Having an open and honest debate about security

This post originally appeared on the Lawfare blog.

Let’s not pretend that the outcome the Justice Department seeks in the Apple case is limited to only a single case and just this particular phone.

This unquestionably involves a special case. Because of the specter of an ISIS connection, the San Bernardino attacks send chills down the spine of every American. The ISIS connection makes this case different from other cases of homegrown radicalization. And the actual owner of the iPhone has consented to the search.

It is these special characteristics that make the San Bernardino case a compelling vehicle for the FBI to press its concerns about end-to-end encryption on devices and apps. The Justice Department has chosen the highest possible ground from which to launch a battle with Apple that has been building for more than a year. Early on, FBI Director Jim Comey said he wanted to start a national discussion about law enforcement access to encrypted communications; with the media storm and policy and political debate that has followed the San Bernardino court order, he has certainly gotten that discussion. 

Director Comey is correct when he writes that investigators have an obligation to do all that they can to pursue leads in the San Bernardino case. And this obligation is precisely why the relief sought in San Bernardino cannot be limited just to Syed Farook’s iPhone.

Currently, there are nine other cases in which the FBI has sought information on iPhones under the All Writs Act. The investigators in those cases also feel obligated to do all they can under the law to pursue leads. Manhattan District Attorney Cyrus Vance, Jr., one of the most vocal critics of end-to-end encryption technology, says his office has obtained 175 iPhones it cannot crack into. Certainly, he and his assistant district attorneys feel the same obligation as the FBI to do all they can to pursue evidence. 

And the same will be true of every other federal and state prosecutor, as well as prosecutors and investigators around the world, if they are able to compel Apple to insert a mirror operating system that will enable them to hack into an iPhone. Senator Patrick Leahy (D-VT), the ranking Democrat on the Senate Judiciary Committee, was the chief prosecutor for Chittenden County in Vermont before he was elected to the Senate. I recently asked him whether, if he were still in that role and leading a murder investigation, he would want to go to court for a decryption solution if an iPhone might provide clues to the killer. His answer was that of course he would.

Strictly speaking, the Justice Department is right that its solution is not a “back door” in that it would not be introduced on all iPhones. Instead, it would be used to crack the passwords of individual phones where authorized on a case-by-case basis, offering a significantly improved security cost-benefit tradeoff.

Nevertheless, it introduces a vulnerability into the system. It would create code where none exists. The fact that this code exists would be widely known. Even if the code should be deleted, the memories of the engineers who write it could not be erased.

The magistrate’s order does not reflect any limiting principle for such access and prosecutors have not articulated one. Nor will they if they can avoid it, because the prosecution will want to preserve arguments that any decryption solution compelled in this case can be deployed in another. And so on. Meanwhile, once a shadow operating system is created, its very existence will dilute Apple’s argument that compelling it to write code is an unreasonable burden.

Director Comey writes that the tensions presented by the San Bernardino case “should not be resolved by the FBI, which investigates for a living” but rather “by the American people deciding how we want to govern ourselves ….” He’s right. But the FBI’s actions are forcing the issue to be decided, not by the American people, but by magistrates and judges.