FBI Director James Comey took a rare break from the posturing typical of investigators and prosecutors in the current showdown between Apple and the FBI. While prosecutors argue that Apple’s privacy concerns are a smokescreen to avoid “assist[ing] the effort to fully investigate a deadly terrorist attack,” Comey posted a statement over the weekend in which he took the position that the tension between security and privacy “should not be resolved by corporations that sell stuff for a living. It also should not be resolved by the FBI, which investigates for a living. It should be resolved by the American people deciding how we want to govern ourselves in a world we have never seen before.”
Comey’s statement highlights a crucial problem with the development of privacy law: it often is developed in the context of important criminal cases. This comes at a real cost. We all know that Syed Farook committed a horrific crime, and any rights he once had against government searches are now forfeit. But though Apple may have chosen to serve as a limited proxy for its consumers in the San Bernardino case, often the interests of private citizens are wholly absent from the courtroom (or, often, judge’s chambers) when issues of fundamental privacy are debated.
This leads to a serious imbalance: Apple is talking about the diffuse privacy rights of its consumers and the risks of potential incursions by more restrictive, less democratic governments such as China. On the other hand, Manhattan District Attorney Cyrus Vance can point to 175 Apple devices that he cannot physically access even though those devices may contain evidence helpful to the government.
New York Police Commissioner Bill Bratton and one of his deputies put an even finer point on it in an Op-Ed in The New York Times, citing a specific case of a murder victim in Louisiana (more than one thousand miles outside of Mr. Bratton’s jurisdiction) whose murder is unsolved because officers cannot unlock her iPhone, which is believed to contain her killer’s identity. “How is not solving a murder, or not finding the message that might stop the next terrorist attack, protecting anyone?” asks Bratton.
But in assuming that private citizens have no greater fear than whether the police can investigate and prevent crimes, Bratton begs the question. In reality, citizens may see law enforcement as a threat of itself. Learning that the NSA was engaging in comprehensive warrantless surveillance likely has given many law-abiding Americans a greater incentive to protect their data from being accessed by the government. Indeed, in light of the NYPD’s record over the last few years—including a finding by a federal judge that they were systematically violating the rights of black New Yorkers and a lawsuit over religion-based spying on Muslims—it is not hard to see why citizens might want protection against Bratton’s police force.
But even if the police were the angels they purport to be, opening a door for a white hat can easily allow access to a black one. Less than a year ago, hackers used a “brute force” approach to exploit a flaw in iCloud’s security, and dozens of celebrities had their private photos shared with the world. These sex crimes are all but forgotten in the context of the San Bernardino shootings, even though the security weakness the FBI wants installed in Farook’s iPhone is markedly similar to that exploited with respect to iCloud.
Nor do those who wish for privacy need to invoke hackers or criminals. A private, intimate moment with a spouse or loved one; a half-finished poem, story, or work of art; or even a professional relationship with a doctor or mental health professional cannot exist unless they can remain private. Once these interactions took place in spoken, unrecorded conversations or on easily discarded paper; now many of our daily activities are carried out on our mobile devices. Even if one has nothing to hide, many citizens might balk at the prospect of having to preserve their private conversations in a format readily accessible by the police.
But if Mr. Comey has shown unusual insight, Mr. Bratton’s one-sided, myopic question illustrates the importance of Apple’s position and the inability of law enforcement officials to be objective about the interests at stake. Police and prosecutors are not always your friends or your defenders. Their goals are—and always will be—investigating and solving crimes and convicting suspected criminals. The less an officer knows, the harder it will be to investigate a case. As a result, privacy rights—even when asserted by innocent, law-abiding citizens—make their job more difficult, and many officers see those rights as simply standing in their way.
This is hardly news. Nearly sixty years ago the Supreme Court observed that officers, “engaged in the often competitive enterprise of ferreting out crime,” are simply not capable of being neutral in criminal investigations. For precisely that reason, the Fourth Amendment requires them to seek approval from a “neutral and detached magistrate” before a search warrant may issue.
That is why Mr. Comey’s acknowledgement that the FBI is not a disinterested party is so refreshing. Pro-law-enforcement voices have been clamoring to require Apple to compromise the security it built into the iPhone, invoking their role as public servants to buttress their credibility. But when it comes to privacy, the police do not—and cannot—represent the public interest. As Comey acknowledged, they are “investigators,” and privacy rights will always stand as an obstacle to investigation.
It is a well-known maxim that “bad facts make bad law.” And as anybody even casually browsing social media this week likely has seen, the incredibly tragic facts surrounding the San Bernadino attacks last December have led to a ruling that jeopardizes the privacy rights of all law-abiding Americans.
