016), https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption.

[9] Ben Thompson, Apple Versus the FBI, Understanding iPhone Encryption, the Risks for Apple and Encryption, stratechery (Feb. 17, 2016), https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption.

[10] See, Mohit Arora, How Secure is AES Against Brute Force Attacks?, EETimes (May, 7, 2012, 5:29 PM), http://www.eetimes.com/document.asp?doc_id=1279619. (Explaining that using AES 256, an encryption key used by the iPhone would be 256 characters long, meaning there are 2²⁵⁶combinations. Assuming a computer powerful enough to guess 33.86 X 10¹²/second (using the world’s fastest super computer, the Tianhe-2), it would take about 1.03 X 10⁵⁵ years on average to crack an AES 256 key. For perspective, the Earth is 4.5 X 10⁹years old.).

[11] Andrew Crocker, Judge to DOJ: Not All Writs, Electronic Frontier Foundation (Oct. 12, 2015), https://www.eff.org/deeplinks/2015/10/judge-doj-not-all-writs.

[12] See, Apple Inc., iOS Security, Apple Inc. (Sep. 2014), https://assets.documentcloud.org/documents/1302613/ios-security-guide-sept-2014.pdf (explaining that the user-selected passcode is entangled with the UID to create an encryption key, that Apple does not have access to); Dan Guido, Apple Can Comply with the FBI Court Order, Trail of Bits Blog (Feb. 17, 2016), http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order; Ben Thompson, Apple Versus the FBI, Understanding iPhone Encryption, the Risks for Apple and Encryption, stratechery (Feb. 17, 2016), https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption.

[13] Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[14] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[15] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[16] See, Apple Inc., iOS Security, Apple Inc. (Sep. 2014), https://www.apple.com/business/docs/iOS_Security_Guide.pdf, 12 (explaining key security features, the delay, triggered after 4 incorrect passcode attempts imposes a 1-minute delay after the 5^th incorrect attempt, a 5-minute delay after the 6^th incorrect attempt, a 15-minute delay after the 7^th and 8^th incorrect attempts, and a 1-hour delay after the 9^th incorrect attempt.).

[17] See, Apple Inc., iOS Security, Apple Inc. (Sep. 2014), https://www.apple.com/business/docs/iOS_Security_Guide.pdf, 12 (explaining key security features, the iPhone can be set to wipe all its data after the 10^th incorrect passcode attempt. This wipe is achieved by discarding the encryption key from accessible memory, making the entire hard-disk unintelligible.).

[18] Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016) (Apple would upload a custom operating system to the shooter’s phone modifying security settings—though not specifically decrypting.).

[19] 10,000 possible combinations for a 4-digit numeric passcode, or 1 Million possible combinations for a 6-digit numeric passcode.

[20] See, Apple Inc., iOS Security, Apple Inc. (Sep. 2014), https://www.apple.com/business/docs/iOS_Security_Guide.pdf, 12 (explaining that even without the delay, the iteration counter imposes an 80 millisecond delay, therefore, all the possible combinations could theoretically be guessed in under 5 hours.).

[21] Apple Inc’s Motion to Vacate Order Compelling Apple Inc. To Assist Agents in Search at 11, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016); Amy Davidson, The Dangerous All Writs Act Precedent in the Apple Encryption Case, The New Yorker (Feb. 19, 2016), http://www.newyorker.com/news/amy-davidson/a-dangerous-all-writ-precedent-in-the-apple-case.

[22] Amy Davidson, The Dangerous All Writs Act Precedent in the Apple Encryption Case, The New Yorker (Feb. 19, 2016), http://www.newyorker.com/news/amy-davidson/a-dangerous-all-writ-precedent-in-the-apple-case.

[23] 28 U.S.C. § 1651 (2012).

[24] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[25] Tim Cook, Customer Letter, Apple Inc. (Feb. 16, 2016) http://www.apple.com/customer-letter/ (“The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.”).

