The debut of a new iPhone is always big news, but this time it’s surrounded by unusual controversy. That’s because the iPhone6 automatically encrypts the phone’s contents. Decrypting requires a code that the user sets and does not share with Apple—which means that, if the FBI orders Apple to turn over data kept on the customer’s phone, the company will produce data that amount to “gibberish” (as the New York Times reported). The FBI then will have to decrypt the data—a process that could take years—or try to compel the user to reveal the code.
FBI director James Comey responded with outrage, claiming that companies like Apple are “marketing something expressly to allow people to hold themselves beyond the law.” Other law enforcement officials have made similar pronouncements. Yet the law doesn’t give the government any right to the contents of your phone. It’s more accurate to say that, in recent years, the advent of widespread third-party data storage has allowed the government to get around the protections afforded by the Fourth and Fifth Amendments of the Constitution. Apple’s encrypted iPhone 6 is just the latest in a series of efforts by the courts and the public to reassert those protections.
The government’s rights
The reaction of law enforcement officials to the iPhone6 suggests that encryption interferes with a governmental right of access to a smartphone’s contents. No law, however, prohibits people from using strong encryption for their communications, just as no law prohibits people from deleting them. Both actions, in theory, could frustrate the execution of a warrant, but both clearly have legitimate purposes as well, and the law permits them.
Nor does the law require Apple to keep a key to its customers’ locks. A 1994 statute, the Communications Assistance for Law Enforcement Act (CALEA), required telecommunications companies to create “back doors” into their systems to ensure the companies’ ability to comply with wiretap orders. But CALEA was limited in its reach and focused on then-existing technologies. Mandating companies’ ability to decrypt a smartphone would require amending the law, and Edward Snowden’s disclosures derailed recent efforts to do just that. At bottom, the rule that Comey is blaming Apple for flouting doesn’t exist—because Congress chose not to adopt it.
(There are good reasons not to expand CALEA, in any event. Experts note that requiring companies to be able to override security protections means building vulnerabilities into their systems, which also can be exploited by hackers and criminals. On balance, they argue, these “back doors” are a net loss for the public’s safety and security.)
The applicable law here is not CALEA, but the law of supply and demand—and the U.S. government has itself to blame for the outcome. The rising demand for encryption is largely a response to revelations about U.S. surveillance practices, such as adopting tortured interpretations of the law to justify collecting the phone and internet metadata of all Americans; covertly undermining security features by intercepting shipments of computers to insert vulnerabilities and weakening international encryption standards; and launching a program to collect every phone call going in and out of certain foreign countries. In short, customers have no confidence that the U.S. government will respect the privacy of law-abiding individuals and limit itself to narrow searches for evidence of crimes.
The people’s rights
With only narrow exceptions, the Fourth Amendment prohibits the government from accessing Americans’ personal communications and correspondence without a warrant based on probable cause of criminal activity. However, the government, until now, has managed to persuade courts that users forfeit any reasonable expectation of privacy (and thus any Fourth Amendment protection) in information stored on a company’s server or otherwise “shared” with providers. Although Congress enacted some protections for stored data, they generally fall far below the protections afforded by a regular warrant. The so-called “third-party doctrine” gives the government relatively easy access to troves of e-mails, text messages, calendars, contact lists, and other private information.
The tide may be turning. In United States v. Jones, a 2012 Supreme Court case holding that police officers violated the Fourth Amendment when they attached a GPS device to a car without a warrant, Justice Sonia Sotomayor suggested that the Court might need to revisit the third-party doctrine. More recently, in Riley v. California, the Court unanimously ruled that police officers need a warrant to search a cell phone incident to arrest.
