Debate over encryption will continue in courts and Congress

29 March 2016. By Amy Miller and Mike Swift.

The US Department of Justice’s legal battle with Apple over the encrypted iPhone used by San Bernardino shooter Syed Farook is over, now that the agency has unlocked the phone without the company’s help.

But the debate over whether tech companies such as Apple and Google can be compelled to help law enforcement breach the digital walls of encryption built to secure mobile devices is far from over, and it will continue to play out in both Congress and federal court.

Congress has set up a committee to investigate the encryption issue as both Apple and Google continue to build operating systems for mobile devices in which encryption will be enabled by default. Default encryption is already the case for the majority of smartphones that run the newest operating systems, including Apple’s iOS 9, released in September 2015, and Google’s Marshmallow, the new version of Android released at about the same time.

The public’s attention has now turned to the government’s case against Apple in New York federal court over an encrypted iPhone used by a suspected drug dealer. The DOJ is trying to overturn a detailed, well-briefed order from a magistrate judge in that case that found that Apple is under no obligation to help the Federal Bureau of Investigation unlock the iPhone.

The DOJ has appealed the decision to a district court judge, but the agency said on Tuesday that it is willing to accommodate Apple’s request to delay further briefing in the case. Apple wanted more time to review the DOJ’s status report filed on Monday in the San Bernardino case so it can explain how the development will affect the New York case.

If the method used to unlock Farook’s iPhone can also unlock the iPhone in the New York case, which uses an older operating system, the DOJ may not need to pursue the New York case, either. And Apple, for whom privacy and security have become an essential selling point, will be eager to get details about how the encrypted phone was unlocked so it can fix any vulnerability in its system.

The DOJ hasn’t provided any details publicly yet about the method it used to unlock Farook’s phone, but the agency seems likely to pursue the New York case so it can try to overturn an unfavorable court decision that could be used against law enforcement in future battles over encryption.

Meanwhile, despite its chronic partisan dysfunction, Congress seems keen to wade into a debate that will define the limits of 21st century technology. The US House of Representatives has created an encryption working group composed of four Democratic and four Republican members of the US House Judiciary Committee and the House Energy and Commerce Committee. No specific legislation has been proposed yet, but working group members have been actively engaged in an ongoing discussion.

“That the government was able to gain access to the phone without Apple’s help is certainly preferable to issuing a wide-reaching court decision that would grant the government backdoor access into every American’s phone and other devices, but the fundamental question over how we, as citizens, expect our government to be able to access — or not access — our personal information still remains,” Representative Darrell Issa, a California Republican who sits on the working group, said in a statement.

At a hearing before the House Judiciary Committee on March 1, members of both parties said they believe it is the responsibility of the elected legislature, rather than the judiciary, to define the limits of privacy.

“I think it’s Congress’ responsibility to determine the expectation of privacy in this high-tech world,” said Representative Ted Poe, a Republican representing the suburbs of Houston, Texas.

Representative Zoe Lofgren, a California Democrat whose district includes part of Silicon Valley, reacted to FBI Director James Comey’s statement during that hearing that Apple’s encryption creates “zones of complete privacy.” Lofgren said: “It may be that the alternative is that nothing is private.”

Although Apple has been at the center of the encryption debate, Google could be next. There are more Android-powered phones used in the US than Apple devices.

Google announced the introduction of default encryption in October 2014 when it released the fifth generation of Android, called Lollipop. But according to Google’s most recent data, only about 38.4 percent of Android phones use the newer versions of the operating system (Marshmallow and Lollipop) that support default encryption.

Encryption isn’t baked into the other 61.6 percent of Android phones using older versions of the operating system. Nevertheless, Google says it is moving toward universal encryption for all its services, including Gmail and search.

“Implementing encryption is not easy work,” the company said in a March 15 blog post. “But, as more people spend more of their time on the web, it’s an increasingly essential element of online security.”

The ACLU said Friday that it had used Freedom of Information Act requests to uncover more than 60 cases where the government had attempted to use the All Writs Act to unlock a smartphone, with many of those requests going to Apple, but a good share going to Google.