[26] Danny Yadron, Spencer Ackerman and Sam Thielman, Inside the FBI’s Encryption Battle with Apple, The Guardian (Feb. 18, 2016), http://www.theguardian.com/technology/2016/feb/17/inside-the-fbis-encryption-battle-with-apple.

[27] Andrew Crocker, Judge to DOJ: Not All Writs, Electronic Frontier Foundation (Oct. 12, 2015), https://www.eff.org/deeplinks/2015/10/judge-doj-not-all-writs.

[28] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[29] Id.

[30] Apple’s unique encryption key—without which, a phone cannot be updated.

[31] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016) (pointing to United States v. New York Tel. Co., 434 U.S. 159, 174 (1977).).

[32] Government’s Motion to Compel Apple Inc. To Comply with this Court’s February 16, 2016 Order Compelling Assistance in Search, at 17, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[33] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, at 17, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[34] Government’s Motion to Compel Apple Inc. To Comply with this Court’s February 16, 2016 Order Compelling Assistance in Search, at 11-12, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[35] United States v. New York Tel. Co., 434 U.S. 159, 175-75 (1977).

[36] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, at 13, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[37] Id.

[38] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, at 13, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016) (“The same software Apple is uniquely able to modify . . . Especially but not only because iPhones will only run software cryptographically signed by Apple . . .”).

[39] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, at 13, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[40] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, at 13-14, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016) (quoting New York Telephone Co., 434 U.S. at 174); Government’s Motion to Compel Apple Inc. To Comply with this Court’s February 16, 2016 Order Compelling Assistance in Search, at 8, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[41] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, at 14-16, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[42] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, at 16, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[43] Government’s Ex Parte Application for Order Compelling Apple Inc. To Assist Agents in Search, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[44] Apple notes that it has already assisted the government in their investigation; Mikey Campbell, FBI Contacted Apple, Received Data Related to San Bernardino Case 3 days After Shooting, appleinsider (Feb. 27, 2016, 12:39 AM), http://appleinsider.com/articles/16/02/27/fbi-contacted-apple-received-data-related-to-san-bernardino-case-3-days-after-shooting-.

[45] Apple Inc’s Motion to Vacate Oder Compelling Apple Inc to Assist Agents in Search, and Opposition to Government’s Motion to Compel Assistance, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[46] Pa. Bureau of Corr. v. United States Marshals Serv., 474 U.S. 34, 43 (1985) (“The All Writs Act is a residual source of authority to issue writs that are not otherwise covered by statute. Where a statute specifically addresses the particular issue at hand, it is that authority, and not the All Writs Act, that is controlling. Although that Act empowers federal courts to fashion extraordinary remedies when the need arises, it does not authorize them to issue ad hoc writs whenever compliance with statutory procedures appears inconvenient or less appropriate.”).

[47] Apple Inc’s Motion to Vacate Oder Compelling Apple Inc to Assist Agents in Search, and Opposition to Government’s Motion to Compel Assistance, at 14, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[48] Apple Inc’s Motion to Vacate Oder Compelling Apple Inc to Assist Agents in Search, and Opposition to Government’s Motion to Compel Assistance, at 16, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[49] 47 U.S.C. § 1002(b)(1) (2012). (“This subchapter does not authorize any law enforcement agency or officer—

(A) to require any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services; or

(B) to prohibit the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.”) [emphasis added].

[50] Id.

[51] 47 U.S.C. § 1002(b) (2012).

[52] 47 U.S.C. § 1002(b)(3) (2012).

[53] Apple Inc’s Motion to Vacate Oder Compelling Apple Inc to Assist Agents in Search, and Opposition to Government’s Motion to Compel Assistance, at 6-8, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[54] Pa. Bureau of Corr. v. United States Marshals Serv., 474 U.S. 34, 43 (1985).

[55] New York Telephone Co., 434 U.S. at 159.

[56] Id. at 174.

[57] A device used to record phone numbers dialed on specific phone lines.

[58] New York Telephone Co., 434 U.S. at 174-75 (Court notes that the phone company regularly used pen registers in normal operations).

