U.S. technology companies unite behind Apple ahead of iPhone encryption ruling

each industry leaders including Alphabet Inc's Google, Facebook Inc, Microsoft Corp , AT&T and more than two dozen other Internet and technology companies filed legal briefs on Thursday asking a judge to support Apple Inc in its encryption battle with the U.S. government.

The rare display of unity and support from Apple's sometime-rivals showed the breadth of Silicon Valley's opposition to the government's anti-encryption effort.

Apple's battle became public last month when the Federal Bureau of Investigation obtained a court order requiring the company to write new software to disable passcode protection and allow access to an iPhone used by one of the shooters in the December killings in San Bernardino, California.

Apple pushed back, arguing that such a move would set a dangerous precedent and threaten customer security, and asked that the order be vacated. The clash has intensified a long-running debate over how much law enforcement and intelligence officials should be able to monitor digital communications.

Amicus briefs

Apple's industry allies, along with several privacy advocates, filed amicus briefs — a form of comment from outside groups common in complex cases — to U.S. District Judge Sheri Pym, in Riverside, California, who had set a Thursday deadline.

Six relatives of San Bernardino attack victims on Thursday weighed in with their own amicus brief opposing Apple. Three California law enforcement groups, three federal law enforcement groups and the San Bernardino district attorney also filed in favour of the government.

The companies backing Apple largely echo the iPhone maker’s main argument, that the 1789 All Writs Act at the heart of the government's case cannot be used to force companies to create new technology.

One amicus filing, from a group of 17 Internet companies including Twitter Inc and LinkedIn Corp, asserted that Congress has already passed laws that establish what companies could be obliged to do for the government, and that the court case amounted to an "end run" around those laws.

Apple, and some of the other briefs, did not go quite that far, but also asserted that Congress, not the courts, needed to address the issue. Congress has struggled without success for years to address law-enforcement concerns about encryption.

Victims’ families

The victims' families argued that Apple's arguments were misplaced because the government had a valid warrant, and “one does not enjoy the privacy to commit a crime.” The families also asserted that Apple “routinely modifies its systems” to comply with Chinese government directives. Apple has also advanced a free speech argument, on the grounds that computer code is a form of expression and cannot be coerced. The families pushed back against that defense: “This is the electronic equivalent of unlocking a door - no expression is involved at all,” they said.

The San Bernardino District Attorney's summary argument, contained in its application to file an amicus brief, alleges the iPhone might have been “used as a weapon to introduce a lying dormant cyber pathogen that endangers San Bernardino County's infrastructure.” The court document contained no evidence to support the claim.

Two big coalitions

The tech and Internet industries largely coalesced around two filings. One includes market leaders Google, Microsoft, Facebook, Amazon.com and Cisco Systems, along with smaller, younger companies such as Mozilla, Snapchat, Slack and Dropbox.

That group noted that Congress passed the All Writs Act more than 200 years ago, and said the Justice Department's effort to use the law to force engineers to disable security protections relies on a “boundless” interpretation of the law that is not supported by any precedent.

The brief also advanced constitutional arguments, saying the order violated free speech, the separation of power and due process.

Twitter, eBay

The second industry coalition, which includes Twitter, eBay Inc and LinkedIn, contended in its filing that the Communications Assistance for Law Enforcement Act (CALEA) of 1994, along with other statutes, has already made it clear what the companies could or could not be forced to do.

CALEA requires telephone companies to allow interception of communications, but notably excludes "information service" companies from such mandates. Apple said it was rightly considered an information company in this context.

AT&T's filing, by contrast, called for a “new legislation solution” that “applies equally to all holders of personal information,” an apparent reference to the exemption for information providers in CALEA.

Semiconductor maker Intel Corp filed a brief of its own in support of Apple.

“We believe that tech companies need to have the ability to build and design their products as needed, and that means that we can't have the government mandating how we build and design our products,” Chris Young, senior vice president and general manager for the company's Intel Security Group, said in an interview. The Stanford Law School Center for Internet and Society filed a separate brief on Thursday on behalf of a group of well-known experts on iPhone security and encryption, including Charlie Miller, Dino Dai Zovi, Bruce Schneier and Jonathan Zdziarski.

Advocacy groups

Privacy advocacy groups the American Civil Liberties Union, Access Now and the Wickr Foundation filed briefs on Wednesday in support of Apple.

Salihin Kondoker, whose wife, Anies Kondoker, was injured in the San Bernardino attack, also wrote on Apple's behalf, saying he shared the company's fear that the software the government wants Apple to create to unlock the phone could be used to break into millions of other phones.

Law enforcement officials have said that Rizwan Farook and his wife, Tashfeen Malik, were inspired by Islamist militants when they shot and killed 14 people and wounded 22 others on Dec. 2 at a holiday party in San Bernardino. Farook and Malik were later killed in a shootout with police, and the FBI said it wants to read the data on Farook's work phone to investigate any links with militant groups.

Earlier this week, a federal judge in Brooklyn ruled that the government had overstepped its authority by seeking similar assistance from Apple in a drug case.

