Sifting Fact from Fiction with All Writs and Encryption: No Backdoors
Following recent reports in the Wall Street Journal and Ars Technica, there’s been new interest in the government’s use of a relatively obscure law, the All Writs Act. According to these reports, the government has invoked the All Writs Act in order to compel the assistance of smartphone manufacturers in unlocking devices pursuant to a search warrant. The reports are based on orders from federal magistrate judges in Oakland and New York City issued to Apple and another unnamed manufacturer (possibly also Apple) respectively, requiring them to bypass the lock screen on seized phones and enable law enforcement access.
These reports come at an interesting time. Both Apple and Google have announced expanded encryption in their mobile operating systems. If a device is running the latest version of iOS or Android, neither company will be able to bypass a user’s PIN or password and unlock a phone, even if the government gets a court order asking it to do so. The announcements by Apple and Google have in turn led to calls for “golden keys”—hypothetical backdoors in devices intended to allow only law enforcement to access them. As we’ve explained, we think these proposals to create backdoors totally misunderstand the technology and make for terrible policy.
Amid this prospect of a second “Cryptowar” is the lurking fear that the government might force unwilling companies to include backdoors in their products, even if they’re not required by Congress to do so. We sometimes hear from jaded developers and others who think that all it would take to force a backdoor is one National Security Letter. While NSLs are unconstitutional, even the government admits that they can only be used to obtain limited information, which does not include forcing anyone to backdoor a product. Nevertheless, this fear is feeding some of the interest generated by the press reports about the government’s invocation of All Writs Act in the unlocking cases.
So what is the All Writs Act, and why does it allow the government to bring in third parties like phone manufacturers to require them to help in an investigation? What are the limits of a court’s power under the All Writs Act? Can it be used to force developers to build backdoors into their products?
EFF has been paying attention to the All Writs Act for a while, though not quite since its enactment in 1789. As we explained in 2005, the Act gives federal courts the authority to issue the writs (court orders) that are "necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law." In other words, it’s an all-purpose law that allows courts to require third parties’ assistance to execute a prior order of the court. Using the Act to obtain assistance executing a search warrant is relatively common, and the Supreme Court has sanctioned the Act’s use to order a telephone company to help install a pen register. Lower courts have used the Act in analogous situations, such as forcing suspects to decrypt their personal devices pursuant to a search warrant.
However, as our earlier post notes, the Supreme Court has set out limits to the Act: A court cannot use it to bypass other laws or the Constitution, nor can it require third parties to assist in ways that would be “unreasonably burdensome.” Back in 2005, a federal judge issued a forceful rejection of the argument that the All Writs Act could be used to compel a provider to allow the tracking of a cell phone in real time without a search warrant.
Unlocking, Decryption, and Backdoors
In the recent cases requiring manufacturers to unlock phones pursuant to a search warrant, both judges made clear that their orders were narrow. The New York federal court allowed the company an opportunity to object if the order was unduly burdensome, while the federal court in Oakland explicitly stated that “Apple is not required to attempt to decrypt, or otherwise enable law enforcement’s attempt to access any encrypted data.”1
It bears remembering that in both cases, the government had already obtained search warrants for the phones. Thus, the government was invoking the All Writs Act in these cases to effectuate the warrants, which don’t themselves command the companies to do anything. The Act is the mechanism for getting the companies’ assistance. Presumably, these orders concerned phones that the companies were capable of unlocking, though we don’t know for sure.
If, on the other hand, the companies simply could not unlock the phones (as would probably be the case for the most recent versions of iOS and Android), the companies would bring that to the court’s attention and that would likely be the end of the matter. A similar dynamic might play out if law enforcement obtained a warrant for an encrypted phone and sought to use the Act to compel a third party to decrypt it, though the third party might raise different arguments on the burden and legality of such an order.
This brings us to the specter of compelled backdoors. Simply put, the government cannot use an authority like the All Writs Act to force a company to backdoor its product. Compelling a company to re-engineer a product designed to provide robust encryption is the definition of unreasonably burdensome because it undermines the basic purpose of the product.2 What’s more, forcing the installation of a generalized backdoor is not “in aid of the court’s jurisdiction,” since the court would be reaching beyond the specific targeted search to a generalized backdoor. Finally, there are significant arguments that using the Act this way would run afoul of statutory law—particularly the Communications Assistance for Law Enforcement Act—and the Constitution. It’s very hard to imagine a court buying such a request.
As we’ve said before, we applaud companies that are standing up for their customers’ security. Developers should be able to build strong encryption into their products without a government-mandated backdoor. If the government presents an order to the contrary, please reach out to email@example.com.
- 1. As a small note, even in iOS 7, mail stored on an iPhone is encrypted, so a court’s order compelling Apple to unlock such a phone would result in the decryption of the stored emails.
- 2. However, it may be a different story if the product does not require re-engineering, that is if a backdoor already exists.
Recent DeepLinks Posts
Aug 26, 2016
Aug 25, 2016
Aug 24, 2016
Aug 23, 2016
Aug 22, 2016
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Artificial Intelligence & Machine Learning
- Bloggers' Rights
- Border Searches
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Electronic Frontier Alliance
- Encrypting the Web
- Export Controls
- Fair Use and Intellectual Property: Defending the Balance
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2016 Copyright Review Process
- Free Speech
- Genetic Information Privacy
- Government Hacking and Subversion of Digital Security
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Know Your Rights
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- Mobile devices
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Offline : Imprisoned Bloggers and Technologists
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Reclaim Invention
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- State-Sponsored Malware
- Student Privacy
- Stupid Patent of the Month
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- TPP's Copyright Trap
- Trade Agreements and Digital Rights
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- UK Investigatory Powers Bill
- Video Games