[59] Apple Inc’s Motion to Vacate Oder Compelling Apple Inc to Assist Agents in Search, and Opposition to Government’s Motion to Compel Assistance, at 11, fn. 21, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).(The FBI has acknowledged that it worked with the phone’s owner (San Bernardino County) to reset the the iCloud password in an effort to unlock the iCloud backup. Apple argues that had the county and the FBI not reset the password, “this litigation may not have been necessary,” as it could have initiated a remote backup of the phone and subsequently produced an updated backup to investigators.).

[60] Fred Kaplan, How Apple’s Stand Against the FBI Could Backfire, Slate (Feb. 19, 2016, 6:26 PM), http://www.slate.com/articles/technology/future_tense/2016/02/how_apple_ceo_tim_cook_s_stand_against_the_fbi_could_backfire.html; Marcy Wheeler, Why This iPhone?, Slate (Feb. 19, 2016, 1:26 PM), http://www.slate.com/articles/technology/future_tense/2016/02/the_apple_fbi_encryption_battle_is_over_an_iphone_unlikely_to_yield_critical.html.

[61] Id.

[62] Tim Cook, Customer Letter, Apple Inc. (Feb. 16, 2016) http://www.apple.com/customer-letter/; Marcy Wheeler, Why This iPhone?, Slate (Feb. 19, 2016, 1:26 PM), http://www.slate.com/articles/technology/future_tense/2016/02/the_apple_fbi_encryption_battle_is_over_an_iphone_unlikely_to_yield_critical.html.

[63] Fred Kaplan, How Apple’s Stand Against the FBI Could Backfire, Slate (Feb. 19, 2016, 6:26 PM), http://www.slate.com/articles/technology/future_tense/2016/02/how_apple_ceo_tim_cook_s_stand_against_the_fbi_could_backfire.html; Will Oremus, Irate DOJ Dismisses Apple’s Fight with the FBI as a “Brand Marketing Strategy”, Slate (Feb. 19, 2016, 6:02 PM), http://www.slate.com/blogs/future_tense/2016/02/19/department_of_justice_motion_mocks_apple_s_fbi_fight_as_a_brand_marketing.html; Kaveh Waddell, The Optics of Apple’s Encryption Fight, The Atlantic (Feb. 17, 2016), http://www.theatlantic.com/technology/archive/2016/02/why-apple-is-fighting-the-fbi/463260.

[64] Dan Guido, Apple Can Comply with the FBI Court Order, Trail of Bits Blog (Feb. 17, 2016), http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order; Ben Thompson, Apple Versus the FBI, Understanding iPhone Encryption, the Risks for Apple and Encryption, stratechery (Feb. 17, 2016), https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption.

[65] Tim Cook, Customer Letter, Apple Inc. (Feb. 16, 2016) http://www.apple.com/customer-letter/; Will Oremus, Apple vs. The FBI, Slate (Feb. 17, 2016, 7:44 PM), http://www.slate.com/articles/technology/future_tense/2016/02/apple_s_stand_against_the_fbi_is_courageous_it_s_also_good_for_apple.html.

[66] Tim Cook, Customer Letter, Apple Inc. (Feb. 16, 2016) http://www.apple.com/customer-letter/.

[67] Government’s Ex Parte Application for a Continuance, In the Matter of the Search of an Apple IPhone Seized During the Execution of a Search Warrant on a Black Lexis IS300, California License Plate 35KG203, No. 15-0451M (C.D. Cal. 2016).

[68] Id.

[69] See, Apple Inc., iOS Security, Apple Inc. (Sep. 2014), https://www.apple.com/business/docs/iOS_Security_Guide.pdf, 4-7 (describing the “Secure Enclave” on newer iOS devices).

[70] Tim Cook, Customer Letter, Apple Inc. (Feb. 16, 2016) http://www.apple.com/customer-letter/.

