
Sunday, February 21, 2016

The FBI, Apple, and the Importance of Jurisdiction

Jurisdiction is important when dealing with the law.  Courts as a rule do not have the power to decide every issue brought before them.  A small claims court can’t decide a million-dollar contract dispute.  An Alaskan state court can’t evict a tenant living in Manhattan.  A federal court typically does not have jurisdiction over purely state law criminal prosecutions.  Jurisdiction, in other words, is extremely meaningful.  And jurisdiction just might play an important role in deciding the present dispute between the FBI and Apple about the San Bernardino shooter’s iPhone.

The scenario reads like a thorny law school exam fact pattern.  The FBI holds a seized iPhone used by one of the terrorists who killed 14 of his co-workers in San Bernardino in December 2015.  The phone belongs to his employer, which has given its consent to a search of the phone and its data.  The data on the phone is encrypted, and cannot be read by the FBI.  The phone is password-protected, and if the FBI makes more than 10 incorrect password guesses, there is a very strong danger that the current encryption key will be destroyed and the phone’s data will, for all practical purposes, become unrecoverable. 

Apple owns the phone’s operating system.  It is uniquely positioned to help the FBI by revising the phone’s software to disable the 10-or-dead feature.  The FBI has requested Apple’s help; Apple has refused, and the FBI has secured a court order directing Apple to assist the FBI.  Apple, in an open letter to its customers, indicated it will challenge the order, citing its concerns about building what it says is a currently-nonexistent “backdoor” into its iOS operating system that could compromise security for its millions of users worldwide. 

In its application to the court, the FBI argued that the proposed software would only be usable for this one iPhone, because it would be keyed to the specific hardware id associated with that iPhone.  Apple quite clearly disagrees: “But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”

Apple’s concern for the privacy of its users appears to be reasonable.  If it is forced to develop software designed to defeat the 10-or-dead feature on this one iPhone, that software could work on any iPhone, provided that iPhone’s unique id is substituted for that of the phone used by the San Bernardino shooter – a relatively trivial change.  A flood of court orders compelling Apple to use the same software for other locked iPhones could follow.   

The dispute shines a spotlight on important privacy issues that affect all of us.  Tech companies and the government have been arguing for years about encryption.  The tug-of-war between the need to keep user information private and the government’s need to investigate crimes has been the subject of ongoing debate.  The recent revelations about the extent of warrantless government surveillance have shone a spotlight on what many believe are abuses by the government of citizen privacy, and have resulted in stronger encryption regimes for consumer communications devices and systems.

In the Apple case, the order sought by the FBI (read the FBI's application here) was signed the very same day the FBI asked for it, which suggests that the court simply accepted the FBI’s argument without giving it too much scrutiny.  (The order was sought ex-parte, without Apple’s participation.)  The FBI relies on the All Writs Act, a law dating from our nation’s infancy, to support its request.  The act is sort of a catch-all for federal courts, providing that “The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”  The government argued, and the district court agreed, that the act empowered the court to issue its order directing Apple to help the government defeat the 10-or-dead feature on the San Bernardino iPhone so that the government may attempt to crack the phone’s password. 

Apple has not yet filed its opposition to the court’s order.  There are a number of arguments it can be expected to raise; some of them were highlighted in its customer letter: “If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.”

One potential argument not mentioned by Apple is that the court’s grant of the FBI’s request is an impermissible application of the All Writs Act because the order was not “necessary or appropriate in the aid of” the court’s jurisdiction.  This argument formed the basis of the dissent to one of the key cases the FBI relies upon, United States v New York Telephone Co., 434 US 159 (1977).

In New York Telephone, the Supreme Court in a 5-4 decision held that the district court had the power to issue an order under the All Writs Act directing New York Telephone to lease certain phone lines to the FBI to permit it to secretly install a pen register to record phone numbers dialed by a suspected gambling operation in New York City.  In his dissent, Justice  Stevens argued that this was an improper extension of the act’s scope because the order requested by the FBI in that case was not one that would “be in the aid of [the court’s] duties and [the court’s] jurisdiction.”  434 US at 189.  “The fact that a party may be better able to effectuate its rights or duties if a writ is issued never has been, and under the language of the statute cannot be, a sufficient basis for issuance of the writ.” Id. (my emphasis).    

