
Sunday, February 21, 2016

The FBI, Apple, and the Importance of Jurisdiction

Jurisdiction is important when dealing with the law.  Courts as a rule do not have the power to decide every issue brought before them.  A small claims court can’t decide a million-dollar contract dispute.  An Alaskan state court can’t evict a tenant living in Manhattan.  A federal court typically does not have jurisdiction over purely state law criminal prosecutions.  Jurisdiction, in other words, is extremely meaningful.  And jurisdiction just might play an important role in deciding the present dispute between the FBI and Apple about the San Bernardino shooter’s iPhone.

The scenario reads like a thorny law school exam fact pattern.  The FBI holds a seized iPhone used by one of the terrorists who killed 14 of his co-workers in San Bernardino in December 2015.  The phone belongs to his employer, which has given its consent to a search of the phone and its data.  The data on the phone is encrypted, and cannot be read by the FBI.  The phone is password-protected, and if the FBI makes more than 10 incorrect password guesses, there is a very strong danger that the current encryption key will be destroyed and the phone’s data will, for all practical purposes, become unrecoverable. 

Apple owns the phone’s operating system.  It is uniquely positioned to help the FBI by revising the phone’s software to disable the 10-or-dead feature.  The FBI has requested Apple’s help; Apple has refused, and the FBI has secured a court order directing Apple to assist the FBI.  Apple, in an open letter to its customers, indicated it will challenge the order, citing its concerns about building what it says is a currently-nonexistent “backdoor” into its iOS operating system that could compromise security for its millions of users worldwide. 

In its application to the court, the FBI argued that the proposed software would only be usable for this one iPhone, because it would be keyed to the specific hardware id associated with that iPhone.  Apple quite clearly disagrees: “But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”

Apple’s concern for the privacy of its users appears to be reasonable.  If it is forced to develop software designed to defeat the 10-or-dead feature on this one iPhone, that software could work on any iPhone, provided that iPhone’s unique id is substituted for that of the phone used by the San Bernardino shooter – a relatively trivial change.  A flood of court orders compelling Apple to use the same software for other locked iPhones could follow.   

The dispute shines a spotlight on important privacy issues that affect all of us.  Tech companies and the government have been arguing for years about encryption.  The tug-of-war between the need to keep user information private and the government’s need to investigate crimes has been the subject of ongoing debate.  The recent revelations about the extent of warrantless government surveillance have shone a spotlight on what many believe are abuses by the government of citizen privacy, and have resulted in stronger encryption regimes for consumer communications devices and systems.

In the Apple case, the order sought by the FBI (read the FBI's application here) was signed the very same day the FBI asked for it, which suggests that the court simply accepted the FBI’s argument without giving it too much scrutiny.  (The order was sought ex-parte, without Apple’s participation.)  The FBI relies on the All Writs Act, a law dating from our nation’s infancy, to support its request.  The act is sort of a catch-all for federal courts, providing that “The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”  The government argued, and the district court agreed, that the act empowered the court to issue its order directing Apple to help the government defeat the 10-or-dead feature on the San Bernardino iPhone so that the government may attempt to crack the phone’s password. 

Apple has not yet filed its opposition to the court’s order.  There are a number of arguments it can be expected to raise; some of them were highlighted in its customer letter: “If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.”

One potential argument not mentioned by Apple is that the court’s grant of the FBI’s request is an impermissible application of the All Writs Act because the order was not “necessary or appropriate in the aid of” the court’s jurisdiction.  This argument formed the basis of the dissent in one of the key cases the FBI relies upon, United States v. New York Telephone Co., 434 U.S. 159 (1977).

In New York Telephone, the Supreme Court in a 5-4 decision held that the district court had the power to issue an order under the All Writs Act directing New York Telephone to lease certain phone lines to the FBI to permit it to secretly install a pen register to record phone numbers dialed by a suspected gambling operation in New York City.  In his dissent, Justice Stevens argued that this was an improper extension of the act’s scope because the order requested by the FBI in that case was not one that would “be in the aid of [the court’s] duties and [the court’s] jurisdiction.”  434 U.S. at 189.  “The fact that a party may be better able to effectuate its rights or duties if a writ is issued never has been, and under the language of the statute cannot be, a sufficient basis for issuance of the writ.” Id. (my emphasis).