Read More

What Apple versus FBI means for India

Law schools across India illustrate the difference between “culpable homicide” and “murder” through the famous K.M. Nanavati case of 1961. Nanavati, a commander with the Indian Navy, was informed by his wife of her affair with Prem Ahuja and her desire to end the marriage. An enraged Nanavati barged into Ahuja’s house, and after an angry exchange of words, shot and killed him. In the trial that followed, Nanavati’s punishment hinged upon whether his act was premeditated. If it was, he would be guilty of murder. But were the shooting unplanned and truly a “crime of passion”, as the tabloids referred to it, Nanavati would be punished for the lesser offence of culpable homicide. The Supreme Court found him guilty of murder, but not after a protracted drama that involved a jury exonerating him.

Let’s tailor the Nanavati case to a modern setting. In the 2016 adaptation of the crime, the police retrieve Ahuja’s iPhone, which purportedly contains a draft tweet suggesting he feared for his life. The tweet was never published, and Mumbai cops need it to prove Nanavati had threatened him previously. The Information Technology (IT) Act (specifically, Section 69) confers sweeping powers on the Maharashtra government to retrieve such information but Twitter claims it cannot extract unpublished tweets. The cops turn to Apple Inc. with a request to unlock Nanavati’s phone, but it refuses, suggesting that building a backdoor for one iPhone will compromise the security of all.

What options do the Mumbai police have? Apple is not an Indian company and can refuse to comply with Section 69 of the IT Act, claiming the provision violates California law (where it is based). Apple India Private Ltd, its Indian subsidiary, is registered under the Companies Act but mostly performs administrative and financial functions. Apple does not provide Internet services, and has no software licensing agreement with Indian telecom operators. What’s more, Indian developers whose content is featured in the App Store sign agreements directly with the parent company. Short of proceeding legally against an Apple India director or revoking its import licence — neither of which would be sound measures — the Government of India has limited options to secure its compliance.

For these reasons, the Indian debate over encryption is very different from the discussion that Apple’s ongoing tussle with the U.S. Federal Bureau of Investigation (FBI) has generated. The FBI sought access via a court warrant to the locked iPhone of Syed Rizwan Farook — a U.S. citizen who in December 2015 killed 14 people and injured scores in a mass shooting in San Bernardino, California — which Apple has refused to provide. Technologies that allow the FBI to force its way into the shooter’s iPhone will compromise the operating systems of all iPhones, Apple’s CEO Tim Cook argued in a letter to consumers. The legal precedent set by this case will be closely studied, but what lessons does the San Bernardino case hold for India, where Apple’s market share is less than 1 per cent?

Lessons for India

The first lesson is for Indian regulators: find the right mix between protecting user data, while allowing law enforcement agencies to retrieve it for investigation. The U.S. does not have high data protection standards but law enforcement agencies have met with increasingly steep judicial barriers — thanks to the Snowden revelations — to extract electronic data. As a result, companies like Apple have been encouraged to invest in strong encryption, as the evolution of its operating system iOS shows.

India, on the other hand, has low data protection standards as well as low legal thresholds for intercepting information. Measures necessary to intercept information have had the unintended consequence of stalling the development of indigenous high-security devices like the iPhone. For instance, the Department of Telecommunications continues to prescribe low encryption standards for Internet Service Providers (ISPs), while subjecting them to liability for attacks on the network. ISPs are faced with a catch-22 situation, with little room to strengthen their security. The dangerous mix of low data protection standards and legal barriers against monitoring puts India alongside China

The second lesson is for Internet companies based abroad: cooperate with law enforcement agencies on legitimate requests for user data. Popular Internet applications and social media platforms in India today are all based in the U.S. or Europe, and host data in servers abroad. To retrieve information from Nanavati’s hypothetical iPhone, Apple would need to create a sophisticated “backdoor” to break its encryption protocols. This is an extraordinary instance, involving a drastic solution. But even in the majority of cases where law enforcement agencies can solve crimes based on information available with data giants, their compliance with government requests has been abysmal. Research by Rebecca MacKinnon and Elonnai Hickok suggests the Indian government in 2013 placed 3,598 requests for user data from Facebook with a 53 per cent compliance rate, while the U.S. government made nearly 12,600 requests with a compliance rate of 81 per cent. There is simply no basis or justification for the differential treatment of compliance requests but for the fact that Facebook is a U.S.-based company. Given desperate times, the Indian government took desperate measures: in its draft encryption policy released (and withdrawn subsequently) last year, it sought backdoors into all Internet applications based abroad.

Price breeds compromise

The ‘Apple v. FBI’ debate in the U.S. has generated much controversy because nearly half of America’s mobile users today own an iPhone. Encryption is commonplace, while courts, law enforcement agencies and tech companies — all based in the U.S. — debate the optimal mix of interception and data protection. The Indian context is far from comparable. Most Indians, especially first-generation Internet users, own unencrypted devices. The competing pressures of the market have only contributed to the overall insecurity of India’s Internet infrastructure. The rush towards cheap smartphones like Freedom 251 — whose vendors could not even offer a secure website to process phone bookings — has seriously compromised the integrity of user data. What’s more, to secure their data and to retrieve it for investigation, Indian authorities need the assistance of foreign Internet companies, who appear more interested in bottom lines than law enforcement.

There is no side to choose in this fight, since India needs its own variants of Apple and the FBI: high-security devices that protect data, and a law enforcement agency that can effectively retrieve electronic information.

Read More