Apple's EULA Gives It License to Invade Your Privacy, Government Claims
Update (mere hours later): Apple filed a reply to this brief that matches our position that the government has overreached. Here's the relevant part:
The fact that Apple’s devices include software, and that such software comes with licensing requirements, does not change anything. See Reply at 13-15. Apple’s licensing agreement does not establish a connection between Apple and the private data its customers store on their devices. It does not, for example, permit Apple to invade its customers’ devices uninvited or prohibit those customers from re-selling their devices to someone else absent consent from Apple. It merely places limitations on the customers’ use and redistribution of Apple’s software (limitations that are common to the industry). To hold that the existence of such a license is enough to conscript Apple into government service would be to say that the manufacturer of a car that has licensed software in it (which is increasingly the case) could be required to provide law enforcement with access to the vehicle or to alter its functionality at the government’s request.
Original post follows.
When you buy a book, the government can’t demand the publisher or bookstore turn over the notes you’ve written in the margins. But in a case in the United States District Court for the Eastern District of New York, the government is currently arguing that the way Apple licenses its software to users means that people don’t actually own their copy of code that powers their iPhones, and thus the company can be ordered to bypass the lock screen in order to get at data on those users’ devices.
While we don’t think the argument has much merit, it’s a prime example of how license agreements can be bootstrapped to strip people of the rights that we normally associate with ownership. Most commonly, those threats look like attempts to interfere with secondary markets for reselling or lending goods, or restrictions on people’s right to tinker with or modify their stuff. But once ownership rights have been attacked from these angles, it’s no great leap to see the government try to get in on the game.
This confluence of user autonomy and civil liberties issues arises in what is otherwise a seemingly routine federal drug prosecution. Magistrate Judge James Orenstein deferred ruling earlier this month on an attempt by the government to compel Apple to bypass the lock screen on a device seized from a suspect, instead asking Apple to weigh in on whether it would be burdensome to comply. Judge Orenstein also rightfully questioned whether the government’s reliance on the general-purpose All Writs Act would have the consequence of undermining the ongoing public debate on encryption, as our earlier analysis explains.
We’ve since learned that the device in question is an iPhone 5s running iOS 7. For such “pre-iOS 8” devices, Apple has the technical capability to bypass the lock screen and has previously assisted law enforcement officials in doing so. However, in its response brief filed earlier this week, Apple raised several reasons why complying in this case might be burdensome, including the cumulative effect of law enforcement requests and the need for its employees to testify in ensuing criminal trials. Most significant, however, was Apple’s argument that in light of the company’s strong stance on user privacy and security, being forced to comply in this case “could threaten the trust between Apple and its customers and substantially tarnish the Apple brand.” (EFF joined an amicus brief filed by the ACLU supporting Apple, but the judge rejected the brief because he felt that Apple’s participation was sufficient.)
The government filed its response to Apple’s brief today, arguing that the All Writs Act gives the court sufficient authority to compel Apple to unlock the phone. Along the way, it makes some pretty staggering arguments, including dismissing Apple’s concerns about harm to its reputation out of hand and pointing to several earlier cases in which Apple willingly unlocked seized phones. But the biggest howler comes as part of an argument that Apple has such a close connection to the devices it sells that it can be compelled to step in and take control of the device:
Apple designed, manufactured, and sold the Target Phone that is the subject of the search warrant. But that is only the beginning of Apple’s relationship to the phone and to this matter. Apple wrote and owns the software that runs the phone, and this software is thwarting the execution of the warrant. Apple’s software licensing agreement specifies that iOS 7 software is “licensed, not sold” and that users are merely granted “a limited non-exclusive license to use the iOS Software.” See “Notices from Apple,” Apple iOS Software License Agreement ¶¶ B(1)-(2), attached hereto as Exhibit C. Apple also restricts users’ rights to sell or lease the iOS Software: although users may make a “one-time permanent transfer of all” license rights, they may not otherwise “rent, lease, lend, sell, redistribute, or sublicense the iOS Software.” Ex. C, ¶ B(3). Apple cannot reap the legal benefits of licensing its software in this manner and then later disclaim any ownership or obligation to assist law enforcement when that same software plays a critical role in thwarting execution of a search warrant.
Needless to say, the suggestion that companies should be able to invade their users’ privacy on behalf of the government long after the device is sold runs counter to basic principles of user autonomy. It’s a fact that these one-sided end-user license agreements, or EULAs, are both exceedingly common and a raw deal for users. The government, however, stretches this particular EULA argument beyond its breaking point.
Nor does this argument hold much weight under the All Writs Act. Apple’s contractual relationship with iPhone users says nothing about the extent to which it can be brought into the government’s investigation of one of those users.1 A search warrant allows the government to use its resources to carry out a search of a specified place or thing, but it doesn’t give the government carte blanche to make sure the search is successful. That’s essentially what it’s asking the court to sanction in this case.
Apple has emerged in the post-Snowden era as an ally of user privacy rights—and as this case demonstrates, that’s not just in publicity efforts. On the technical side, that has meant embracing end-to-end encryption of iMessage and passcode-controlled device encryption that even the company itself cannot unlock. Perhaps it’s time that it examines as well the privacy impact of expansive license agreements that diminish user rights.
1. Even if the government does convince the court that Apple’s EULA means it controls the iOS instance on the phone, this raises some serious constitutional concerns. For example, under this rule Apple might well have a new or different Fourth Amendment interest in the phone, not to mention First and Fifth Amendment interests. The government wants to have it both ways—requiring Apple to get involved but ignoring possible infringement of its rights.