Apple Strikes A Blow For Privacy

A recent change by Apple is good news for advocates of privacy and civil liberties in the Internet Age.


Apple is announcing a new change in its privacy policy, as well as changes to the operating system for iPhones and iPads that will make it impossible for government agencies to force the company to unlock users’ phones and tablets, even with a search warrant:

Apple said Wednesday night that it is making it impossible for the company to turn over data from most iPhones or iPads to police — even when they have a search warrant — taking a hard new line as tech companies attempt to blunt allegations that they have too readily participated in government efforts to collect user information.

The move, announced with the publication of a new privacy policy tied to the release of Apple’s latest mobile operating system, iOS 8, amounts to an engineering solution to a legal quandary: Rather than comply with binding court orders, Apple has reworked its latest encryption in a way that prevents the company — or anyone but the device’s owner — from gaining access to the vast troves of user data typically stored on smartphones or tablet computers.

The key is the encryption that Apple mobile devices automatically put in place when a user selects a passcode, making it difficult for anyone who lacks that passcode to access the information within, including photos, e-mails and recordings. Apple once maintained the ability to unlock some content on devices for legally binding police requests but will no longer do so for iOS 8, it said in the new privacy policy.

“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data,” Apple said on its Web site. “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

As the new operating system becomes widely deployed over the next several weeks, the number of iPhones and iPads that Apple is capable of breaking into for police will steadily dwindle to the point where only devices several years old — and incapable of running iOS 8 — can be unlocked by Apple.

As the article goes on to note, this move does not affect Apple’s legal duty to turn over user data that is stored on third-party services that it has control over, such as iCloud, but that is merely a recognition of long-standing Fourth Amendment law that says that an individual does not have a Fourth Amendment expectation of privacy in information and material stored with a third party. While there have been some indications that the Federal Courts may be revising that ruling as it applies to technology, such as a December ruling on the N.S.A.’s metadata collection program and the Supreme Court ruling on police searches of smartphones, that principle has been a part of Fourth Amendment law for decades. This means that anything stored in “the cloud” is capable of being acquired by law enforcement without the knowledge of the person who “owns” the data, and in some cases even without a search warrant. Nothing that Apple announced Wednesday changes their legal responsibility in this situation, so anything you store in the cloud is capable of being obtained by the state and there’s really not much that you can do about it.

The new privacy policy, along with the engineering changes that were apparently made to iOS 8, however, are significant because they will mean that the police will no longer be able to force Apple to assist them in unlocking a locked iPhone or iPad in order to access the data that might be on the device. Now, even if it is served with a subpoena, Apple can report to law enforcement that there’s nothing that it can do because it is technologically impossible for it to do what the search warrant is requesting. Obviously, how you feel about that depends on where you stand in the civil liberties v. law enforcement debate:

Although the company’s security took a publicity hit with the leak of intimate photos of celebrities from their Apple accounts in recent weeks, the move to block police access to the latest iPhones and iPads will thrill privacy activists and frustrate law enforcement officials, who have come to rely on the extensive evidence often found on personal electronic devices.

“This is a great move,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union. “Particularly after the Snowden disclosures, Apple seems to understand that consumers want companies to put their privacy first. However, I suspect there are going to be a lot of unhappy law enforcement officials.”

Ronald T. Hosko, the former head of the FBI’s criminal investigative division, called the move by Apple “problematic,” saying it will contribute to the steady decrease of law enforcement’s ability to collect key evidence — to solve crimes and prevent them. The agency long has publicly worried about the “going dark” problem, in which the rising use of encryption across a range of services has undermined government’s ability to conduct surveillance, even when it is legally authorized.

“Our ability to act on data that does exist . . . is critical to our success,” Hosko said. He suggested that it would take a major event, such as a terrorist attack, to cause the pendulum to swing back toward giving authorities access to a broad range of digital information.

