The largest privacy case to date is currently pending in the U.S. District Court for the Central District of California between Apple and the U.S. Government. This case arises out of a request by the Department of Justice and FBI for Apple to create software installing a “backdoor” to retrieve data from an encrypted iPhone. Specifically, the government’s request is related to its attempts to access data from an iPhone that was used by a person who carried out the December 2, 2015 terrorist attacks in San Bernardino, Calif. After the attacks, law enforcement requested Apple’s help with their investigation of data stored on one of the terrorists’ phones. In Apple’s Motion to Vacate Order Compelling Apple to Assist Agents in Search, and Opposition to Government’s Motion to Compel Assistance, Apple claims the government’s request is unwarranted under the All Writs Act, violates the First and Fifth Amendments and would place a burden on Apple.
The government filed a request with the court that, if granted, would require Apple to create software that would give the government access to the data stored on the phone. Apple claims this technology presently does not exist and would have to be developed to provide a backdoor to the iPhone for access sought by the government. Essentially, Apple would have to create a program that defeats the security features it created in the first place. In its submission to the court, Apple claims complying with this request causes concern for at least two reasons:
- Apple does not agree with the suggestion that it can simply destroy the software after it has been used “this one time,” as argued by the government. Apple argues that this will not be a one-time request but rather that law enforcement will request that the software Apple developed be used again in the future.
- Apple does not agree that, once this software is developed, it could be safely kept after it is used “this one time.” Apple argues that it cannot keep the software because “criminals, terrorists and hackers will no doubt view the code as a major prize and can be expected to go to considerable lengths to steal it…”
This litigation is already shedding light on privacy law and data retention issues and will likely do so for many years to come.
Privacy Litigation Impact
From a litigation perspective, if Apple is forced to respond to the government request, it “would effectively require Apple to create full-time positions in a new ‘hacking’ department to service government requests and to develop new versions of the backdoor software every time iOS changes…” Even more troubling for Apple is its argument that this request would effectively “require Apple engineers to testify about this backdoor as government witnesses at trial.” Apple warns the government would “coercively deputize Apple and other companies to serve as a permanent arm of the government’s forensic lab.”
The issue of whether Apple engineers and staff may be required to offer testimony on the safeguards they put into their products or the methods they used to get around their own safeguards will undoubtedly present a difficult question for the court. In this specific instance, Apple personnel may not be called upon to testify concerning the iPhone used by a terrorist in the San Bernardino attack since the terrorists are dead and there may be no need for a cross-exam on the backdoor software. But it may be shortsighted for the court to not analyze this issue because it may conceivably be an issue in the near future.
From a practical standpoint, this situation presents an interesting question for any company concerned about the safety and protection of the data it stores and the best safeguards to put into place. Apple is now arguing that the government is requesting that security be compromised to some extent in order to allow access. Apple’s arguments should also cause companies to think about backdoors and how safe those backdoors may be against hackers and criminals. It also illustrates how company personnel could be called upon to testify on its safeguards and the backdoors around those safeguards.
Litigation has already surfaced concerning the “failure to follow minimum required practices” exclusion in a cyber insurance policy. This litigation was based on the premise that this exclusion required the insured to “continuously implement” its cyber security controls identified in the insurance application submitted prior to the inception of the policy. Apple is clearly concerned about its potential liability should hackers obtain the information concerning the backdoors around its safeguards. This risk may directly impact how insurers approach cyber coverage. The questions presented by the Apple litigation may result in insureds having to disclose not only the cyber controls they have adopted, but also the backdoors providing access to that stored data and the safeguards in place to secure the backdoor.
Regardless of the outcome of the Apple litigation, there should be little doubt that the arguments and the court’s ruling will impact privacy litigation for years to come.