The following paragraph from the dissent could have been written to cover this very situation: 

Nowhere in the Court's decision or in the decisions of the lower courts is there the slightest indication of why a writ is necessary or appropriate in this case to aid the District Court's jurisdiction. According to the Court, the writ is necessary because the Company's refusal "threatened obstruction of an investigation . . . ."  Concededly, citizen cooperation is always a desired element in any government investigation, and lack of cooperation may thwart such an investigation, even though it is legitimate and judicially sanctioned.  But unless the Court is of the opinion that the District Court's interest in its jurisdiction was coextensive with the Government's interest in a successful investigation, there is simply no basis for concluding that the inability of the Government to achieve the purposes for which it obtained the pen register order in any way detracted from or threatened the District Court's jurisdiction. Plainly, the District Court's jurisdiction does not ride on the Government's shoulders until successful completion of an electronic surveillance.
Id. at 190 (my emphasis). 


Admittedly, this was the losing side’s argument in the New York Telephone case.  But it has the attractiveness of being rooted in the actual language of the All Writs Act.  Given recent revelations about the extent to which the government has abused the privacy rights of its citizens, Justice Stevens’s prescient concern in the New York Telephone dissent is apt today:  “Nevertheless, the order is deeply troubling as a portent of the powers that future courts may find lurking in the arcane language of Rule 41 [covering Search and Seizure] and the All Writs Act.”

Friday, January 23, 2009

NSA Agents Reduced to Conducting E-Discovery on Citizens?

New allegations from Russell Tice, the former NSA analyst who earlier revealed the agency's role in warrantless eavesdropping on international phone calls, suggest that the NSA has also been compiling a vast database of information about the domestic communications of US citizens.  In two interviews with MSNBC's Keith Olbermann -- who is probably not the most objective person to be hosting the discussion -- Tice described in fairly rough terms a practice of data collection and analysis that sounds very much like some forms of electronic discovery.  Wired has a good summary of the assertions here.   

In particular, Tice describes a system of information gathering that is less direct eavesdropping than it is data mining: "This is garnered from algorithms that have been put together to try to just dream-up scenarios that might be information that is associated with how a terrorist could operate," Tice said. "And once that information gets to the NSA, and they start to put it through the filters there . . . and they start looking for word-recognition, if someone just talked about the daily news and mentioned something about the Middle East they could easily be brought to the forefront of having that little flag put by their name that says 'potential terrorist'."  The process he talks about is similar to earlier speculation as to how such surveillance would operate.   

If true, Tice's claims raise obvious Fourth Amendment issues.  They also paint the rather sad picture of some of our country's best intelligence analysts toiling away at tasks that are little different from those practiced by junior associates and contract attorneys in law firms and e-discovery companies from New York to New Delhi.  It would be adding insult to injury, of course, if Tice's allegations are true and the analysis is being directed at the analysts' fellow citizens.

Friday, November 21, 2008

Verizon Employees Peek at Obama Phone Records

Some overly-curious Verizon employees took a peek at President-elect Obama's phone records and have been disciplined by the company as a result. This is yet another example of why it pays to be sceptical when a trusted party promises to keep personal information secure. There is always a way for that information to end up in front of someone who has no reason to see it, and more often than not the guilty party is someone on the inside. The same thing happened with passport records some months back.

Thursday, November 20, 2008

EU Reports on Real Crimes in Virtual Worlds

ENISA, the European Network and Information Security Agency, has just issued a Position Paper following a study of criminal activity involving on-line "virtual worlds" (MMOGs). Criminals have quickly realized that there is real-world value to virtual-world assets, and have employed various ways of extracting that value from unsuspecting gamers.

The paper notes that "criminals are increasingly exploiting cross-over points between virtual and real-world economies. It is the failure to recognise the importance of protecting the real-world value locked up in this grey-zone of the economy which is leading to the 'year of online world fraud.'" The paper divides the criminal exploits into three categories: (1) identity theft; (2) taking advantage of flaws in the virtual-world economies ("illegally" duplicating or creating virtual-world objects or wealth); and (3) in-game theft (stealing virtual assets from in-game characters).

