Apple Ordered to Disable Auto-Erase Feature

Pursuant to the All Writs Act, 28 U.S.C. § 1651, Magistrate Judge Sheri Pym ordered on February 16, 2016 that Apple assist in the investigation of the San Bernardino shooting by disabling a feature that would auto-erase one of the shooter’s phone after ten password attempts.  According to the government’s ex parte application, unless the auto-erase feature is disabled, “iOS will instantly, irrecoverably, and without warning erase the encryption keys necessary for accessing stored data.”  Declaration of Christopher Pluhar at 5.  Although the media is reporting that Apple is being forced to unlock the phone, that is not the case.

Even though Judge Pym ordered that Apple provide “reasonable technical assistance to assist law enforcement agents in obtaining access to the data on the SUBJECT DEVICE,” what was actually ordered would only allow investigators to “brute force” determine the password for the phone without the possibility of any data deletion.  The software ordered to be provided by Apple would have “a unique identifier of the phone so that the SIF [software image file] would only load and execute on the SUBJECT DEVICE.”  In other words, the software would purportedly not be used by the authorities for other devices.

The Order concludes with the following:  “To the extent that Apple believes that compliance with this Order would be unreasonably burdensome, it may make an application to this Court for relief within five business days of receipt of the Order.”  Given that the Order also anticipates that Apple would be compensated given it requires that Apple “shall advise the government of the reasonable cost of providing this service” it may be the case the Judge anticipates objections based on the expense or efforts related to the request – and not the significant precedent set by this equitable relief.

In an open letter to customers, Apple’s CEO has publicly challenged the request and set up the stakes as follows:

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

According to Mr. Cook, “[o]nce created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”

Judge Pym gave Apple five days to respond to the Order so a major battle is about to unfold — with various privacy groups already sharpening their amicus pencils.  Given it was prior US government mass surveillance that caused the Court of Justice of the European Union to strike down the EU Safe Harbor framework for data transfer emanating from the EU, this Order obviously holds more significance than the brute force unlocking of a single phone.  Depending on how this case unfolds it will have a direct impact far removed from Judge Pym’s courtroom and may even cause the EU-US Privacy Shield to fail before it really even got off the ground.

Replacement Safe Harbor Reached

First announced today by Bloomberg BNA, the U.S. and the European Union reached agreement on a new data transfer framework to replace the invalidated Safe Harbor program.  The European Commission press release provides details of this agreement and the new EU-US Privacy Shield:

The EU-US Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

By way of background, the U.S./EU Safe Harbor Program allowed U.S. companies to transfer EU citizens’ data to the U.S. if they self-certified to the U.S. Department of Commerce their compliance with privacy principles similar to those contained in the EU Data Protection Directive.  The program was invalidated by the Court of Justice of the European Union based on a claim the U.S. government’s surveillance programs necessarily showed a lack of compliance given the lack of adequate restrictions on this data gathering.  The result was widespread confusion among multi-nationals given the invalidation of Safe Harbor affected thousands of U.S. companies certified in the program as well as many more companies relying on the certification to transfer personal data to those companies.

One key takeaway of this agreement is that it continues to place enforcement power with the FTC regarding the “robust obligations on how personal data is processed and individual rights are guaranteed.”  Moreover, according to the Press Release, the U.S. “has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement.”  And, with regards complaints on possible access by national intelligence authorities, the new Ombudsperson will take charge.

It remains to be seen whether the NSA is on board or whether this agreement was a huge temporary fix simply so that all sides could save face.  What is certain, however, is that multi-nationals should have very little comfort that this fix is permanent and will be left unchanged after its inevitable challenge in the court system.