First, it is important to clearly understand the ruling. After the horrific attack in San Bernadino on December 2, 2015, the FBI seized and searched many possessions of shooters Syed Rizwan Farook and Tashfeen Malik in their investigation of the attack. One item seized was Farook’s Apple iPhone5C. The iPhone itself was locked and passcode-protected, but the FBI was able to obtain backups from Farook’s iCloud account. These backups stopped nearly six weeks before the shootings, suggesting that Farook had disabled the automatic feature and that his phone may contain additional information helpful to the investigation.
Under past versions of iOS, the iPhone’s operating system, Apple had been able to pull information off of a locked phone in similar situations. However, Farook’s iPhone—like all newer models—contains security features that make that impossible. First, the data on the phone is encrypted with a complex key that is hardwired into the device itself. This prevents the data from being transferred to another computer (a common step in computer forensics known as “imaging”) in a usable format. Second, the iPhone itself will not run any software that does not contain a digital “signature” from Apple. This prevents the FBI from loading its own forensic software onto Farook’s iPhone. And third, to operate the iPhone requires a numeric passcode; each incorrect passcode will lock out a user for an increasing length of time, and the tenth consecutive incorrect passcode entry will delete all data on the phone irretrievably. This prevents the FBI from trying to unlock the iPhone without a real risk of losing all of its contents.
As Apple CEO Tim Cook has explained, this system was created deliberately to ensure the security of its users’ personal data against all threats. Indeed, even Apple itself cannot access its customers’ encrypted data. This creates a unique problem for the FBI. It is well-settled that, pursuant to a valid search warrant, a court can order a third party to assist law enforcement agents with a search by providing physical access to equipment, unlocking a door, providing camera footage, or even giving technical assistance with unlocking or accessing software or devices. And, as the government has acknowledged, Apple has “routinely” provided such assistance when it has had the ability to access the data on an iPhone.
But while courts have required third parties to unlock doors, they have never required them to reverse-engineer a key. That is what sets this case apart: to assist the government, Apple would have to create something that not only does not exist, but that it deliberately declined to create in the first instance.
On February 16, Assistant U.S. Attorneys in Los Angeles filed an ex parte motion (that is, without providing Apple with notice or a chance to respond) in federal court seeking to require Apple to create a new piece of software that would (1) disable the auto-erase feature triggered by too many failed passcode attempts and (2) eliminate the delays between failed passcode attempts. In theory, this software is to work only on Farook’s iPhone and no other. This would allow the FBI to use a computer to simply try all of the possible passcodes in rapid succession in a “brute force” attack on the phone. That same day, Magistrate Judge Sheri Pym signed what appears to be an unmodified version of the order proposed by the government, ordering Apple to comply or to respond within five business days.
Though Apple has not filed a formal response, CEO Tim Cook already has made waves by publicly stating that Apple will oppose the order. In a clear and well-written open letter, Cook explains that Apple made the deliberate choice not to build a backdoor into the iPhone because to do so would fatally undermine the encryption measures built in. He explains that the notion that Apple could create specialized software for Farook’s iPhone only is a myth, and that “[o]nce created, this technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key . . . .”
This has re-ignited the long-standing debate over the proper balance between individual privacy and security (and the debate over whether the two principles truly are opposed to one another). This is all to the good, but misses a key point: Judge Pym’s order, if it stands, has not only short-circuited this debate, it ignores the resolution that Congress already reached on the issue.
Indeed, a 1994 law known as the Communications Assistance for Law Enforcement Act (“CALEA”) appears to prohibit exactly what the government requested here. Though CALEA preserved the ability of law enforcement to execute wiretaps after changing technology made that more complicated than physically “tapping” a telephone line, it expressly does not require that information service providers or equipment manufacturers do anything to open their consumers to government searches. But instead of addressing whether that purpose-built law permits the type of onerous and far-reaching order that was granted here, both the government and the court relied only on the All Writs Act—the two-century-old catch-all statute that judges rely on when ordering parties to unlock doors or turn over security footage.
Though judges frequently must weigh in and issue binding decisions on fiercely contested matters of great importance, they rarely do so with so little explanation, or after such short consideration of the matter. Indeed, when the government sought an identical order this past October in federal court in Brooklyn, N.Y., Magistrate Judge James Orenstein asked for briefs from Apple, the government, and a group of privacy rights organizations and, four months later, has yet to issue an opinion. Yet Judge Pym granted a similar order, without any stated justification, the same day that it was sought.
An order that is so far-reaching, so under-explained, and so clearly legally incorrect is deeply concerning. And yet, but for Apple’s choice to publicize its opposition, this unjustified erosion of our privacy could have happened under the radar and without any way to un-ring the bell. Fortunately, we appear to have avoided that outcome, and we can hope that Apple’s briefing will give the court the additional legal authority—and the additional time—that it will need to revisit its ruling.
Several news publications have been making much ado about a tactic the FBI used in 2007 to locate an individual suspected in a series of bomb-threats to Washington state high schools. The FBI created a fake news article, falsely representing it as an Associated Press publication, and sent a link to the suspect’s MySpace account. The article headline, which was directed at the suspect, was meant to entice him to go to the link. It worked. The suspect clicked on the link, which enabled the FBI to download malware on his computer and identify his location and Internet Protocol address. The suspect was subsequently arrested, charged and prosecuted in state court.