The following paragraph from the dissent could have been written to cover this very situation: 

Nowhere in the Court's decision or in the decisions of the lower courts is there the slightest indication of why a writ is necessary or appropriate in this case to aid the District Court's jurisdiction. According to the Court, the writ is necessary because the Company's refusal "threatened obstruction of an investigation . . . ."  Concededly, citizen cooperation is always a desired element in any government investigation, and lack of cooperation may thwart such an investigation, even though it is legitimate and judicially sanctioned.  But unless the Court is of the opinion that the District Court's interest in its jurisdiction was coextensive with the Government's interest in a successful investigation, there is simply no basis for concluding that the inability of the Government to achieve the purposes for which it obtained the pen register order in any way detracted from or threatened the District Court's jurisdiction. Plainly, the District Court's jurisdiction does not ride on the Government's shoulders until successful completion of an electronic surveillance.
Id. at 190 (my emphasis). 


Admittedly, this was the losing side’s argument in the New York Telephone case.  But it has the attractiveness of being rooted in the actual language of the All Writs Act.  Given recent revelations about the extent to which the government has abused the privacy rights of its citizens, Justice Stevens’s prescient concern in the New York Telephone dissent is apt today:  “Nevertheless, the order is deeply troubling as a portent of the powers that future courts may find lurking in the arcane language of Rule 41 [covering Search and Seizure] and the All Writs Act.”

Friday, January 23, 2009

NSA Agents Reduced to Conducting E-Discovery on Citizens?

New allegations from Russell Tice, the former NSA analyst who earlier revealed the agency's role in warrantless eavesdropping on international phone calls, suggest that the NSA has also been compiling a vast database of information about the domestic communications of US citizens.  In two interviews with MSNBC's Keith Olbermann -- who is probably not the most objective person to be hosting the discussion -- Tice described in fairly rough terms a practice of data collection and analysis that sounds very much like some forms of electronic discovery.  Wired has a good summary of the assertions here.   

In particular, Tice describes a system of information gathering that is less direct eavesdropping than it is data mining: "This is garnered from algorithms that have been put together to try to just dream-up scenarios that might be information that is associated with how a terrorist could operate," Tice said. "And once that information gets to the NSA, and they start to put it through the filters there . . . and they start looking for word-recognition, if someone just talked about the daily news and mentioned something about the Middle East they could easily be brought to the forefront of having that little flag put by their name that says 'potential terrorist'."  The process he talks about is similar to earlier speculation as to how such surveillance would operate.   

If true, Tice's claims raise obvious Fourth Amendment issues.  They also paint the rather sad picture of some of our country's best intelligence analysts toiling away at tasks that are little different than those practiced by junior associates and contract attorneys in law firms and e-discovery companies from New York to New Delhi.  It would be adding insult to injury, of course, if Tice's allegations are true and the analysis is being directed at the analysts' fellow citizens.

Wednesday, January 21, 2009

RIAA Fights Internet Broadcast of File-Sharing Hearing

As you may have heard, a Massachusetts federal district court judge recently granted the motion of the defendant in a file-sharing copyright infringement case brought by the RIAA to broadcast a pre-trial hearing over the Internet. Yesterday, that order was stayed so that the RIAA could appeal it to the First Circuit. The RIAA's mandamus petition is interesting reading. The main ground of the petition is essentially that the judge's order is against the rules, namely rule 83.3 of the local rules.

Really. Let's take a look at Rule 83.3.

