Constitutional Law

The Federal Government Wants Your iPhone Passcode: What Does the Law Say?

Tim Joyce, MJLST Staffer

Three months ago, when MJLST Editor Steven Groschen laid out the arguments for and against a proposed New York State law that would require “manufacturers and operating system designers to create backdoors into encrypted cellphones,” the government hadn’t even filed its motion to compel against Apple. Now, just a few weeks after the government quietly stopped pressing the issue, it almost seems as if nothing at all has changed. But, while the dispute at bar may have been rendered moot, it’s obvious that the fight over the proper extent of data privacy rights continues to simmer just below the surface.

For those unfamiliar with the controversy, what follows are the high-level bullet points. Armed attackers opened fire on a group of government employees in San Bernardino, CA on the morning of December 2, 2015. The attackers fled the scene, but were killed in a shootout with police later that afternoon. Investigators opened a terrorism investigation, which eventually led to a locked iPhone 5c. When investigators failed to unlock the phone, they sought Apple’s help, first politely, and then more forcefully via California and Federal courts.

The request was for Apple to create an authenticated version of its iOS operating system which would enable the FBI to access the stored data on the phone. In essence, the government asked Apple to create a universal hack for any iPhone operating that particular version of iOS. As might be predicted, Apple was less than inclined to help crack its own encryption software. CEO Tim Cook ran up the banner of digital privacy rights, and re-ignited a heated debate over the proper scope of government’s ability to regulate encryption practices.

Legal chest-pounding ensued.

That was the situation until March 28, when the government quietly stopped pursuing this part of the investigation. In its own words, the government informed the court that it “…ha[d] now successfully accessed the data stored on [the gunman]’s iPhone and therefore no longer require[d] the assistance from Apple Inc…”. Apparently, some independent governmental contractor (read: legalized hacker) had done in just a few days what the government had been claiming from the start was impossible without Apple’s help. Mission accomplished – so, the end?

Hardly.

While this one incident, for this one iPhone (the iOS version is only applicable to iPhone 5c’s, not any other model like the iPhone 6), may be history, many more of the same or substantially similar disputes are still trickling through the courts nationwide. In fact, more than ten other federal iPhone cases have been filed since September 2015, and all this based on a 227 year old act of last resort. States like New York are also getting into the mix, even absent fully ratified legislation. Furthermore, it’s obvious that legislatures are taking this issue seriously (see NYS’s proposed bill, recently returned to committee).

Although he is only ⅔ a lawyer at this point, it seems to this author that there are at least three ways a court could handle a demand like this, if the case were allowed to go to the merits.

  1. Never OK to demand a hack – In this situation, the courts could find that our collective societal interests in privacy would always preclude enforcement of an order like this. Seems unlikely, especially given the demonstrated willingness in this case of a court to make the order in the first place.
  2. Always OK to demand a hack – Similar to option 1, this option seems unlikely as well, especially given the First and Fourth Amendments. Here, the courts would have to find some rationale to justify hacking in every circumstance. Clearly, the United States has not yet transitioned to Orwellian dystopia yet.
  3. Sometimes OK to demand a hack, but scrutiny – Here, in the middle, is where it seems likely we’ll find courts in the coming years. Obviously, convincing arguments exist on each side, and it seems possible reconcile infringing personal privacy and upholding national security with burdening a tech company’s policy of privacy protection, given the right set of facts. The San Bernardino shooting is not that case, though. The alleged terrorist threat has not been characterized as sufficiently imminent, and the FBI even admitted that cracking the cell phone was not integral to the case and they didn’t find anything anyway. It will take a (probably) much more scary scenario for this option to snap into focus as a workable compromise.

We’re left then with a nagging feeling that this isn’t the last public skirmish we’ll see between Apple and the “man.” As digital technology becomes ever more integrated into daily life, our legal landscape will have to evolve as well.
Interested in continuing the conversation? Leave a comment below. Just remember – if you do so on an iPhone 5c, draft at your own risk.


Requiring Backdoors into Encrypted Cellphones

Steven Groschen, MJLST Managing Editor

The New York State Senate is considering a bill that requires manufacturers and operating system designers to create backdoors into encrypted cellphones. Under the current draft, failure to comply with the law would result in a $2,500 fine, per offending device. This bill highlights the larger national debate concerning privacy rights and encryption.

