What a difference two words can make. Just ask the Center for Competitive Politics (CCP) or Americans for Prosperity (AFP), two organizations that filed separate lawsuits against the same defendant, California Attorney General Kamala Harris, over the same issue: whether Harris’s office had the right to access the organizations’ donor information. (The cases are Center for Competitive Politics v. Harris and Americans for Prosperity v. Harris.)
The plaintiffs’ arguments in each case were basically the same: the state’s request to access donor information would violate the First and Fourteenth Amendments of the U.S. Constitution. But there the similarities stopped: the CCP never got to trial, whereas the AFP did—and won! Was the CCP the victim of a miscarriage of justice? Nah. It all came down to two words: “as applied.”
You know the saying “go big or go home”? Well, unfortunately the CCP did both: it tried to get the court to rule that Harris’s probe of donor information would be unconstitutional for all organizations. The AFP took a different approach: it asked the court to call the probe unconstitutional “as applied” to the AFP alone.
The AFP’s narrower approach enabled the court to provide relief without upsetting Harris’s authority and potentially affecting thousands of other organizations. Courts generally hesitate to invalidate a state’s actions when they can provide individual relief to the plaintiff instead. If the CCP had taken this course, it might have had a fighting chance. But now it had the added burden of proving how the state’s actions would adversely affect all organizations subject to the same request.
Meanwhile, the AFP coasted without having to prove any such thing. All it had to show was how the state’s request had already affected the organization and could continue to do so. This was no fun task, though. Several individuals testified that they suffered reprisals, assaults, and even death threats due to their association with the AFP—a strongly conservative organization. Clearly, being publicly linked to the AFP could lead to serious fallout. For her part, Harris tried to argue that the state would keep donor information confidential, but the AFP was able to show how this had failed before, citing over one thousand instances of donor information being improperly disclosed on the AG’s own website!
The AFP showed that the risk of scaring, and therefore discouraging, would-be donors was real. The chilling effect on individuals’ freedom of association would be too steep a price to pay for a nominal benefit to the state.
It was a strong case—unlike the defendant’s. Harris claimed that accessing donor information was in the state’s best interest; reviewing the findings would help uncover potential irregularities tied to fraud, waste, or abuse. Maybe it would—but it doesn’t pass the “exacting scrutiny” test, which requires states to protect their interests by the least restrictive means in situations like this. More importantly, Harris could not produce any evidence or testimony to corroborate her argument that access to donor information was important to state law enforcement. Although several state-employed investigators and attorneys took the stand, none could claim that they needed, or even used, donor information to do their work—and if they did need it, they could generally get it elsewhere. This evidentiary failure undercut Harris’s arguments and called into question the state’s overall scheme.
In the end, it was not a tough decision: with so strong a case by the plaintiff, and so weak a one by the state, the court sided plainly with the plaintiff. It could have gone a step further and declared the state’s actions broadly unconstitutional, but instead it judged the state’s actions to be improper as applied to the AFP alone. This was a good idea, because Harris will have a harder time challenging the decision on appeal.
So the AFP trial didn’t set a huge precedent for everyone—but that’s kind of the point. If you’re going to file suit, and there’s a path of least resistance, take it. Those sweeping courtroom victories you see in the movies are rare. In real life, justice takes baby steps.
Rather than confront accusations of baseless zeal and prosecutorial overreach, New York federal prosecutor Preet Bharara would rather spend his energy dodging accountability.
In 2010, Bharara launched a crusade against Wall Street, prosecuting several hedge funds he suspected of insider trading. Highly publicized raids followed. In the wake of the financial meltdown, Bharara was hailed as a hero. A Time cover story proclaimed, “This Man Is Busting Wall St.”
But many of those prosecutions went nowhere. A federal appellate court rejected the legal theory that the prosecutions were built on, and many cases were simply dropped. The SEC even agreed to return some of the money it had seized from several hedge funds.
This was cold comfort to people like David Ganek, the manager of Level Global—one of several hedge funds shut down by Bharara’s inquisition. Even while the case was pending, Bharara all but acknowledged that he meant to shutter Level Global, without regard for the presumption of innocence.
Sadly, even when defendants are harmed by prosecutorial overreach, broad immunity doctrines make it nearly impossible for the wrongly prosecuted to get justice.
But Ganek’s case involved more than just excessive zeal: the warrant used to raid Level Global depended on a false statement. A former employee of Level Global had told federal agents that Ganek did not know he was using information from corporate insiders, but the warrant application falsely said that Ganek did know. That gave Ganek a rare opportunity: federal agents can be shielded for overreaching, but there is no protection for lying.
Ganek sued officials from both the U.S. Attorney’s Office and the FBI (Ganek v. Leibowitz), claiming that the use of the false statement to prosecute him had violated his constitutional right against unreasonable searches and his due process rights. In March, a federal judge ruled that Ganek’s claim could go forward, rejecting claims of governmental immunity.
In most civil cases, overcoming this initial step is a big deal. It would allow Ganek to conduct discovery—that is, to investigate the facts behind his case by methods that can include obtaining documents from prosecutors and the FBI and depositions of federal officials under oath. This process can be extremely onerous—the cost of document production and the risks of laying bare a defendant’s inner workings to a hostile adversary have forced many defendants into settling dubious lawsuits. In addition to uncovering misrepresentations tied to his own case, Ganek also could investigate the conduct of federal officials more generally and, perhaps, even the supervisory practices of prosecutors and the FBI.
In a typical case, there would be no way to avoid this except by an expensive settlement—likely including a premium for avoiding discovery. But this is no typical case, and Preet Bharara is no typical litigant. Although most of us in Bharara’s position would have to wait until the end of a federal case before filing a single, final appeal, Bharara has relied on a narrow legal doctrine that allows him to appeal the court’s decision immediately, based on his claims of immunity. As a result, the court has delayed discovery and other proceedings indefinitely. Instead of accepting the need for transparency and letting Ganek be made whole for his wrongful prosecution, Bharara’s office will get a second bite at the apple by rearguing the issue of immunity in front of the U.S. Court of Appeals for the Second Circuit.
It is hard to imagine that Bharara will prevail on appeal—immunity does not cover outright lies by federal agents. Yet by belaboring a weak immunity argument, Bharara can postpone having to answer for the actions of his office for months, if not longer, while creating additional costs and burdens for Ganek.
This case goes beyond Ganek’s personal quest for justice. Civil suits like this are important for holding public officials accountable and can provide a window into how they operate. Bharara’s resistance sends a discomforting message: however merciless he may be towards his suspects, he should bear no consequences for his actions.
We’ll see if Ganek can prove him wrong.
Data breaches are as common as the common cold—unfortunately, just as incurable. Run a news search on “data breaches” and you’ll find that all kinds of institutions—major retailers, tech companies, universities, even government agencies—have been vulnerable at some point. Now run a search on “data breaches,” but include the word “lawsuit.” You’ll find that many of these cases are going to court, but ultimately getting dismissed. What’s going on?
First, you should look at some of these lawsuits more closely: are they filed against the alleged perpetrators of the data breach? Many of them aren’t; those perpetrators are usually hackers who live outside the country or are unable to pay a money judgment. (In legal parlance, that’s known as being judgment proof.) Faced with those limitations, individual victims of data breaches frequently settle for the next best thing: going after the institutions that endured the breach.
Often, this isn’t fair—the institutions are victims too. The point here is that although going after the institutions looks like an easy win from “deep pockets,” that seldom turns out to be the case.
It’s with the third and final point—demonstrating injury—that plaintiffs have the most trouble. Why? Because courts view injury in fiscal terms; you need to show that you actually lost something, not simply that you might. So even if you were the victim of a data breach, as long as your data hasn’t yet been compromised, it doesn’t really count as injury.
There have been exceptions, when the court greenlit cases based mainly on speculative injury, but these usually ended in a settlement before a legal precedent could be set. (See cases against Home Depot, Target, Adobe, and Sony.) For the most part, the fiscal view of injury has prevailed—reinforced in 2013, when the Supreme Court, weighing in on Clapper v. Amnesty Int’l, determined that a plaintiff cannot proceed with a data breach lawsuit unless he or she can demonstrate actual injury or at least imminent threat of injury, each one measurable in economic loss. Otherwise, mere perception of injury is too tenuous to establish legal standing, which a case requires to go forward, and the lawsuit will probably get tossed.
The challenge of establishing legal standing recently made its way to the Supreme Court in Spokeo v. Robins. In that case, a plaintiff filed suit against the “people search engine” Spokeo for publishing false information about him. The issue before the Court was this central question of how much injury must be shown for a case to go forward. Prospective plaintiffs were optimistic that the high court would affirm a lower court’s decision that speculative injury was indeed enough. Alas, the Supreme Court sidestepped the issue and punted it back to the lower court for further review. The Court nonetheless reinforced the general tenets that, for a plaintiff to have standing to bring a case, he must allege an “injury in fact” that is both “concrete and particularized.” There is still room for the lower court to broaden the approach to what constitutes an injury, but the Supreme Court’s ruling keeps the status quo in place.
For now, individuals whose data has been compromised generally must be satisfied with what the institutions offer them after a breach occurs: free credit checks and/or access to credit monitors. Do checks and monitoring seem inadequate? Not if you think about what type of harm people face after a data breach. Individuals can detect and report problems in the event someone actually misuses their data. If they keep on top of it, their credit scores will not be impacted. Moreover, credit card companies and other financial institutions will bear the cost of any unapproved charges. In the event of further problems, plaintiffs can then take their injury to the legal system and have their day in court. But at this point, the courts are right to keep this type of class action litigation at bay.
Public schools and libraries in the U.S. can save a lot of money on Internet service by applying for the Schools and Libraries Program, a federal subsidy better known as E-Rate.
E-Rate funding, capped yearly at $3.9 billion, helps eligible institutions cover costs of Internet service. Participants can save anywhere from twenty to ninety percent of their Internet expenses—the precise amount being dictated by the economic standing of both the participating institution and the school district where it is located.
E-Rate and three other programs are part of the Universal Service Fund (USF), a system of subsidies born out of the Telecommunications Act of 1996 as a way to ensure affordable telecom rates across the country. Although the Federal Communications Commission (FCC) oversees the USF, the fund is managed by a nonprofit corporation called the Universal Service Administrative Company (USAC).
Detailed information on how to apply for E-Rate can be found in the Schools and Libraries Program overview. Basically it works as a bidding process. An applicant fills out FCC Form 470, requesting specific services, and submits it to the USAC. The USAC then issues an RFP for telecom providers who want to bid for the requested services. After 28 days, the applicant can study the bids. When it selects one, it requests E-Rate funding by filing FCC Form 471 within a deadline set by the FCC (for FY2016 it is May 26).
The discount rate is generally determined by the size of the population, in the applicant’s school district, that qualifies for the National School Lunch Program. The applicant must also file Form 486, listing services for which funds are requested and ensuring compliance with the Children’s Internet Protection Act.
There are limits to what E-Rate can cover. The applicant is solely responsible for end-user equipment, like hardware and software, and also for any non-discounted portions of Internet services.
While it is a great opportunity to save money, E-Rate isn’t a free-for-all. To discourage abuse and misuse of the program, the FCC requires applicants to comply with a series of rules, notably:
- Compliance with state and local law. It’s not enough to follow the FCC standards only.
- Applicants cannot seek discounts for services not requested. In other words, services listed on Form 471 must match (or not exceed) services requested on Form 470.
- Fair, competitive bidding. Applicants are responsible for ensuring an open, fair, and competitive bidding process to select the most cost-effective provider.
- Document retention. Applicants must save all competing bids for services to demonstrate they selected the most cost-effective bid, with price being the primary consideration. Records should be kept for at least ten years after the last date of service delivered.
- CIPA compliance. Applicants must confirm compliance with the Children’s Internet Protection Act, which requires schools and libraries that receive federal funding to employ Internet filters that protect children from harmful content.
In spite of these rules, the wealth of funds in the E-Rate program can attract abuse. In response, the FCC created the USF Strike Force in 2014 and tasked it with combatting waste, fraud, and abuse of the USF programs. Federal agents have shown that they are serious about investigating alleged abuses. One widely publicized case in Ramapo, NY, recently led to several raids. We will look at that case and others like it in upcoming posts.
Does the federal government have the right to seize a domain name without notice? With growing frequency, the feds have seized the domain names of thousands of websites for alleged criminal wrongdoing. The latest example is the seizure earlier this week of 67 website domain names for the alleged illegal sale and distribution of counterfeit and prescription drugs.
There still is little information publicly available on the recent seizure. The Justice Department issued a short news release with a statement from U.S. Attorney Bill Nettles, in which he noted,
It’s important for consumers to understand the significant risks involved in purchasing pharmaceutical drugs from these websites. The generic versions of these prescription drugs are not approved by the Food and Drug Administration and cannot be distributed in the United States legally. To be safe and effective, prescription drugs must be taken under the care and supervision of appropriate health care professionals; not purchased off the internet from unknown and unregulated foreign sources.
Whether or not the sites facilitated the alleged criminal behavior remains to be decided by a judicial proceeding (if the case ever gets to that point). Federal agents can obtain a seizure order based merely upon probable cause set forth in an affidavit. That’s a relatively low bar considering the consequences of domain name seizures.
The only recourse for the sites at this point is to file a petition with a federal court to contest the forfeiture. Contesting a forfeiture is an uphill—and oftentimes protracted—battle. In the meantime the businesses operating through those domain names are effectively shut down, if the seized websites were their main channel of business. Once the feds carry out a domain name seizure, the “offending” sites will show a seizure banner notifying any visitors that the domain name has been seized by federal authorities for violations of federal laws. No business can be done on the site and the chances of visitors returning are slim.
So how is it okay for a domain name to be seized based on the allegation of a crime, before proper notice and hearing? The feds are taking advantage of a process known as an in rem proceeding, whereby they can file suit against the offending property itself for its alleged role in facilitating criminal conduct. Typically in rem proceedings are filed against tangible assets like a car involved in a drug deal or a bank account used to funnel illegal funds. But in recent years, in rem proceedings have been used by both state and federal agencies against domain names in order to crack down on alleged criminal behavior carried out through the websites. Examples include (1) the Justice Department’s “In Our Sites” operation in which it seized the domain names of thousands of sites accused of violating U.S. copyright laws and (2) the state of Kentucky’s attempt to seize 141 domain names of online poker sites.
Despite the increasing use of pretrial domain name seizures, the legality is still hotly debated by civil liberties groups, free market advocates, and international organizations. These groups raise constitutional concerns, such as due process and restraint on free speech, as well as jurisdictional concerns, such as federal or state authority to reach domain names owned by foreign individuals or entities. The biggest issue is that an in rem proceeding is inappropriate against domain names because a domain name is not property – it is a contractual right that, as such, should not be subject to seizure. We will discuss these concerns in more detail in a coming post once we learn more about the Justice Department’s recent actions against the 67 pharmaceutical domain names.
There are limits to what the government can take from you. The Supreme Court recently ruled that the Constitution forbids the government from freezing a defendant’s “untainted” assets in advance of prosecution. The ruling is a significant victory for those caught in the government’s crosshairs. It is also a significant victory for a traditional concept of justice, which prefers to err on the side of the accused over government agents.
In its decision in Luis v. U.S., the high court agreed with a criminal defendant who argued that her Sixth Amendment right to counsel was violated when the government froze assets unrelated to allegedly criminal behavior. Without access to those funds, the defendant would be unable to retain the attorney of her choice.
The Court considered the government’s interest in preserving funds to pay restitution and criminal penalties, but concluded that a defendant’s right to counsel is “fundamental,” outweighing any interest the government might ultimately have: “[The government’s] interests are important, but — compared to the right to counsel — they seem to lie somewhat further from the heart of a fair, effective criminal justice system.”
In a 5-3 ruling, the Court based its decision on this balancing test, as well as on traditional understandings of common law, which distinguish between assets directly related to alleged criminal behavior and assets considered “innocent” or untainted. The Court found no legal precedent to authorize “unfettered, pretrial forfeiture of the defendant’s own ‘innocent’ property.” Moreover, the Court highlighted concerns that the government’s position has no obvious stopping point and could erode defendants’ right to counsel considerably.
Encroaching on the Sixth Amendment is but one of the several concerns posed by the government’s growing love of forfeiture — it has become too handy of a tool in prosecutors’ pockets — but it is perhaps the gravest concern, as it threatens an individual’s ability to effectively defend him or herself. It puts defendants at a significant disadvantage: they want to obtain the best representation they can afford in order to defend themselves, but they may not be able to afford any if the government freezes all their assets in the hope of confiscating them after a conviction. They may be left begging friends and family to help fund their defense or relying upon overburdened public defenders to represent them. The government’s tactic is the courtroom equivalent of inviting an opponent to a boxing match and then tying one hand behind his back.
The criminal defense bar has decried the government’s overuse of asset forfeiture for years. While the government has argued that pre-trial asset seizure is justified in order to preserve its ability to recover funds and penalties, the process has been used to try to deter behavior by making an example of people. Moreover, pre-trial asset seizure looks a lot like presumed guilt, as opposed to presumed innocence. The occasional constitutionally minded congressional representative has tried to curb forfeiture overuse through legislative initiatives, but these bills keep getting left to die in committees and subcommittees. It is nice to see some effective limits placed on the practice by the Court.
Justice Thomas, in a concurring opinion, took issue with Justice Breyer’s opinion “balancing” the state’s interest against individuals’ constitutional rights. He argued the Sixth Amendment prevents the government from seizing untainted assets, period; there is no need to consider a balancing approach. But at least the plurality of the Court recognized that, when balancing the government’s interests in the outcome of a case against the individual’s right to adequately defend him or herself, you should err on the side of the individual.
If that means the state sometimes loses out on full satisfaction of a monetary judgment, that is preferable to defendants being prevented from mounting an effective defense. More wrongful convictions would result from that policy, and the seizure of a few more dollars from the truly guilty would be no consolation. If there is any question whether historically we have favored individual rights over the state’s interests in criminal prosecutions, look only to the Bill of Rights. Justice demands that if anyone’s hand is to be tied in the courtroom, it should be the hand of the government.
In light of Tax Day (note that it’s on the 18th of April this year due to a holiday on the 15th) we want to point out a curious ramification from a federal case concerning online gambling, tax reports, and foreign accounts.
In United States v. Hom, the defendant, John C. Hom, was an online poker player who had money in player accounts situated outside America. Accounts such as these are used for depositing funds, wagering them on the site, and withdrawing whatever remains; they are not generally treated as “bank accounts” proper, and Hom did not bother to file a tax return on them. Surprisingly, the court said he should have.
As explained by the court in its decision, an individual is mandated to file an FBAR (a Report of Foreign Bank and Financial Accounts) for a reporting year if all of these requirements are satisfied:
(1) he or she is a United States person;
(2) he or she has a financial interest in, or signature or other authority over, a bank, securities, or other financial account;
(3) the bank, securities, or other financial account is in a foreign country; and
(4) the aggregate amount in the accounts exceeds $10,000 in U.S. currency at any time during the year.
Id. at 1178.
In Hom’s case, three of the requirements were clearly satisfied: the defendant was a U.S. citizen (1), the accounts, like the gaming companies holding them, were located in a foreign country (3), and the aggregate amount in those accounts exceeded $10,000 (4).
Requirement (2) was the sticking point. Could an online poker account really clear the definition of “other financial account,” thus compelling Hom to file an FBAR? His team argued that it didn’t: the funds weren’t held in a bank or securities account and the defendant’s actions were limited to making deposits and withdrawals. Strikingly, the court ruled that it was a financial account because “he opened up all three accounts in his name, controlled access to the accounts, deposited money into the accounts, withdrew or transferred money from the accounts to other entities at will, and could carry a balance on the accounts.” Id. at 1179. The ability to deposit and withdraw at will sufficed to make the gaming companies “function as institutions engaged in the business of banking. Accordingly, defendant’s accounts are reportable even under the current regulations.” Id.
This is a very broad expansion of what passes for a financial institution, and it begs the question of how far it can go. For example, are funds in an attorney escrow account, or other escrowed accounts for a foreign transaction, FBAR reportable? After all, they, too, permit the client to make withdrawals and deposits and carry a balance—and possibly even control access.
Hom is only one case; other courts aren’t bound by it. However, they could still be influenced by this decision. It is therefore prudent to file an FBAR on gambling accounts located overseas that exceed $10,000. Furthermore, one should wonder whether other courts will borrow this reasoning and apply it to other forms of escrow accounts. These questions are very pertinent in light of the IRS’s continuing emphasis on the disclosure of foreign accounts.
 United States v. Hom, 45 F. Supp. 3d 1175 (N.D. Cal. 2014)
This article first appeared February 29, 2016, on FEE.org.
Remember Martin Shkreli, the “pharma bro” notorious for raising the price of his company’s life-saving drug by some 5,000 percent? Did you know he was recently arrested for securities fraud (completely unrelated to the drug hike)? It didn’t take long for the Justice Department to go after the universally unpopular rapscallion.
Big government gets a bad rap for being inefficient, but it can cut to the chase rather swiftly when it wants to. In order to stop, or at least dramatically curb, behavior that goes against law or policy — or perhaps just opinion — government enforcement agents know how to employ a show of force and to make an example of someone they deem a wrongdoer. The punishment is public and can be severe.
Setting an Example
A recent show of force can be seen in federal actions against the dietary supplement industry. The industry has exploded in recent years, thanks in large part to the public’s growing love for health and homeopathy. The popularity has, predictably, attracted moneymakers of both the scrupulous and unscrupulous kind.
The government wants to rein in the industry, so to set an example it has come down hard on one company. USPlabs was one of more than 100 makers and marketers of dietary supplements against whom the Justice Department announced it was pursuing civil and criminal cases. But the company had the unfortunate luck to become the government’s example of what it can do to wrongdoers. Not only did the DOJ charge the company; it also indicted several of its executives and froze their assets — from investment accounts to homes to automobiles.
Do the Ends Justify the Meanness?
The government’s heavy hand on USPlabs is the kind of crackdown you expect against organized crime or large drug rings. What were the criminal defendants at USPlabs alleged to have done? Not exactly Sopranos-level stuff: importing ingredients with false certificates of analysis and false labeling, misrepresenting the source and nature of product ingredients, selling products without determining safety, and continuing to sell products after they told agents they would stop.
If the allegations are true, the defendants’ actions were wrong. But public arrests and asset seizure are extreme. How often do people accused of false labeling get perp walked? The DOJ’s tactics look like shock-and-awe theater for the benefit of others.
If there is any doubt whether the government wanted to use its hard-line approach against USPlabs as an example for other companies, look no further than this statement by FDA Deputy Commissioner Howard Sklamberg: “The criminal charges against USPlabs should serve as notice to industry that if products are a threat to public health, the FDA will exercise its full authority under the law to bring justice.”
In other words, makers and marketers of dietary supplements: beware!
You may think the Justice Department performed a public service by coming down so hard on Shkreli and USPlabs. Why should we care if the government crushes some scalawags and discourages others in the process?
What if the government’s show of force comes at the cost of a defendant’s due process rights? Shkreli has said that the feds targeted him because of the drug price hike, looking for anything to stop him. Now he’s been fired and his company has filed for bankruptcy. That’s a pretty high price to pay for being obnoxious.
While deterrence may be an acceptable basis for punishment, it doesn’t justify punishment that exceeds the crime. Arresting executives and seizing their personal bank accounts, homes, and cars in an instance like this is excessive. More commonly in cases like USPlabs, prosecutors will settle with the company, levy a fine against it, require it to institute controls to avoid further wrongdoing, and perhaps require it to be monitored for a while to ensure controls are being observed.
Going after the individual executives as if they were Mafia kingpins goes beyond the pale. Freezing or seizing assets is something that prosecutors more commonly do when those assets are being used to carry out criminal behavior, or when there is a great risk those assets will be disposed of before judicial proceedings. Chances are slim that the executives in the USPlabs matter were planning on liquidating their family homes or cars.
Yet Another Slippery Slope
For those who think the government is on the right side in its show of force, ask yourselves whether the government isn’t pursuing its initiatives (even reasonable initiatives like reining in fraud) a bit brutishly. Making an example of an alleged wrongdoer even before the wrongdoer’s day in court harkens back to techniques used by conquerors in days of old who put heads on pikes to show the subjugated just who was in charge.
And what if the government decides to crack down on behavior not so clearly reprehensible? Say the government decides to put speeding in check by jailing a few folks going modestly over the limit. How many of us would feel safer?
Even when we dislike the targets of prosecutorial zeal, supporting justice is in our self-interest. When the government sets aside due process and proportionality to make an example for other would-be wrongdoers, it is sacrificing justice for the sake of regulatory expediency.
FBI Director James Comey took a rare break from the posturing typical of investigators and prosecutors in the current showdown between Apple and the FBI. While prosecutors argue that Apple’s privacy concerns are a smokescreen to avoid “assist[ing] the effort to fully investigate a deadly terrorist attack,” Comey posted a statement over the weekend in which he took the position that the tension between security and privacy “should not be resolved by corporations that sell stuff for a living. It also should not be resolved by the FBI, which investigates for a living. It should be resolved by the American people deciding how we want to govern ourselves in a world we have never seen before.”
Comey’s statement highlights a crucial problem with the development of privacy law: it often is developed in the context of important criminal cases. This comes at a real cost. We all know that Syed Farook committed a horrific crime, and any rights he once had against government searches are now forfeit. But though Apple may have chosen to serve as a limited proxy for its consumers in the San Bernardino case, often the interests of private citizens are wholly absent from the courtroom (or, often, judge’s chambers) when issues of fundamental privacy are debated.
This leads to a serious imbalance: Apple is talking about the diffuse privacy rights of its consumers and the risks of potential incursions by more restrictive, less democratic governments such as China. On the other hand, Manhattan District Attorney Cyrus Vance can point to 175 Apple devices that he cannot physically access even though those devices may contain evidence helpful to the government.
New York Police Commissioner Bill Bratton and one of his deputies put an even finer point on it in an Op-Ed in The New York Times, citing a specific case of a murder victim in Louisiana (more than one thousand miles outside of Mr. Bratton’s jurisdiction) whose murder is unsolved because officers cannot unlock her iPhone, which is believed to contain her killer’s identity. “How is not solving a murder, or not finding the message that might stop the next terrorist attack, protecting anyone?” asks Bratton.
But in assuming that private citizens have no greater fear than whether the police can investigate and prevent crimes, Bratton begs the question. In reality, citizens may see law enforcement as a threat in itself. Learning that the NSA was engaging in comprehensive warrantless surveillance likely has given many law-abiding Americans a greater incentive to protect their data from being accessed by the government. Indeed, in light of the NYPD’s record over the last few years—including a finding by a federal judge that they were systematically violating the rights of black New Yorkers and a lawsuit over religion-based spying on Muslims—it is not hard to see why citizens might want protection against Bratton’s police force.
But even if the police were the angels they purport to be, opening a door for a white hat can easily allow access to a black one. Less than a year ago, hackers used a “brute force” approach to exploit a flaw in iCloud’s security, and dozens of celebrities had their private photos shared with the world. These sex crimes are all but forgotten in the context of the San Bernardino shootings, even though the security weakness the FBI wants installed in Farook’s iPhone is markedly similar to that exploited with respect to iCloud.
Nor do those who wish for privacy need to invoke hackers or criminals. A private, intimate moment with a spouse or loved one; a half-finished poem, story, or work of art; or even a professional relationship with a doctor or mental health professional cannot exist unless they can remain private. Once these interactions took place in spoken, unrecorded conversations or on easily discarded paper; now many of our daily activities are carried out on our mobile devices. Even if one has nothing to hide, many citizens might balk at the prospect of having to preserve their private conversations in a format readily accessible by the police.
But if Mr. Comey has shown unusual insight, Mr. Bratton’s one-sided, myopic question illustrates the importance of Apple’s position and the inability of law enforcement officials to be objective about the interests at stake. Police and prosecutors are not always your friends or your defenders. Their goals are—and always will be—investigating and solving crimes and convicting suspected criminals. The less an officer knows, the harder it will be to investigate a case. As a result, privacy rights—even when asserted by innocent, law-abiding citizens—make their job more difficult, and many officers see those rights as simply standing in their way.
This is hardly news. Nearly sixty years ago the Supreme Court observed that officers, “engaged in the often competitive enterprise of ferreting out crime,” are simply not capable of being neutral in criminal investigations. For precisely that reason, the Fourth Amendment requires them to seek approval from a “neutral and detached magistrate” before a search warrant may issue.
That is why Mr. Comey’s acknowledgement that the FBI is not a disinterested party is so refreshing. Pro-law-enforcement voices have been clamoring to require Apple to compromise the security it built into the iPhone, invoking their role as public servants to buttress their credibility. But when it comes to privacy, the police do not—and cannot—represent the public interest. As Comey acknowledged, they are “investigators,” and privacy rights will always stand as an obstacle to investigation.
It is a well-known maxim that “bad facts make bad law.” And as anybody even casually browsing social media this week likely has seen, the incredibly tragic facts surrounding the San Bernardino attacks last December have led to a ruling that jeopardizes the privacy rights of all law-abiding Americans.
First, it is important to clearly understand the ruling. After the horrific attack in San Bernardino on December 2, 2015, the FBI seized and searched many possessions of shooters Syed Rizwan Farook and Tashfeen Malik in their investigation of the attack. One item seized was Farook’s Apple iPhone 5C. The iPhone itself was locked and passcode-protected, but the FBI was able to obtain backups from Farook’s iCloud account. These backups stopped nearly six weeks before the shootings, suggesting that Farook had disabled the automatic feature and that his phone may contain additional information helpful to the investigation.
Under past versions of iOS, the iPhone’s operating system, Apple had been able to pull information off of a locked phone in similar situations. However, Farook’s iPhone—like all newer models—contains security features that make that impossible. First, the data on the phone is encrypted with a complex key that is hardwired into the device itself. This prevents the data from being transferred to another computer (a common step in computer forensics known as “imaging”) in a usable format. Second, the iPhone itself will not run any software that does not contain a digital “signature” from Apple. This prevents the FBI from loading its own forensic software onto Farook’s iPhone. And third, operating the iPhone requires a numeric passcode; each incorrect passcode will lock out a user for an increasing length of time, and the tenth consecutive incorrect passcode entry will delete all data on the phone irretrievably. This prevents the FBI from trying to unlock the iPhone without a real risk of losing all of its contents.
As Apple CEO Tim Cook has explained, this system was created deliberately to ensure the security of its users’ personal data against all threats. Indeed, even Apple itself cannot access its customers’ encrypted data. This creates a unique problem for the FBI. It is well-settled that, pursuant to a valid search warrant, a court can order a third party to assist law enforcement agents with a search by providing physical access to equipment, unlocking a door, providing camera footage, or even giving technical assistance with unlocking or accessing software or devices. And, as the government has acknowledged, Apple has “routinely” provided such assistance when it has had the ability to access the data on an iPhone.
But while courts have required third parties to unlock doors, they have never required them to reverse-engineer a key. That is what sets this case apart: to assist the government, Apple would have to create something that not only does not exist, but that it deliberately declined to create in the first instance.
On February 16, Assistant U.S. Attorneys in Los Angeles filed an ex parte motion (that is, without providing Apple with notice or a chance to respond) in federal court seeking to require Apple to create a new piece of software that would (1) disable the auto-erase feature triggered by too many failed passcode attempts and (2) eliminate the delays between failed passcode attempts. In theory, this software is to work only on Farook’s iPhone and no other. This would allow the FBI to use a computer to simply try all of the possible passcodes in rapid succession in a “brute force” attack on the phone. That same day, Magistrate Judge Sheri Pym signed what appears to be an unmodified version of the order proposed by the government, ordering Apple to comply or to respond within five business days.
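The passcode retry limits described above, and what the two changes requested in the motion would remove, can be seen in a small model. This is an added illustration, not Apple's code or anything from the original post; the delay schedule, the names `PasscodeGuard` and `exhaust`, and the sample passcode are constructed assumptions (the post states only that delays increase and that the tenth consecutive failure erases the data).

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed schedule: lockout seconds after the Nth consecutive failure.
# The post says only that delays increase; these numbers are assumptions.
DEFAULT_DELAYS = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}

@dataclass
class PasscodeGuard:
    passcode: str
    delays: dict = field(default_factory=lambda: dict(DEFAULT_DELAYS))
    wipe_at: Optional[int] = 10   # from the post: tenth failure erases the data
    failures: int = 0
    locked_until: float = 0.0
    wiped: bool = False

    def attempt(self, guess: str, now: float) -> str:
        """Return 'unlocked', 'rejected', 'locked_out' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked_out"       # the guess is not even evaluated
        if guess == self.passcode:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.wipe_at is not None and self.failures >= self.wipe_at:
            self.wiped = True         # models the irreversible erase
            return "wiped"
        self.locked_until = now + self.delays.get(self.failures, 0)
        return "rejected"

def exhaust(guard: PasscodeGuard, digits: int = 4):
    """Try every numeric passcode in order, waiting out each lockout.
    Returns (final result, guesses made, simulated seconds elapsed)."""
    now, result = 0.0, "rejected"
    for n in range(10 ** digits):
        now = max(now, guard.locked_until)
        result = guard.attempt(f"{n:0{digits}d}", now)
        if result in ("unlocked", "wiped"):
            return result, n + 1, now
    return result, 10 ** digits, now

if __name__ == "__main__":
    print(exhaust(PasscodeGuard("7391")))                           # limits intact
    print(exhaust(PasscodeGuard("7391", delays={}, wipe_at=None)))  # both removed
```

With the limits intact the model erases its data after ten guesses; with both removed, the same four-digit passcode falls to plain enumeration, which is why the two settings carry so much of the protection.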
Though Apple has not filed a formal response, CEO Tim Cook already has made waves by publicly stating that Apple will oppose the order. In a clear and well-written open letter, Cook explains that Apple made the deliberate choice not to build a backdoor into the iPhone because to do so would fatally undermine the encryption measures built in. He explains that the notion that Apple could create specialized software for Farook’s iPhone only is a myth, and that “[o]nce created, this technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key . . . .”
This has re-ignited the long-standing debate over the proper balance between individual privacy and security (and the debate over whether the two principles truly are opposed to one another). This is all to the good, but misses a key point: Judge Pym’s order, if it stands, has not only short-circuited this debate, it ignores the resolution that Congress already reached on the issue.
Indeed, a 1994 law known as the Communications Assistance for Law Enforcement Act (“CALEA”) appears to prohibit exactly what the government requested here. Though CALEA preserved the ability of law enforcement to execute wiretaps after changing technology made that more complicated than physically “tapping” a telephone line, it expressly does not require that information service providers or equipment manufacturers do anything to open their consumers to government searches. But instead of addressing whether that purpose-built law permits the type of onerous and far-reaching order that was granted here, both the government and the court relied only on the All Writs Act—the two-century-old catch-all statute that judges rely on when ordering parties to unlock doors or turn over security footage.
Though judges frequently must weigh in and issue binding decisions on fiercely contested matters of great importance, they rarely do so with so little explanation, or after such short consideration of the matter. Indeed, when the government sought an identical order this past October in federal court in Brooklyn, N.Y., Magistrate Judge James Orenstein asked for briefs from Apple, the government, and a group of privacy rights organizations and, four months later, has yet to issue an opinion. Yet Judge Pym granted a similar order, without any stated justification, the same day that it was sought.
An order that is so far-reaching, so under-explained, and so clearly legally incorrect is deeply concerning. And yet, but for Apple’s choice to publicize its opposition, this unjustified erosion of our privacy could have happened under the radar and without any way to un-ring the bell. Fortunately, we appear to have avoided that outcome, and we can hope that Apple’s briefing will give the court the additional legal authority—and the additional time—that it will need to revisit its ruling.