Newspapers and other media outlets have recently decried the FBI’s use of the AP’s name and brand recognition to further its purposes. The AP’s director of media relations noted in an October 2014 statement: “This ploy violated AP’s name and undermined AP’s credibility.” The Seattle Times complained that such action not only crosses the line, but erases it (the statement was made when the paper believed its publication was involved). The controversy is somewhat understandable: journalists want to ensure their perceived independence; they don’t want to be seen as a tool of the powers that be.
But media concern over the FBI’s use of the AP name may be slightly overstated. The FBI did not publish the fake news article for broad dissemination. It directed the article to one suspect only. Nor is it exactly unprecedented for investigators to hold themselves out as something they are not in order to gain the trust of and nab wrongdoers. Should all cool teens (however they self-describe these days) complain that Narcs are undermining their reputation and street cred? Without these undercover operations, a major tool to FBI investigations would be lost, not to mention fodder for the popular television series that made Johnny Depp famous. FBI and other enforcement agencies regularly use deception to catch criminals. Everyone knows this, including the wrongdoers at whom deceptive practices are targeted.
Some argue that there is a colorable difference between impersonating a fake individual or persona and impersonating the press. If the impersonation were on a large scale and were relatively public, the deception would be problematic. People wouldn’t know what journalism was credible and what journalism wasn’t (not that this isn’t already a subject a some debate…). But narrowly-focused operations directed exclusively at suspects who are the subject of a search warrant is a different scenario, and that’s the scenario that appears to be in play here. Where the FBI employs such tactics well enough into an investigation to support a search warrant, including having probable cause that the suspect is involved in criminal activity, using deception, which is an efficient way to locate the individual, doesn’t seem too alarming.
Of course, it is important to emphasize that legal process is everything. If the FBI were to disseminate fake news articles to gain computer access at the launch of an investigation, before it had a target, before it had probable cause, and before it had its actions approved judicially by a search warrant, such tactics would risk impacting innocent individuals and undermining news sources.
When high frequency trading (HFT) first crept into the public consciousness, it related to primarily to the question of whether rapid, computer driven trading posed risks to the safety and stability of the trading markets. Now it appears that HFT may have also been a means for some traders to gain a possible illegal advantage.
High frequency trading involves the use of sophisticated technological tools and computer algorithms to rapidly trade securities. High frequency traders use powerful computing equipment to execute proprietary trading strategies in which they move in and out of positions in seconds or even fractions of a second. While high frequency traders often capture just a fraction of a cent in profit on each trade, they make up for low margins with enormous volume of trades.
High frequency trading is viewed by many as particularly risky. While some participants disagree, the Securities and Exchange Commission and the Commodity Futures Trading Commission issued a report in which their staffs concluded that algorithmic and high frequency trading contributed to the volatility that led to the May 6, 2010 “flash crash.”
More recently, high frequency trading has come under scrutiny by law enforcement. A number of agencies are investigating such practices to determine whether high frequency traders are profiting at the expense of ordinary investors. The Justice Department and the FBI have recently announced investigations, while U.S. securities regulators and the New York Attorney General have said that they have ongoing investigations.
Heightening the recent HFT craze is renowned author Michael Lewis, who recently authored Flash Boys: A Wall Street Revolt. In the book, Lewis claims that computer-driven stock trading has taken over the market at the expense of ‘the little guy’. According to Lewis, Wall Street is rigged by a combination of insiders – stock exchanges, big Wall Street banks and HFT. Lewis claims that HFT’s advantage is so severe that traders are able to predict which stock a common investor wants to buy before he or she can buy it, and drive the price up before the investor can initiate the purchase.
Not everyone is buying the claims Lewis makes in his book. There have been many on record stating that HFT actually does not prey on mom and pop investors. Additionally, many individualsbelieve Lewis’ claims are overblown and that HFT does not provide traders with a huge profitable advantage.
Inevitably, the most pressing question about high frequency trading is whether any such businesses are given an unfair – and illegal – advantage in placing trades. On April 11, three futures traders filed a federal class action lawsuit against CME Group, the owner of the Chicago Mercantile Exchange and the Chicago Board of Trade, claiming that high frequency traders are given an improper advance look at price and market data that permits them to execute trades using the data before other market participants. While the plaintiffs claim that this practice has existed since 2007, CME denies the merits of the allegations.
Between the investigations and this lawsuit (and the others that will certainly follow), it will eventually be determined whether traders with high speed computers benefited improperly over other market participants. Regardless of the merits of these accusations, it is unquestionable that high frequency trading, like all technological advances, poses special challenges to existing rules and laws that will require special consideration and possibly require new rules and regulations.