In November of 2015, the Manhattan District Attorney’s Office (MDAO) published a report advocating for a federal statute requiring backdoors into encrypted devices. One of MDAO’s primary reasons in support of the statute is the lack of alternatives available to law enforcement for accessing encrypted devices. The MDAO notes that traditional investigative techniques have largely been ineffective. Additionally, the MDAO argues that certain types of data residing on encrypted devices often cannot be found elsewhere, such as on a cloud service. Naturally, the inaccessibility of this data is a significant hindrance to law enforcement. The report offers an excellent summary of the law enforcement perspective; however, as with all debates, there is another perspective.

The American Civil Liberties Union (ACLU) has stated it opposes using warrants to force device manufacturers to unlock their customers’ encrypted devices. A recent ACLU blog post presented arguments against this practice. First, the ACLU argued that the government should not require “extraordinary assistance from a third party that does not actually possess the information.” The ACLU perceives these warrants as conscripting Apple (and other manufacturers) to conduct surveillance on behalf of the government. Second, the ACLU argued using search warrants bypasses a “vigorous public debate” regarding the appropriateness of the government having backdoors into cellphones. Presumably, the ACLU is less opposed to laws such as that proposed in the New York Senate, because that process involves an open public debate rather than warrants.

Irrespective of whether the New York Senate bill passes, the debate over government access to its citizens’ encrypted devices is sure to continue. Citizens will have to balance public safety considerations against individual privacy rights—a tradeoff as old as government itself.


Warrant Now Required For One Type of Federal Surveillance, and May Soon Follow for State Law Enforcement

Steven Graziano, MJLST Staffer

As technology has advanced over the recent decades, law enforcement agencies have expanded their enforcement techniques. One example of these tools is cell-site simulators, otherwise known as sting rays. Put simply, sting rays act as a mock cell tower, detect the use of a specific phone number in a given range, and then uses triangulation to locate the phone. However, the recent, heightened awareness and criticism directed towards government and law enforcement surveillance has affected their potential use. Specifically, many federal law enforcement agencies have been barred from their use without a warrant, and there is current federal legislation pending, which would require state and local law enforcement agents to also gain a warrant before using a sting ray.

Federal law enforcement agencies, specifically Immigration, Secret Service, and Homeland Security agents must obtain search warrants before using sting rays, as announced by the Department of Homeland Security. Homeland Security’s shift in policy comes after the Department of Justice made a similar statement. The DOJ has affirmed that although they had previously used cell-cite simulators without a warrant, going forward they will require law enforcement agencies gain a search warrant supported by probable cause. DOJ agencies directed by this policy include the FBI and the Drug Enforcement Administration. This shift in federal policy was largely in response to pressures put upon Washington by civil liberties groups, as well as the shift in American public’s attitude towards surveillance generally.

Although these policies only affect federal law enforcement agencies, there have also been steps taken to expand the warrant requirement for sting rays to state and local governments. Federal lawmakers have introduced the Cell-Site Simulator Act of 2015, also known as the Stingray Privacy Act, to hold state and local law enforcement to the same Fourth Amendment standards as the federal government. The law has been proposed in the House of Representatives by Rep. Jason Chaffetz (R-Utah) and was designated to a congressional committee on November 2, 2015, which will consider it before sending it to the entire House or Senate. In addition to requiring a warrant, the act also requires prosecutors and investigators to disclose to judges that the technology they intend to use in execution of the warrant is specifically a sting ray. The proposed law was partially a response to a critique of the federal warrant requirement, name that it did not compel state or local law enforcement to also obtain a search warrant.

The use of advanced surveillance programs by federal, state, and local law enforcement, has been a controversial subject recently. Although law enforcement has a duty to fully enforce that law, and this includes using the entirety of its resources to detect possible crimes, it must still adhere to the constitutional protections laid out in the Fourth Amendment when doing so. Technology chances and advances rapidly, and sometimes it takes the law some time to adapt. However, the shift in policy at all levels of government, shows that the law may be beginning to catch up to law enforcement’s use of technology.


