Here’s an interesting number for you: 63. That’s the number of times the federal government has issued orders to companies to assist in gaining access to smartphones which were locked, something they used the All Writs Act of 1789 to justify. Another interesting number: 9. That’s the amount of times it was issued to Google. The rest were on Apple.
And you know what? Google and Apple obliged (though it’s not clear how many times they were able to offer sufficient help). That is until the FBI gained a court order forcing Apple to unlock the iPhone 5c belonging to one of the shooters responsible for attacks in San Bernardino.
So, why is it such a big deal now?
This was the first time a company had been ordered to actively and willingly weaken or circumvent their products’ security with new software for the sake of complying with the order.
You see, it wasn’t an issue before because Apple didn’t have to go as far as creating new software to give the government what they needed, and their phones didn’t have the same level of encryption and protection that they’ve had for the past 1-2 years. Google has never had to deal with that, either.
“We carefully scrutinize subpoenas and court orders to make sure they meet both the letter and spirit of the law,” said a spokesperson for Google. “However, we’ve never received an All Writs Act order like the one Apple recently fought that demands we build new tools that actively compromise our products’ security. As our amicus shows, we would strongly object to such an order.”
Google was able to comply with some of the orders because we didn’t have mandatory device encryption until Android 5.0 Lollipop (although they later delayed the requirement and only made a “strong” suggestion for OEMs to encrypt devices as standard, at least until Marshmallow arrived), and one feature of the Android Device Manager (a handy tool for finding or protecting your phone when you lose it) allowed Google to issue one-time password resets to locked devices, something they weren’t asked to build for the sake of complying with an order.
That feature was only available for phones that met a couple of conditions:
- The device protection had to be a pattern lock. It couldn’t work against phones which used PINs, passwords or fingerprint lock mechanisms.
- The device had to be unencrypted, something which the user can enable themselves, and is sometimes done by default on some phones as of Android 5.0 Lollipop.
To boot, Google ended up axing the feature altogether starting with Android 5.0 Lollipop, so those sorts of orders could no longer be carried out by way of an existing method for a majority of Android phones released in the past couple of years. Had the court ordered Google to compromise their own security with a new method for the purpose of complying with the order, they claim they would have taken the same stance Apple did when they were asked to do so.
Why Apple (and everyone else) is fighting
The big problem with the All Writs Act is that it was written with a certain vagueness that has allowed law enforcement and courts to reinterpret its meaning for their benefit in all sorts of cases. Most commonly in today’s age? Access to the information on criminals’ smartphones.
As it stands, the All Writs Act essentially applies to, well, everything, even if the original law never intended as such. Here’s the relevant excerpt from the original law as it was written way back when George Washington was still sitting as our first president:
The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.
In layman’s terms, it means once all other options of investigating a case within the confines of law are exhausted, the courts can order people (or companies, in this case) to assist in getting the job done. In the government’s eyes, that means Apple is wrong to have refused the order as the law seems designed to give an all-access pass to anything they want, because there’s nothing in the law that puts a limit on what they can do. In fact, the government says they’ll issue more orders like that one if they have to.
Now do you see why this is such a bad precedent to set? It essentially says to the American people:
- You don’t have a right to privacy.
- You don’t have a right to an encrypted smartphone.
- Companies don’t have a right to sell encrypted smartphones.
- Companies don’t have a right to protect their users’ information.
It may not sound like it, but that one order said all of that, and that’s probably the scariest thing of all.
It’s important to remember these companies have no problem assisting with investigations when ordered by law. That has never been a secret. But using a law from a time when smartphones didn’t even exist to justify a complete denial of information safety and privacy is just plain bad. We aren’t going to shame anyone for fighting for that law to be adjusted to account for modern times, or even abolished.
[via Ars Technica]