September 16, 2014September 16, 2014

Anything You Say May Be Used Against You: Corporate Voiceprint Tactics Trigger Latest Privacy & Security Concerns

By Shruti Panchavati*

“We raid speech for its semantic meaning, and then discard the voice like detritus leftovers.”[1]

I. Introduction

Work is being done to integrate various biometrics into mobile devices, but the human voice is a natural choice for businesses because public attention on voiceprinting is shockingly low. For instance, it came as no surprise when privacy concerns began to take form even as Apple unveiled its fingerprint scanner on the newest iPhone 5S;[2] lawmakers and advocates declared it a hacker’s “treasure trove.”[3] And yet, despite its obvious functional similarities, Apple’s voiceprint scanner “Siri” has received little public scrutiny, suggesting a widespread misunderstanding about the human voice, one that mobile giants have been quick to market.[4] The result is chilling: in the absence of legal and regulatory guidelines these corporations could be on their way to creating the largest name to voice database, without even trying.

An increasing number of mobile companies are combining voiceprint technology with broad privacy policies to gain an unfettered right to collect, store, and use an individual’s data for an indefinite period of time. This Article examines Apple’s voiceprint policy and argues that modern-day remedial strategies have failed to protect users’ privacy and security. In response, states should adopt and implement California’s Right to Know Act, which would allow users to access and track their digital footprint. Part II of this Article highlights the sweeping implications of corporate voiceprinting. Part III exposes the wide-reaching privacy and security implications in Apple’s ill named “Privacy” Policy. Part IV recommends a practical, effective solution that balances the privacy concerns of the user against the commercial interests of the mobile industry.

II. An Audible Signature

Voiceprinting (also referred to as “voice biometrics”) creates a mathematical representation of the sound, pattern, pitch, and rhythm of an individual’s voice, which can then be used for any number of purposes, such as recognition or identification.[5] The technology has the distinct advantage of basing authentication on an intrinsic human characteristic—the human voice. It is our audible signature and, just as no two fingerprints are alike, no two voices are alike.[6] It is also a powerful guide to the speaker’s most terrifyingly intimate details.[7] With just a few words, the voice can reveal an individual’s gender, age, height, health, emotional state, sexual orientation, race, social class, education, and relationship to the person being spoken.[8] It is a remarkably rich resource that is largely taken for granted, in part, because of the spread of mobile devices.

Mobile technology appears to have dissociated the voice from the body, lulling the public into a false sense of security about corporate voiceprinting. To see its implications, consider that financial service organizations have already implemented voice biometrics to allow users to check account balances, make payments, track transactions simply using their voice.[9] Additionally, governments across the globe are investing in voice biometrics that would allow them to tuck away millions of voiceprints for surveillance and law enforcement.[10] Indeed, the human voice is now more valuable than any password or PIN number and widespread corporate collection, storage, and use of our audible signatures raises grave privacy and security concerns, begging the question: can mobile companies be trusted to handle this technology responsibly?

III. Unraveling Apple’s Voiceprint Policy

On October 4, 2011, Apple unveiled the iPhone 4S with Siri, a built-in interactive personal assistant.[11] While it was not the first foray into speech-recognition technology,[12] it is the most popular and, after only five months of availability, the iPhone 4S sold about 15.4 million units.[13] It is undoubtedly a remarkable technological achievement, but combined with its overbroad Privacy Policy, it can have many unforeseeable consequences for innocent users.

Apple’s iOS7 Software Licensing Agreement, in relevant part, notes that, “[w]hen you use Siri or Dictation, the things you say will be recorded and sent to Apple in order to convert what you say into text and to process your requests.”[14] In other words, anything said to Siri is recorded and sent to the company’s data farm in North Carolina, where Apple converts the spoken words into a digital code.[15] Not mentioned in the Privacy Policy is that the company assigns each user a randomized number and, as voice files from Siri requests are received, the data is assigned to that number.[16] After six months, Apple then “disassociates” the user number from the voice clip, but maintains records of these disassociated files for up to eighteen months for “testing and product improvement purposes.”[17] However, it remains unclear what Apple really does when it “dissociates” these files or what it means to use user voiceprints for “testing and product improvement purposes.” Moreover, without any regulatory oversight, there is no guarantee that Apple ever actually deletes these records after eighteen months or at all.