Are Trademark’s a Medium for Free Speech?: Federal Circuit Considers Whether Section 2(a) of the Lanham Act Violates the First Amendment

Michael Laird, MJLST Staffer

The Federal Circuit recently heard arguments en banc in a case considering the relationship between intellectual property regimes, specifically trademark law, and freedom of speech under the First Amendment of the U.S. Constitution. The long-term rule comes from the U.S. Court of Customs and Patent Appeals—the predecessor to the Federal Circuit—in the case In re McGinley. 660 F.2d 481 (C.C.P.A. 1981). There, the court held: “with respect to appellant’s First Amendment rights, it is clear that PTO’s refusal to register appellant’s mark [as a trademark] does not affect his right to use it. No conduct is proscribed, and no tangible form of expression is suppressed.” Id. at 484. Under that traditional rule, trademark law was held consistent with the first amendment because an applicant is still permitted to use a mark, whether or not it is trademark eligible. However, that precedent may be at risk.

On Friday, October 3, the Federal Circuit heard arguments for In re Tam on the question of whether § 2(a) of the Lanham Act is consistent with the right of free speech. Section 2(a) bars trademark eligibility for a mark that “consists of or comprises of immoral, deceptive, or scandalous matter; or matter which may disparage or falsely suggest a connection with persons, living or dead, institutions, beliefs, or national symbols, or bring them into contempt, or disrepute.” 28 U.S.C. § 1052(a). In Tam, § 2(a) was the basis for denying trademark registration for “The Slants”, the name of an Asian-American band because of its disparagement of those of Asian descent.

The court appeared to latch on to concerns that the logic of McGinley would be applicable in the copyright regime since rejection of a copyright would also not inhibit the applicant’s right to use that material. The court asked: “would [it] be constitutional and not a first amendment violation if Congress enacted a statute that said, ‘we’re going to regulate Copyrights and not allow copyright registration to issue to scandalous, immoral, or disparaging copyrights?’” Recording of Oral Arguments, In re Tam, No. 2014-1203 at 39:13 (Fed. Cir. October 2, 2015). The Government conceded, and Court appeared to agree that Congress could not bar disparaging art from copyright registration, as it does with trademarks. See id. at 39:33.

If a work cannot be denied copyright registration because the government concludes the work is disparaging, then some distinction between a copyright and trademark must exist for the government to reject a trademark on that basis. The Government was mostly unsuccessful in providing a means to distinguish the two regimes. The court, however, discussed a few possibilities.

First, the nature of speech in copyrighted material differs from the marks which are eligible for trademark protection. Copyrightable material may involve fundamental political speech and other private speech, which is protected under a heightened scrutiny by the first amendment. Id. at 41:30. Conversely, trademarks, as a means to associate the producer of goods and a brand or logo, constitutes commercial speech.

Second, as one judge stated: “the distinction that could be made is that in copyright, if the government has these limitations it’s so coercive that it essentially…prevents you from [certain] speech. Whereas the trademark realm, although it takes away some benefits of federal registration…it’s not so coercive that the restriction is a burden on free speech.” Id. at 44:30. This argument relates to McGinley, since independent of whether a trademark is granted or denied, the mark owner has the right to use his or her mark in public. In the copyright realm however, the logic of McGinley fails because the denial of a copyright might actually chill speech because of the risk that it will be misappropriated by someone else.

Third, the court differentiated the purpose of the copyright and trademark regimes: “isn’t a copyright a forum for the expression of the arts…whereas a trademark goes to the very heart of stability in the marketplace?” Id. at 5:23. Like a distinction between the nature of a trademark and copyright, the purpose of the systems diverge. Copyright is inherently protective of speech generally. Yet, most trademarks do not concern traditional speech, but protecting an association between the producer of a good and a brand or other mark.

Whether any argument will persuade the court that trademark law is distinct from copyright in some way that permits a disparagement bar to trademark registration remains to be seen. Notably, the court need not resolve the issue, if it were to determine that § 2(a) should be upheld or rejected based on the whether a trademark constitutes private, public, or commercial speech. Either way, the implications of the court’s ruling could impact another major ongoing disparagement case concerning the Washington Redskins’ trademark which is being appealed in the Fourth Circuit. If you are interested in listening to the argument in full, you can find a copy here.


Digital Privacy in Autonomous Vehicles

Steven Groschen, MJLST Managing Editor

The introduction of autonomous vehicles is likely to have a widespread effect on laws related to road travel. Theoretically, a well-functioning driverless car will never speed or run a red light. Thus, driverless cars are less likely to be pulled over. But what if an autonomous vehicle is pulled over and the officer wishes to perform a search of the automated system? Clues to how a court might handle this scenario are contained in Riley v. California.