-- (a) Recording and Broadcasting Prohibited. Except as specifically provided in these rules or by order of the court, no person shall take any photograph, make any recording, or make any broadcast by radio, television, or other means, in the course of or in connection with any proceedings in this court, on any floor of any building on which proceedings of this court are or, in the regular course of the business of the court, may be held. [Emphasis supplied]

Looks to me like the judge has some discretion there. But, the RIAA argues, allowing recording conflicts with the policies of the Judicial Conference of the United States. This appears to be a stronger argument -- the Judicial Conference has repeatedly come out against permitting the recording or broadcast of court proceedings. In a 2007 statement to Congress, Judge John Tunheim explained the bases for the opposition:

-- The Judicial Conference position is based on a thoughtful and reasoned concern regarding the impact cameras could have on trial proceedings. This legislation has the potential to undermine the fundamental right of citizens to a fair trial. It could jeopardize court security and the safety of trial participants, including judges, U.S. attorneys, trial counsel, U.S. marshals, court reporters, and courtroom deputies. The use of cameras in the trial courts could also raise privacy concerns and produce intimidating effects on litigants, witnesses, and jurors, many of whom have no direct connection to the proceeding. In addition, appearing on television could lead some trial participants to act more dramatically, to pontificate about their personal views, to promote commercial interests to a national audience, or to increase their courtroom actions so as to lengthen their appearance on camera. Finally, camera coverage could become a negotiating tactic in pretrial settlement discussions or cause parties to choose not to exercise their right to have a trial.

While few if any of those concerns apply in this case, there's no arguing that the Judicial Conference is not a fan of broadcasting contentious courtroom proceedings.

So is the RIAA simply defending the Judicial Conference against the actions of a wayward District Court judge? No; the RIAA is concerned that allowing the hearing to be broadcast will cause "irreparable harm." The nature of that harm?

-- Here, where the district court's interpretation of the Local Rule may well open the doors to a flood of applications by broadcasters seeking to record and broadcast other proceedings throughout the District of Massachusetts, there is necessarily a "sufficient showing of irreparable harm" to merit the exercise of this Court's power of mandamus.

So the RIAA is also defending the rest of the Massachusetts Federal Judiciary from the increased burdens of having to deal with this "flood of applications" from others seeking permission to broadcast other trials. A very noble position, to be sure, but of course the RIAA is also worried on its own behalf:

-- Nor is there any doubt that Petitioners would suffer irreparable harm if the proposed broadcast of the proceedings in this case is allowed to proceed.

By way of proof, the RIAA then offers the following explanation:

-- The Judicial Conference has repeatedly expressed the view that presence of cameras in district court proceedings "can do irreparable harm to a citizen's right to a fair trial."

That, however, is by no means proof that irreparable harm would occur in this case. The RIAA's next argument is rather ironic, given the nature of the dispute:

-- Petitioners are concerned that, unlike a trial transcript, the broadcast of a court proceeding through the Internet will take on a life of its own in that forum. The broadcast will be readily susceptible to editing and manipulation by any reasonably tech-savvy individual. Even without any improper modification, statements may be taken out of context, spliced together with other statements, and broadcast rebroadcast [sic] as if it were an accurate transcript.

Of course, a written transcript is even more susceptible to manipulation than is a video or audio recording. It's laughably easy to select statements out of context from a written transcript and present them in a way that is unfavorable to one side or the other. If anything, a video record would make any such manipulation more evident, with cuts and splices to the record appearing as odd "jumps" or "skips" in the recording or in the appearance of the speaker.

The RIAA saves what to me is its strongest argument for last: that the Berkman Center, which would host the broadcast, is strongly opposed to the RIAA's suits against alleged file sharers and is closely allied with the defense team. This, however, is the issue that is easiest to fix -- allow a relatively neutral party, such as a "traditional" news organization, to host the feed.

The RIAA, of course, has a legitimate reason to complain where the manner in which users copy or distribute its members' recordings reaches beyond the often-murky boundaries of fair use. Its vehement opposition to having this hearing broadcast appears to mask a real concern about looking bad before an Internet audience behind a stated concern about protecting the integrity of the judicial system. That's a little ironic in view of the RIAA's recent decision to more or less abandon the courts and let ISPs regulate offending users.