This doesn’t mean that a locked phone is beyond law enforcement’s reach, of course. Wired’s Andy Greenberg notes that it would still be possible for law enforcement to attempt to unlock the phone itself by cracking the passcode, and that would not violate the Fourth Amendment as long as they obtained custody of the phone legally. Additionally, police and prosecutors faced with this dilemma will no doubt attempt to obtain court orders forcing users to unlock their phones. As I’ve noted in the past, however, that is an area of law that is still quite undeveloped. Some courts have ruled that requesting a passcode to an electronic device is akin to being required to unlock a locked storage box, which is something that Courts have held can be required under the Fourth Amendment provided that there is a proper warrant for the contents of the box, and therefore that a Defendant must comply with such a request. Others have held that it is similar to being asked to provide the combination to a safe, which Courts have held would be covered by the Fifth Amendment right against self-incrimination, and thus that a suspect cannot be compelled to unlock an electronic device secured by a passcode. To date, that issue has not made it to the Supreme Court, so this is an area of the law that remains uncertain. With this move by Apple, which is likely to be followed by other smartphone manufacturers if, as suspected, it proves to be a marketing success, those types of cases are likely to become more prevalent.

Law enforcement will complain that this move by Apple makes it more difficult to do their job, but it strikes me that this argument has little merit. In some sense, all of the civil liberties protections that the Fourth and Fifth Amendments protect make it more difficult for law enforcement to do their job. After all, it would be a lot easier to investigate crimes if you could search people’s homes without warrants, confiscate their property without probable cause, coerce confessions out of them without the presence of counsel, and force them to testify against themselves in Court. That, however, is the entire point of these protections. On some level, we have made the decision that it is worth hamstringing law enforcement to some degree in order to protect the liberties of the people, even if that means that, sometimes, a “guilty” person goes free. In the end, that is a small price to pay for the freedoms that are protected. In this case, while Apple’s actions aren’t a Constitutional Law matter per se, they are likely to go a long way toward resetting the balance between privacy and surveillance in the age of technology, and that’s a good thing.

Good job, Apple. Now, the ball is in your court, Google.

FILED UNDER: Economics and Business, Law and the Courts, Science & Technology
Doug Mataconis
About Doug Mataconis
Doug holds a B.A. in Political Science from Rutgers University and a J.D. from George Mason University School of Law. He joined the staff of OTB in May 2010. Before joining OTB, he wrote at Below The Beltway, The Liberty Papers, and United Liberty.

Comments

  1. Paul L. says:

    After all, it would be a lot easier to investigate crimes if you could search people’s homes without warrants, confiscate their property without probable cause, coerce confessions out of them without the presence of counsel, and force them to testify against themselves in Court.

    According to the nation’s foremost Constitutional Law professor, those are only privileges we get for our required responsibility to our Country.

    Our Constitution reflects the values we cherish as a people and the ideals we strive for as a society. It secures the privileges we enjoy as citizens, but also demands participation, responsibility, and service to our country and to one another.

  2. Eric says:

    Good job, Apple. Now, the ball is in your court, Google.

    Google will most likely not take this route. Google and Apple are totally different companies in how they make their money. As Tim Cook was saying about Apple, they sell hardware products (iPhones, iPads, Macs, etc). Google makes their money off of having users’ data through all of the services they offer (Gmail, Android phones, Google searches, etc).

    I doubt Google would stop collecting data on users unless they change their entire business model.

  3. stonetools says:

    Good job Apple. I knew there was a reason why I was an Apple customer [let the flame wars begin;-)]. Hopefully, all the other tech companies will follow Apple’s, er, innovation. (Heh, that will set off more flames).
    In real life, the customers - the half who bother to lock their phones at all - use a four digit code (I do.) Dunno if that will keep the FBI out for long.
    Now touch ID poses an interesting legal question. I would argue forcing a person to use his finger to unlock a phone violates his privilege against self-incrimination. And can a person refuse to get fingerprinted as part of the booking process on those grounds?
    I see some interesting criminal and constitutional law issues coming up in the area of smartphones. Good job, Doug. Looking forward to more posts on this issue.

  4. rudderpedals says:

    Behold the birth of the newest breed of malware, iOS8 keyloggers.

    Cloud storage doesn’t inspire a lot of confidence for mission critical use. The concept works great however for moving game saves across a Steam account.

  5. Grewgills says:

    Here’s hoping Google and Microsoft will follow suit. If they don’t I may switch with my next phone purchase to support this move.

  6. Matt Bernius says:

    @Eric:

    As Tim Cook was saying about Apple, they sell hardware products (iPhones, iPads, Macs, etc). Google makes their money off of having users’ data through all of the services they offer (Gmail, Android phones, Google searches, etc).

    THIS!

    What’s staggering to appreciate about Apple is that all of their Media and App related revenue pales in comparison to what they make on Hardware.

    There’s no way that Google could make the same move without risking their current business model.