Siri’s Privacy Policy further states that “[b]y using Siri or Dictation, you agree and consent to Apple’s and its subsidiaries’ and agents’ transmission, collection, maintenance, processing, and use of this information, including [the user’s] voice input and User Data, to provide and improve Siri, Dictation, and dictation functionality in other Apple products and services.”[18] This information collected includes “all types of data associated with your verbal commands and may also include audio recordings, transcripts of what [is] said, and related diagnostic data.”[19] What Apple is referring to here is a voiceprint, so by signing the licensing agreement, a user consents to the company’s collection, storage, and use of their voice biometric data. Additionally, Apple gives itself the right to share this data with any of its unnamed partners and subsidiaries without notice or cause and for an indefinite period of time.

It may be argued that Apple and other like companies know better than to misuse user information because it would be poor public relations strategy. There is no evidence to prove that corporations are currently exploiting their position.[20] However, the problem remains that no one—users, lawmakers, privacy advocates, or politicians—knows what is happening behind closed doors and Apple is not saying either way.[21] Personal data economy has become a largely elusive and highly lucrative world and, as always, real concern in privacy and security is not what is happening, but what could happen.

IV. Recommendation & Conclusion

With the widespread use of voiceprint technology in mobile phones, it is no surprise that companies, such as Apple, have digital portfolios on each user. Banning voice biometric technology is not a desired option and admittedly companies do need some information about a user and his or her preferences to operate applications, such as Siri, efficiently.[22] However, present-day remedies do not provide sufficient protections against corporate intrusions and data thefts.[23]

In the face of this dilemma, California’s “Right to Know” Act sets an unprecedented level of corporate transparency that gives users the right to access and track their own private data.[24] Specifically, the Act requires that “any business that holds a customer’s personal information to disclose it within 30 days of that customer’s request. Adding to this, names and contact information of all third parties with which the business has shared that customer’s data with during the previous 12 months must also be disclosed.”[25] Additionally, if the company refuses disclosure, the user has the legal right to bring a civil claim, forcing them to comply with the law.[26] The Act mimics the right to access data that is already available to residents in Europe, proving that big technology giants, such as Apple, already have the procedures in place to respond.[27] As more and more companies continue to implement efficient strategies to facilitate the process, the Act will not only have introduced corporate transparency into the digital age, but will likely have also made it the norm.

It may be argued that the Right to Know Act is too modest and does not actually give users the right to correct or delete their personal data. These are certainly important considerations down the road and, in a perfect world, users would have full and complete control of all of their information. However, it may be a long time, if ever, before that robust privacy and security strategies can be implemented. In the meantime, the Right to Know Act is an important first step in putting privacy and security back in the hands of the user.

*J.D. Candidate, University of Illinois College of Law, expected 2015. B.S. Psychology with Neuroscience Option, Pennsylvania State University, 2012. I am grateful to the editors of the Journal of Law, Technology, and Policy for their advice and insight on this piece.

[1] Anne Karpf, The Human Voice: How this Extraordinary Instrument Reveals Essential Clues About Who We Are 13 (Bloomsbury USA, 1st ed. 2006).

[2] Chenda Ngak, Should You Fear Apple’s Fingerprint Scanner?, CBS News (Sept. 24, 2013, 10:12 AM), http://www.cbsnews.com/news/should-you-fear-apples-fingerprint-scanner/.

[3] Charlie Osborne, iPhone Fingerprint Scanner Sparks Privacy Worries, CNET (Sept. 17, 2013, 9:55AM), http://news.cnet.com/8301-13579_3-57603298-37/iphone-fingerprint-scanner-sparks-privacy-worries/.

[4] See Kevin C. Tofel, How to Enable Experimental “OK Google” Voice Recognition on your Chromebook, Gigaom (Nov. 21, 2013, 8:33 AM), http://gigaom.com/2013/11/21/how-to-enable-experimental-ok-google-voice-recognition-on-your-chromebook/ (noting that Google Voice is already a popular feature on the Android smartphone and Chrome).