The paper makes a number of recommendations, of course, many of which boil down to shining a light on the criminal activity and educating the public about the risks associated with participating in virtual worlds.

As for what it calls "Corporate Virtual Worlds," however, the paper notes that there is very little research on the security of those worlds. It recommends that "enterprise-critical data should not be processed within a virtual world that is not entirely under the company's control and that no client or server beyond a protected local area network, administered by trusted parties, should be used." That's a caution worth considering if your company is considering setting up shop in Second Life or a similar public on-line world.

Here is the press release summarizing the paper. Thanks to The Register for the post on this one.

Tuesday, November 18, 2008

Tough Massachusetts Data Regs Delayed

Massachusetts has elected to delay implementation of its tough new data breach regulations from January 1 to May 1, 2009.

The regulations, among the most stringent in the nation, would require any entity holding personal information on Massachusetts residents -- whether located within or outside of Massachusetts -- to, among other things, encrypt records and files containing personal information that will be transmitted over a public network or wirelessly; introduce secure user authentication protocols and other security measures; put in place an information security program, including firewall protection; monitor unauthorized use of their systems; and create an inventory of their systems that maintain defined personal information on Massachusetts residents.

While it is hard to argue with the goals of the regulations, they are an example of the difficulties faced by small and large businesses alike when trying to deal with sometimes conflicting local attempts to legislate computer security.

Tuesday, November 11, 2008

Nigerian Scammers Discover Facebook

HELLO MY FACEBOOK FRIEND. MAY THIS COMMUNICATION FIND YOU ROTFL WITH HEALTH AND BEST OF CHEER. I AM YOUR LONG-TIME BFF FRIEND FROM YOUR FACEBOOK PAGE ON THE INTERNETS, AND OMG I AM CURRENTLY FINDING MYSELF IN A SITUATION OF MOST CONSIDERABLE DISTRESS THAT REQUIRES THE IMMEDIATE RECEIPT OF FUDNING FROM YOUR MOST GENEROUS AND KIND SELF IN THE AMOUNT OF WTF US$524 (FIVE HUNDRED AND TWENTY-FOUR UNITED STATES DOLLARS). PLEASE CONTACT MYSELF YOUR FACEBOOK FRIEND AT YOUR EARLY CONVENIENCE TO ASSIST ME IN RESLOVING SAID DIFFICULTY IN MY PERSONAL LIFE. KTHXBAI.

If you have a Facebook page, beware of odd requests from "friends" that ask you to wire them money. Nigerian scammers are apparently using Trojan-type exploits to steal Facebook passwords and then pose as a friend in need to ask for money.

My two haikus based on other Nigerian "419" schemes follow, with a link to many more (my second one, I'm proud to say, earned a runner-up prize that I never received from The Register. The recognition, of course, is reward enough):

mysterious mail
distinguished salutation -
send account number


generous kind sir
of sterling reputation -
help with stranded funds?

Monday, November 10, 2008

No Expectation of Privacy on Work Computer

A recent New Jersey case makes the point that you need to assume that everything you store on your work computer is accessible to your employer. It also highlights the need for even small companies to employ some reasonable level of system security.

The facts read like something that could make its way into the next season of "The Office." Employer hires ex-con employee out on probation to be a part-time bookkeeper, apparently looking past his conviction on 14 counts of forgery for stealing over $220,000 from an earlier employer. Employee is told that the computers are company property when he starts work, and soon becomes a trusted employee, rising to the level of full-time bookkeeper with broad, finance-related job duties that touch on a wide range of Employer's operations.

Employee also owns his own company, selling used computers and related items. Employer expands employee's duties further to include computers. Employer upgrades computer system and installs a network. Employees log in to the system by entering a common password -- cleverly set to be "password" -- and then their name.

Employer begins purchasing computers from employee, starting with a $1500 tower and then employee's used laptop. The laptop sale was a double score for employee, since he had used his boss's credit card to purchase the laptop originally and then paid the bill with a check that he had employer's system issue. Employee was not entirely self-centered; he did list the laptop as a company asset on the employer's depreciation schedules.