Riley v. California, 134 S.Ct. 2473 (2014), explored the amount of protection digital content residing on an electronic device receives from unreasonable searches and seizures during a lawful arrest. The Supreme Court examined two independent fact patterns involving police officers searching an arrestee’s cellphone without a warrant. In the first fact pattern, an officer seized an individual’s cellphone in the course of an arrest and proceeded to electronically search through the contact list and pictures on the device. This search yielded evidence of gang related activity which was later used to convict the individual. In the second fact pattern, a police officer searched the phone of an individual, whom was also under arrest, and located a contact entry titled “my house.” The police used the phone number in the contact entry to discover the arrestee’s address. This information and a few other pieces of evidence taken from the phone helped the police secure a warrant to search the arrestee’s home.

The Riley decision made two holdings potentially relevant to autonomous cars. First, the court held that during a lawful arrest a warrant is generally required before searching the digital content on a cellphone. Second, the court suggested this protection is for the digital content and not necessarily the cellphone itself. These holdings can be interpreted as providing protection for digital content contained within automated driving systems. As a result, a plausible argument exists that, in the future, an officer will need a warrant before searching the digital content of an autonomous vehicle.

Predicting with any level of certainty how a court will handle digital content on an autonomous vehicle is difficult. Nonetheless, the discussion is important because autonomous vehicles are likely to become ubiquitous on the roadways in the next few decades. These vehicles will contain sensitive information such as route history and a log of the car’s actions. It is important to continue debating what privacy rights owners can and should expect regarding their future cars.

For an in-depth look at Riley and its implications for digital content contained in autonomous vehicles, see Sarah Aue Palodichuk’s article entitled “Driving into the Digital Age: How SDVs Will Change the Law and Its Enforcement.”


Fourth Circuit Revives Circuit Split over Cell Site Data

Mickey Stevens, MJLST Note & Comment Editor

In August, the United States Court of Appeals for the Fourth Circuit revived the dispute over whether the use of historical cell site location data constitutes a “search” under the Fourth Amendment, and whether obtaining that cell site data requires a warrant. That court’s decision in United States v. Graham, Nos. 12-4659, 12-4825, 2015 WL 4637931 (4th Cir. 2015), now conflicts with the Third, Fifth, and Eleventh Circuits on how to treat the use of cell site data in criminal investigations.

A September 2014 MJLST blog post discussed the then-existing circuit split between the Eleventh Circuit holding that a warrant was required to obtain cell site data and the Fifth and Third Circuits holding that a warrant was not necessary to do so. Since the time of that post, the legal landscape regarding cell site data has undergone significant changes.

First, the Eleventh Circuit vacated their initial decision in United States v. Davis, 754 F.3d 1205 (11th Cir. 2014), and granted a rehearing. Upon rehearing, the Eleventh Circuit came to the exact opposite conclusion, holding that the government did not conduct a “search” by obtaining cell site data, and that no warrant was necessary even if that conduct did constitute a search. United States v. Davis, 785 F.3d 498 (11th Cir. 2015). The Eleventh Circuit’s decision upon rehearing agreed with previous decisions from the Third and Fifth Circuits and eliminated the circuit split that was created by the initial decision.

Then, the Fourth Circuit decided Graham. The Graham opinion closely mirrors the Eleventh Circuit’s initial Davis decision, holding that the government conducts a “search” when it obtains and inspects cell site data and that a warrant is necessary to obtain cell site data. The court reasoned that the third-party doctrine, which says that information provided to third-parties such as cell phone service providers is no longer protected by a reasonable expectation of privacy, should not be applied to cell site data because cell phone users do not voluntarily share their location. This is the same approach that the initial Davis court took, thus renewing the debate over how to apply this doctrine to modern cell site data.

In July, a petition for writ of certiorari was filed with the Supreme Court of the United States asking for review of the Eleventh Circuit’s rehearing decision in Davis. The Eleventh Circuit’s own flip-flopping on these issues, combined with Graham’s revival of a circuit split, provides good reason for the Supreme Court to resolve these open questions regarding the gathering and use of cell site data in criminal investigations.