On February 16, 2016, Magistrate Sheri Pym of the United States District Court of Central California ordered Apple Inc. (“Apple”) to affirmatively develop tools to bypass or disable the auto-erase function on an iPhone 5C owned by the target of a criminal investigation, to enable the Federal Bureau of Investigations (“FBI”) to circumvent native iPhone security features which protect the device’s “physical device port, Bluetooth, WiFi” and other access points, and to “ensure” the FBI’s ability to have unmitigated access to user data maintained on the target iPhone. Though Magistrate Pym’s order is only three pages long, the order will likely have long-lasting impact on the future of the legal and technology industries if it survives Apple’s anticipated appeal.
For readers without a background in engineering or platform development, each smartphone, including the iPhone, is a digital bank trading in the currency of data. The operating system, which enables users to manage their applications, is like the main vault of a financial bank. Similarly, each application is like a personal deposit box. Applications generally differ in purpose and use, and as such, maintain different types of data. Some applications may contain sensitive financial information, i.e. Google Pay, Amazon, etc., and other applications may contain personal data like text messaging services, e-mail accounts, etc. However, the common thread linking all applications is their collective dependency on the underlying security of the host hardware and operating system.
Magistrate Pym’s order upsets the balance of smartphone security in two major ways. First, in ordering Apple to develop the tools to bypass the iPhone’s point of access security measures, Apple is now required to create a backdoor to the iPhone’s data vault. Second, in ordering Apple to ensure the FBI’s ability to access iPhone user data without triggering the iPhone’s auto-erase features, Apple is now also required to create a backdoor to each application hosted in the iPhone’s data vault. Generally, hardware and software developers limit points of access to reduce the surface area of risk and because of longstanding knowledge in the technology community that all points of access can be breached. As such, the Pym order exponentially increases the vulnerability of all iPhone devices and applications, especially because the backdoors mandated by the order must have the ability to bypass, circumvent or even disable the iPhone’s built-in security features.
Magistrate Pym’s order also has an enormous effect on mass data. While the tools being compelled by the order are intended to be used on only one iPhone, once these tools are developed, they can be utilized against all iPhones that have been updated or patched since August 2015. This represents approximately 68.2 million unique devices in the United States alone. In essence, Magistrate Pym’s order is akin to requiring all financial banks to build backdoors to every vault and deposit box in order to investigate a single bank robbery.
Magistrate Pym’s order represents one of the first instances, outside of the U.S. Foreign Intelligence Surveillance Court and the U.S. District Court for the District of Columbia, that a court has ordered a manufacturer or developer to non-consensually create a means to undermine or defeat a company’s primary line of business. Unfortunately, and unlike the orders arising from the U.S. Foreign Intelligence Surveillance Court and the U.S. District Court for the District of Columbia, Magistrate Pym’s order was not sealed. As such, if Apple complies with Magistrate Pym’s order, every hacker would know about the existence of a skeleton key that can be used to access data that is maintained and transmitted from an iPhone.
Aside from Magistrate Pym’s order, the issue of granting any actor unfettered access to millions of iPhones raises concerns about the prudence of mass data collection capabilities. In the instant case, the government has asked for tools that can be used to collect data from nearly 90% of all iPhone devices. Presumably, any data collected from these tools will be documented and recorded by the requesting agency or agencies. However, as evidenced by the multitude of data breach incidents in 2015 alone, almost all individuals holding government security clearances have had their personnel files subject to unauthorized access and disclosure. As such, serious consideration must be given to whether it is possible to protect digital backdoors and skeleton keys before ordering the creation of such tools.
Michael L. Salad is an attorney in Cooper Levenson’s Business & Tax and Cyber Risk Management practice groups. He concentrates his practice on estate planning, business transactions, mergers and acquisitions, tax matters and cyber risk management. Michael holds an LL.M. in Estate Planning and Elder Law. Michael is licensed to practice law in New Jersey, Florida and the District of Columbia. Michael may be reached at 609.572.7616 or via e-mail at msalad@cooperlevenson.com.
Peter Y. Fu is an attorney in Cooper Levenson’s Business & Tax and Cyber Risk Management practice groups. He concentrates his practice on sales and use tax, enterprise risk management, and commercial transactions. Peter is licensed to practice law in New Jersey and Florida. Peter can be reached at 609.572.7556 or via e-mail at pfu@cooperlevenson.com.