Employee next calls employer's payroll company and gives himself a raise, from about $40,000 per year to $125,000 per year. This, finally, is discovered and employee is sent packing. He leaves the computers behind, which are searched when the police are alerted to employee's creative asset enhancement program.

Employee -- now, again, a defendant -- moves to suppress the evidence of the computer search, claiming that the laptop -- the one he had purchased for himself with company money and then sold back to the company -- belonged to him. He also claims that the $1500 tower computer was his as well.

The bottom line: the employee had "no reasonable expectation of privacy in the personal information stored in his workplace computer." Employer owned the computers, they were kept in the company's offices, the employee was so advised when he started work, the tower was connected to the company network, the laptop contained business software, and other employees had equal access to the computers.

Employees: Know your rights . . . or lack thereof, where personal information and company computers are concerned.

Employers: Secure your systems and be wary of hiring serial fraudsters.

I wrote on this workplace privacy issue some months ago.

Thanks to the e-discovery law blog for this one.

Thursday, November 06, 2008

Bletchley Park Receives Preservation Funds

From the "Worth Saving" department comes word that Bletchley Park, the center of England's WW II code-breaking (and code-making) effort, has received a much-needed £300,000 preservation grant from English Heritage. The site also houses the National Museum of Computing. The Register is selling an account of the role of cryptography in WWII, as well as a pretty cool-looking t-shirt that features the Enigma machine, used by Germany to encode its communications during the war. Profits from the sale of the shirts go to Bletchley Park and the National Museum of Computing.

Here's a short account of one visitor's trip to Bletchley.

In related news, 26 vintage Enigma machines were found last month in an old army office in Madrid.

A very clever flash-based Enigma simulator lets you code your own secret messages.

Bletchley Park is featured prominently in Neal Stephenson's Cryptonomicon.

The contribution of Bletchley Park extended beyond its role in shortening the war; it is really the birthplace of modern computing. The first programmable, digital, electronic computers -- the Colossus Mark I and II -- were implemented there and used to help decode encrypted German transmissions. Learn more here.

Tuesday, October 28, 2008

Junior -- Actually, Sophomore -- Black Hatter Arrested

A recent report from up Schenectady way highlights the danger that "black hat" hackers face when they advise their targets of system security problems. It also shows the difficult position that victims are put in when those hackers happen to be minor students.

According to a notice posted on the website of the Shenendehowa Central School district in Clifton Park, New York, the principal of the local high school received an email from an anonymous "student" advising him that the sender had accessed a file on the school district's computer system that included detailed personal information about present and former district employees. The district IS department was alerted, and they "discovered that two high school students had accessed the file from an internal computer using their student password. Due to a configuration error, this file was not completely secured from student password access after being moved to a new server."

In other words, the database was left unsecured and all the student had to do to access it was log in to the system as a student and go poking around.

Of course, in the fine tradition of egg-faced officials everywhere, it is the student who discovered the problem and not the IT person who caused it who will pay for the error. The student was identified (he did log on as a student, albeit according to the school district he used another student's login -- probably not a good idea if you're trying to look innocent, that), arrested, and charged with three felonies. (The second student was not charged; perhaps he was merely kibitzing.)

This has caused a minor uproar in the tech community, which generally considers that the student was more or less doing his civic duty and deserves a ribbon, not a record. Perhaps. But consider the other side of the coin -- sensitive information about present and former employees was available to anyone logged in to the system, and was viewed by at least one person -- the student -- who did not have a right to see it. That's all that it takes to confirm a security breach.

The district from that point forward had a legal obligation to notify the affected employees that the security of their personal information had been compromised (according to news reports, it did provide the notice). It also has an obligation, under New York state law, to notify the state's Office of Cyber Security, Attorney General, and Consumer Protection Board. A good summary of New York state laws and regulations relating to information security can be found here.

The point to be taken from this incident is that when personal information is compromised, the consequences must by law extend beyond simply the affected entity. Should the student be facing three felony charges for what he did? Perhaps not. Should the authorities have been notified? Absolutely.