Read Wired's take on this here and here.

Tuesday, January 06, 2009

New York Blood Center Drops Social Security Number Requirement

Perhaps on the heels of a New York law that prohibits "[p]rint[ing] an individual's social security account number on any card or tag required for the individual to access . . . services or benefits," the New York Blood Center has finally dropped its longstanding requirement that donors give up their social security numbers to the Blood Center before they were allowed to donate blood or plasma.

I had complained about this more than four years ago, and I knew that the requirement remained in place as of this past fall. In reviewing the new statute, I decided to ask the Blood Center whether it still required its donors' social security numbers. A prompt email reply informed me that, as of December 1 of last year, it did not.

Time to roll up my sleeve . . . .

Friday, November 21, 2008

Jones Day Winning and Losing in Trademark Dust-up

There has been so much written about the Jones Day trademark infringement lawsuit against BlockShopper that for me to add to the commentary would simply be piling on. According to the lawsuit, Blockshopper.com is in the business of "gathering and publishing details of private residential real estate transactions." (Presumably, what this really meant is transactions between individuals, since virtually all real estate transactions, even residential ones, are matters of public record.)

BlockShopper apparently included among its transaction listings purchases made by two Jones Day attorneys, and in those two listings linked back to the Jones Day website and included photo images of the two attorneys that the complaint says "are identical to the photographs which appear on the Jones Day web site." BlockShopper's use of the Jones Day marks in its posts, the links back to the Jones Day website, and the use of the two attorney photographs are alleged to "create the false impression that Jones Day is affiliated with and/or approves, sponsors or endorses" BlockShopper's business.

The blogosphere is predictably apoplectic over what is widely viewed as an ill-reasoned, over-aggressive attack by the large law firm against a relatively defenseless adversary. I have not seen any descriptions of the suit that take the position that it was a good idea; you can decide for yourself. Read the amended complaint; and see what SEOmozBlog, CL&P Blog, the Cleveland Plain Dealer, the Citizen Media Law Project, and TechDirt have to say.

[Update: Here's another good discussion from the Technology and Marketing Law Blog.]

Say what you will about the merits. If the case stands for anything, it serves as a reminder that when Big sues Little, Big should be prepared to fight both in and out of court. While Jones Day may have prevailed to date in Federal court, it's clearly taking a beating in the court of public opinion.

Verizon Employees Peek at Obama Phone Records

Some overly-curious Verizon employees took a peek at President-elect Obama's phone records and have been disciplined by the company as a result. This is yet another example of why it pays to be sceptical when a trusted party promises to keep personal information secure. There is always a way for that information to end up in front of someone who has no reason to see it, and more often than not the guilty party is someone on the inside. The same thing happened with passport records some months back.

Thursday, November 20, 2008

EU Reports on Real Crimes in Virtual Worlds

ENISA, the European Network and Information Security Agency, has just issued a Position Paper following a study of criminal activity involving on-line "virtual worlds" (MMOGs). Criminals have quickly realized that there is real-world value to virtual-world assets, and have employed various ways of extracting that value from unsuspecting gamers.

The paper notes that "criminals are increasingly exploiting cross-over points between virtual and real-world economies. It is the failure to recognise the importance of protecting the real-world value locked up in this grey-zone of the economy which is leading to the 'year of online world fraud.'" The paper divides the criminal exploits into three categories: (1) identity theft; (2) taking advantage of flaws in the virtual-world economies ("illegally" duplicating or creating virtual-world objects or wealth); and (3) in-game theft (stealing virtual assets from in-game characters).

The paper makes a number of recommendations, of course, many of which boil down to shining a light on the criminal activity and educating the public about the risks associated with participating in virtual worlds.

