Government uses 225-year-old law to force companies to unlock phones

Government uses 225-year-old law to force companies to unlock phones
​Revelations about how governments swallow up huge amounts of data have led to consumers and companies embracing encryption like never before, but feds may have found a hidden weapon within a centuries-old law now being used in court.

Late last month, a federal magistrate in New York approved a request filed by United States attorneys and compelled an unnamed cell phone maker to unlock a mobile device that had been seized by authorities pursuant to an investigation. In ordering the company to do as much, though, the judge agreed with an argument made weeks earlier by the US government in which its lawyers said the All Writs Act, a law first put on the books 225 years ago in 1789, should be evoked.

US attorneys told the court in an Oct. 10 filing that they had seized a mobile phone while investigating alleged credit card fraud and, despite obtaining a search warrant, had been unable to bypass the phone’s password-protection. With the data otherwise inaccessible, federal prosecutors said the court could order the manufacturer to provide “reasonable technical assistance” in unlocking the device by relying on the All Writs Act.

That legislation, Judge Gabriel Gorenstein for the Southern District of New York acknowledged in his Oct. 31 response, provides that federal courts “may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”

Despite the sheer antiquity of the act, however, Gorenstein did not object to the government attorney’s interpretation of the law and ordered the cell phone manufacturer to comply, citing a Supreme Court case from 1977 in which the New York Telephone Co. was compelled under the All Writs Act to help authorities install a “pen register” device to log call data. In the latest case, the magistrate said the only caveat was that the cell phone company could argue within five business days that doing so would be “unreasonably burdensome.”

“Courts have held that due process requires that a third party subject to an order under the All Writs Act be afforded a hearing on the issue of burdensomeness prior to compelling it to provide assistance to the government,” the judge wrote. “To the extent the manufacturer believes the order to be unduly burdensome or that it should be reimbursed for expenses, the manufacturer should be given clear notice that is has the opportunity to object to the order.”

Yet while the rest of the case remains under seal — the name of the cell phone company is completely redacted from the document, in fact — Wall Street Journal’s Danny Yadron speculated this week that the order could likely be directed at iPhone makers Apple.

“The language of the opinion suggests it could apply to a company like Apple. The order is directed at the ‘manufacturer of the cellphone,’ and Apple is one of the few companies that produce both the phone itself and the software that would manage the encryption,” Yadron wrote.

Apple and a tech attorney for the company both declined to comment for Wednesday’s article in the Journal, Yadron reported, but a spokesperson for the US attorney’s office in the Southern District of New York, James Margolin, said, “It’s not that unusual for the government to use an All Writs order to get a phone-maker to unlock a phone.”

In the year-and-a-half since former intelligence contractor Edward Snowden started supplying journalists with details about the surveillance operations of the US government and its allies, companies that offer products like computers and cell phones have increasingly been adopting policies and protocols that aim to protect the privacy of their consumers. Internet tools that aim to preserve anonymity are being installed in record numbers, and both Apple and Google made announcements in recent months concerning heavy duty encryption mechanisms that have since become standard on their iOS and Android mobile operating systems.

Yadron’s hypothesis that Apple is the company in question being ordered to assist the government would suggest that the Silicon Valley giant wasn’t bragging when it announced a few months ago that new encryption protocols being implemented on the iPhone would render data on those devices all but impossible to recover.

“On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode,” Apple said in September. "Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.” Google said soon after that all Android devices would come with encryption enabled out of the box, which if properly implemented would prohibit law enforcement from accessing data as well. James Comey, the director of the FBI, outright condemned both companies afterward.

Regardless of what company was compelled to assist the authorities with Gorenstein’s latest ruling, the repercussions could means that any promises made by American companies concerning privacy are at risk of being broken with only a magistrate’s signature.

“It’s part of what I think is going to be the next biggest fight that we see on surveillance as everyone starts to implement encryption,” Jennifer Granick, director of civil liberties at Stanford University’s Center for Internet and Society, told the Journal. With regards to the “technical assistance” provision ordered by the court, Granick asked, “Does this mean you have to do something to your product to make it surveillance friendly?”

Such requests aren’t restricted to solely the cell phone realm, either. Last year, encrypted email service Lavabit made headlines when a federal judge asked, under seal, for the company’s owner to provide the government with its master encryption keys because it was believed to be the only way authorities could monitor the conversations of a single user. When Lavabit’s owner, Ladar Levison, refused to immediately provide “technical assistance” in that case, prosecutors asked the court to consider charging him with contempt.

“If the government were to start coercing internet service providers to fundamentally undermine their services, on pain of obstruction of justice charges, I think a lot of companies would respond by either shutting down or designing services that are effectively impossible to wiretap in any way,” Brian Hauss, an attorney for the American Civil Liberties Union, told RT at the time. “That would be a tremendous waste of resources, and it would effectively prevent law enforcement from getting even the targeted information it needs to build a case. That’s why it’s so important for the government to show restraint when coercing service providers to assist in its investigations."

It’s unclear if the company at the center of the current Gorenstein case objected to the court’s response. Previously, Gorenstein landed in the news when he signed an order in July requiring Google to let authorities search the entire Gmail inbox of a criminal suspect.