Apple was ordered Tuesday by a federal judge in California to provide assistance to the FBI to search a locked iPhone 5c that was used by Syed Rizwan Farook, one of the terrorists said to have been involved in an attack in San Bernardino, California, on Dec. 2.
The government's request under a statute called the All Writs Act will likely give a boost to attempts by law enforcement to look for vendor-provided backdoors to encrypted devices and communications.
Apple is fighting in a New York federal court a similar move by the Department of Justice to get the company's help in unlocking the iPhone 5s smartphone of an alleged methamphetamine dealer. On Friday, it asked the New York court to give a final order as it has received additional similar requests from law enforcement agencies, and was advised that more such requests could come under the same statute.
U.S. Attorney Eileen M. Decker had filed before U.S. Magistrate Judge Sheri Pym of the U.S. District Court for the Central District of California that despite a warrant authorizing the search and permission of Farook's employer, who owned the phone, law enforcement had not been able to access encrypted content on the device because of its passcode.
The officials said that they could not make attempts to crack the password because of a user-enabled auto-erase function in the device that would erase all encrypted data after 10 failed tries. It was not evident from the outside of the device whether the auto-erase function had been enabled.
Apple has the ability to bypass the password on some of its devices, including turning off the auto-erase function, and it would not be unduly burdensome on the company to do so as it is in the business of writing software code and would be reasonably reimbursed for its effort, according to the government filing. The phone used by Farook runs iOS 9 and the company still has the ability to assist the government despite its claims that it has written the software differently, it added.
The All Writs Act gives federal courts the authority to issue orders that are "necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law," but civil rights groups like the Electronic Frontier Foundation point to a Supreme Court order that set limits to the use of the statute, including requiring that a court cannot use it to bypass other laws or the Constitution, or require third parties to assist in ways that would be "unreasonably burdensome."
Apple has been ordered by Judge Pym to offer its technical assistance, including if required provide signed software, to bypass or disable the auto-erase function whether or not it has been turned on, enable the FBI to submit passcodes to the device for testing electronically via the physical device port available on the phone, and ensure that when the FBI tests passcodes on the phone, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.
"What the court is essentially ordering Apple to do is custom-build malware to undermine its own product’s security features, and then cryptographically sign that software so the iPhone will trust it as coming from Apple," wrote Kevin S. Bankston, director of New America's Open Technology Institute in an emailed statement.
Bankston said it wasn't clear at the point whether Apple would be technically able to do what the judge ordered. "But if a court can legally compel Apple to do that, then it likely could also legally compel any other software provider to do the same, including compelling the secret installation of malware via automatic updates to your phone or laptop’s operating system or other software," he said.
14 people were killed and 22 others were injured in the shootout at the Inland Regional Center in San Bernardino.
Apple did not immediately comment on the order. It has up to five business days from the receipt of the order to appeal to the court if it finds that compliance with the ruling could be "unreasonably burdensome."
The company is right to fight the order, Bankston said. "A line must be drawn here: the government must not be allowed to force tech companies to undermine the security of their own products, especially with nothing but a vague catch-all statute that’s over a century old to back up its argument," he added.