[5] Authentify, Voice Biometric Authentication, http://www.authentify.com/solutions/voice_biometrics.html (last visited Sep. 15, 2014).

[6] See id. (“A voice biometric or ‘voice print,’ is as unique to an individual as a palm or finger print.”).

[7] Karpf, supra note 1, at 10–11.

[8] Id.

[9] Omar Zaibak, 3 Banks Using Voice Biometrics for Security and Authentication, Voice Trust (Mar. 24, 2014), http://www.voicetrust.com/blog/voice-biometrics-banking/.

[10] Noel Brinkerhoff, Governments Begin to Build Voice Print Databases, All Gov (Oct. 6, 2012), http://www.allgov.com/news/top-stories/governments-begin-to-build-voice-print-databases-121006?news=845876.

[11] Press Release, Apple Launches iPhone 4S, iOS 5 & iCloud (Oct. 4, 2011), available at http://www.apple.com/pr/library/2011/10/04Apple-Launches-iPhone-4S-iOS-5-iCloud.html.

[12] Bernadette Johnson, How Siri Works, HowStuffWorks, http://electronics.howstuffworks.com/gadgets/high-tech-gadgets/siri1.htm (last visited Sep. 15, 2014).

[13] Id.

[14] iOS Software License Agreement, Apple, available at http://www.apple.com/legal/sla/docs/iOS7.pdf (last visited Sep. 15, 2014) (emphasis original).

[15] John W. Mashni & Nicholas M. Oertel, Does Apple’s Siri Records and Store Everything You Say?, Technology Law Blog (July 17, 2012), www.michiganitlaw.com/Apple-Siri-Record-Store-Everything-You-Say.

[16] Eric Slivka, Anonymized Siri Voice Clips Stored by Apple for Up to Two Years, MacRumors (Apr. 19, 2013, 6:42 AM), www.macrumors.com/2013/04/19/anonymized-siri-voice-clips-stored-by-apple-for-up-to-two-years/.

[17] Id.

[18] iOS Software License Agreement, supra note 14.

[19] John Weaver, Siri is My Client: A First Look at Artificial Intelligence and Legal Issues, N.H. B. J., Winter 2012, at 6 available at https://www.nhbar.org/uploads/pdf/BJ-Winter2012-Vol52-No4-Pg6.pdf.

[20] See Matthew Panzarino, Apple Says It Has Never Worked With NSA To Create iPhone Backdoors, Is Unaware of Alleged DROPOUT JEEP Snooping Program, Tech Crunch (Dec. 31, 2013), http://techcrunch.com/2013/12/31/apple-says-it-has-never-worked-with-nsa-to-create-iphone-backdoors-is-unaware-of-alleged-dropoutjeep-snooping-program/ (indicating that Apple denied creating any iPhone “backdoors” for the National Security Agency that would allow NSA to monitor Apple’s users).

[21] Barbara Ortutay, Apple Privacy Concerns: Experts Slam Apple Over ‘Locationgate,’ The Huffington Post (June 28, 2011), http://www.huffingtonpost.com/tag/apple-privacy-concerns.

[22] iOS Software License Agreement, supra note 14.

[23] Australian Associated Press, Facebook Gave Government Information on Hundreds of Australian Users, The Guardian (Aug. 28, 2013, 2:41 AM) http://www.theguardian.com/technology/2013/aug/28/facebook-australia-user-data-requests (noting the failure of a claim by an Austrian law student, who invoked a “habeas data” right by demanding Facebook data).

[24] Rainey Reitman, New California “Right to Know” Act would Let Consumers Find out who has their Personal Data—and Get a Copy of it, Electronic Frontier Foundation (Apr. 2, 2013), https://www.eff.org/deeplinks/2013/04/new-california-right-know-act-would-let-consumers-find-out-who-has-their-personal.

[25] Assembly Bill, 14 California Legislature 1291, (2013), available at http://leginfo.ca.gov/pub/1314/bill/asm/ab_12511300/ab_1291_bill_20130222_introduced.pdf.

[26] Id.

[27] Reitman, supra note 24.