But even if a warrant requirement becomes standard for private information held by third parties, reliance on electronic data storage will continue to change how Fourth and Fifth Amendment rights play out. For most of this country’s history, the medium for private correspondence was paper, which could readily be destroyed. Then came telephone calls, which were ephemeral; absent a contemporaneous wiretap, their contents were beyond the reach of law enforcement. People had the ability, in other words, to erase the information they created or received. The only way for law enforcement officials to obtain that information was by convincing the communicants to tell them what they knew—and the Fifth Amendment prohibited officials from compelling statements that would be self-incriminating.
Today, regardless of a person’s wishes, the most common forms of communication—e-mails and text messages—create a semi-permanent record. Even if the information’s creator or recipient tries to delete it, it is often retrievable, either from the provider or through forensic examination of digital storage. The ability to keep one’s information to oneself—the heart of the Fifth Amendment as well as the Fourth—has been sharply curtailed.
Of course, some might celebrate the fact that technology has eroded the ability to destroy evidence. But that would miss the point. The legitimate activities that people might reasonably want to keep private dwarf the illegitimate ones, and people have always discarded information for a wide range of reasons. Third-party data storage not only makes it harder to destroy evidence of a crime; it also makes it harder to prevent information theft, to achieve peace of mind that sensitive personal information is inaccessible to others, to reinvent oneself, and to guard against government overreach and abuse. The ability to encrypt data restores the control over personal information that is the hallmark of the right to privacy.
The practical effect
The constitutional and legal issues presented by companies’ encryption of smartphones don’t turn on how law enforcement efforts are affected. It’s nonetheless worth noting that the doomsday scenarios invoked by officials—in which the government is helpless to stop an imminent terrorist attack because the critical information lies, encrypted, on the terrorist’s iPhone—are highly unlikely to materialize.
For one thing, much of the data will be accessible through other means. The most important information sought by law enforcement is often metadata—information about a person’s communications, including location, time, and numbers called. These records also are held by mobile phone network operators, out of users’ control. As for the content, most people store their data in multiple places, synching their smartphones with other devices and/or backing up their information in the cloud. Such information will remain available to law enforcement through the other places where it is stored.
In a situation in which the phone is truly the only repository of the information, the government may be able to get a warrant compelling the user to reveal his or her decryption code. One federal appeals court has held that requiring someone to divulge a password violates the Fifth Amendment’s protection against self-incrimination. Federal trial courts, however, as well as state courts, have upheld such warrants. Criminal suspects who do not comply with orders to disclose their codes may be imprisoned until they do—a strong incentive for compliance.
Of course, terrorists or others bent on wreaking destruction might refuse to supply the code. If above-board methods don’t work (and even if they do), the government may try to do what it has done successfully in the past: hack its way in. As any computer user knows, there’s no such thing as mistake-free software. The government is adept at finding these vulnerabilities and exploiting them.
In any event, the notion that Apple is providing terrorists with a new way to hide their plans ignores an obvious reality: Any terrorist sophisticated enough to pull off an attack already was encrypting his communications. There are a number of strong cryptography tools that are available, for which only the user possesses the key. Indeed, the Android mobile operating system has offered device-level encryption as an option since 2011 (and will soon offer it as the default). Apple did not invent powerful encryption; Apple simply decided to make it a default feature on the iPhone without undermining it by building a back door.
Why, then, is Comey so upset? Apple’s move won’t lead to terrorist attacks or unsolved kidnappings, but it will make FBI investigators’ jobs a bit harder. They would no doubt prefer the one-stop shopping iPhones previously provided.
The source of Comey’s pique, however, probably runs deeper. In the digital age, privacy was starting to feel like a thing of the past. The third-party doctrine and electronic data storage had all but eliminated the need for traditional warrants, and Americans seemed unfazed by the government’s easy access. But the landscape is shifting. Courts are beginning to see the need to revitalize the Fourth and Fifth Amendments, and private citizens around the world, galvanized by Snowden’s disclosures, are no longer content to let the U.S. intelligence establishment help itself. For officials who have come to see mass collection as the government’s own inalienable right, the new iPhone is a stark signal that the days of unfettered governmental access to private information may be numbered.