As for what it calls "Corporate Virtual Worlds," however, the paper notes that there is very little research on the security of those worlds. It recommends that "enterprise-critical data should not be processed within a virtual world that is not entirely under the company's control and that no client or server beyond a protected local area network, administered by trusted parties, should be used." That's a caution worth considering if your company is considering setting up shop in Second Life or a similar public on-line world.

Here is the press release summarizing the paper. Thanks to The Register for the post on this one.

Tuesday, November 11, 2008

Nigerian Scammers Discover Facebook

HELLO MY FACEBOOK FRIEND. MAY THIS COMMUNICATION FIND YOU ROTFL WITH HEALTH AND BEST OF CHEER. I AM YOUR LONG-TIME BFF FRIEND FROM YOUR FACEBOOK PAGE ON THE INTERNETS, AND OMG I AM CURRENTLY FINDING MYSELF IN A SITUATION OF MOST CONSIDERABLE DISTRESS THAT REQUIRES THE IMMEDIATE RECEIPT OF FUDNING FROM YOUR MOST GENEROUS AND KIND SELF IN THE AMOUNT OF WTF US$524 (FIVE HUNDRED AND TWENTY-FOUR UNITED STATES DOLLARS). PLEASE CONTACT MYSELF YOUR FACEBOOK FRIEND AT YOUR EARLY CONVENIENCE TO ASSIST ME IN RESLOVING SAID DIFFICULTY IN MY PERSONAL LIFE. KTHXBAI.

If you have a Facebook page, beware of odd requests from "friends" that ask you to wire them money. Nigerian scammers are apparently using Trojan-type exploits to steal Facebook passwords and then pose as a friend in need to ask for money.

My two haikus based on other Nigerian "419" schemes follow, with a link to many more (my second one, I'm proud to say, earned a runner-up prize that I never received from The Register. The recognition, of course, is reward enough):

mysterious mail
distinguished salutation -
send account number


generous kind sir
of sterling reputation -
help with stranded funds?

Monday, November 10, 2008

No Expectation of Privacy on Work Computer

A recent New Jersey case makes the point that you need to assume that everything you store on your work computer is accessible to your employer. It also highlights the need for even small companies to employ some reasonable level of system security.

The facts read like something that could make its way into the next season of "The Office." Employer hires ex-con employee out on probation to be a part-time bookkeeper, apparently looking past his conviction on 14 counts of forgery for stealing over $220,000 from an earlier employer. Employee is told that the computers are company property when he starts work, and soon becomes a trusted employee, rising to the level of full-time bookkeeper with broad, finance-related job duties that touch on a wide range of Employer's operations.

Employee also owns his own company, selling used computers and related items. Employer expands employee's duties further to include computers. Employer upgrades computer system and installs a network. Employees log in to the system by entering a common password -- cleverly set to be "password" -- and then their name.

Employer begins purchasing computers from employee, starting with a $1500 tower and then employee's used laptop. The laptop sale was a double score for employee, since he had used his boss's credit card to purchase the laptop originally and then paid the bill with a check that he had employer's system issue. Employee was not entirely self-centered; he did list the laptop as a company asset on the employer's depreciation schedules.

Employee next calls employer's payroll company and gives himself a raise, from about $40,000 per year to $125,000 per year. This, finally, is discovered and employee is sent packing. He leaves the computers behind, which are searched when the police are alerted to employee's creative asset enhancement program.

Employee -- now, again, a defendant -- moves to suppress the evidence of the computer search, claiming that the laptop -- the one he had purchased for himself with company money and then sold back to the company -- belonged to him. He also claims that the $1500 tower computer was his as well.

The bottom line: the employee had "no reasonable expectation of privacy in the personal information stored in his workplace computer." Employer owned the computers, they were kept in the company's offices, the employee was so advised when he started work, the tower was connected to the company network, the laptop contained business software, and other employees had equal access to the computers.

Employees: Know your rights . . . or lack thereof, where personal information and company computers are concerned.

Employers: Secure your systems and be wary of hiring serial fraudsters.

I wrote on this workplace privacy issue some months ago.

Thanks to the e-discovery law blog for this one.