  7. PJ says:

    Newest Androids will join iPhones in offering default encryption, blocking police:

    The next generation of Google’s Android operating system, due for release next month, will encrypt data by default for the first time, the company said Thursday, raising yet another barrier to police gaining access to the troves of personal data typically kept on smartphones.

    Android has offered optional encryption on some devices since 2011, but security experts say few users have known how to turn on the feature. Now Google is designing the activation procedures for new Android devices so that encryption happens automatically; only somebody who enters a device’s password will be able to see the pictures, videos and communications stored on those smartphones.

  8. PJ says:

    @Eric:
    Apple is, through iAd, showing targeted ads based on at least the following:
    Demographics
    Application preferences
    Music passions
    Movie, TV and audiobook genre interests
    Location
    Device (iPhone, iPad, iPod touch)
    Network (WiFi, 3G)

    Now you can opt out of that. But then you can opt out of interest based ads in Android too.

  9. PJ says:

    @PJ:
    About that list, if Apple had owned the most used search engine, does anyone actually believe that Apple wouldn’t have used information based on searches for targeted ads?

  10. Matt says:

    @Matt Bernius: Well that’s what happens when you sell hardware that is seriously overpriced. Cheap components with a pretty box slapped around it.

    I don’t like Apple because I’ve worked on far too much of the hardware to have any respect for what they build. Even the pro stuff has cheap components…

  11. Yolo Contendere says:

    Could you clarify this?

    that is merely a recognition of long-standing Fourth Amendment law that says that material that an individual does not have a Fourth Amendment expectation of privacy in information and material stored with a third party

    Because it sounds like you’re saying I don’t have an expectation of privacy in the contents of my safe deposit box at the bank. I’m pretty certain the bank is going to ask to see the warrant, and not just allow the government to sift through the contents of their vaults.

  12. Matt says:

    BTW I feel the same way about what Dell did to Alienware and other companies like that.

  13. Franklin says:

    @Paul L.: You’re an ass and a liar, but mostly an ass. That proclamation never uses the word “privilege” or “required responsibility”. It’s mostly just boilerplate blah blah blah. Why don’t you go back to your troll hole?

  14. Just 'nutha ig'rant cracker says:

    @Yolo Contendere: The key to your question is the word “warrant.” The question of whether the government can crack your safe (a private party storage point) is completely different from opening your safe deposit box (a third party storage). Even with a warrant, the courts have, from what I understand, ruled that the police can charge you with contempt, but not open your safe themselves. But I may be wrong; IANAL.

  15. Yolo Contendere says:

    @Just ‘nutha ig’rant cracker: Yeah, he’s either got a couple extra words in that sentence, or a couple missing, and I’m not sure what he’s asserting. I know the law occasionally has stupid stuff, like they can make you open a locked box you possess, but not open a safe in the same room (what is a safe, if not a locked box?), but I don’t understand the assertion just because it’s entrusted to a third party, it’s no longer private. Seriously, I’m trying to imagine cops walking into a bank and saying “We just want to go through some stuff” without a warrant. And didn’t that used to be an old TV trope, where the detective fed bad info to a suspect, so the suspect would go get the incriminating evidence out of their safe deposit box, then they’d grab him? Swear I’ve seen that before.

  16. Lenoxus says:

    @rudderpedals: One small advantage of the “walled garden” is that malware isn’t as huge an issue. If someone’s non-jailbroken iPhone has malware, then they probably downloaded it from the App Store, and Apple-approved Trojan horses would rightly be front-page news.

    A bigger problem, as stonetools mentioned, is that the data will typically be encrypted with only a four-digit passcode. If anyone gets that encrypted data, they have a maximum of 10,000 tries before guaranteed success, which is under three hours at one guess per second. (Hardware limitations on the number of guesses are irrelevant if they have the data itself.) Of course that assumes they use the phone’s password — they probably encrypt it with the Apple user password, which has limits to prevent quick guessability like that.

    I strongly recommend using password managers like LastPass or KeePass, and in the case of passwords you have to manually enter frequently, just generating and memorizing something reasonably complex, since muscle memory will cover it after a while. (Using five random words, concatenated, can often be easier to memorize than letters and numbers, but your muscles will hate you for working so much instead of letting them memorize a short random string).

  17. HelloWorld! says:

    Law enforcement has all the tools they need to unlock your data, so this is a good PR move by Apple but does little for actual privacy. It boils down to CISPA (Cyber security Information Protection Act). New encryption hashing does not equal the inability for govt agencies to unlock.

    I am going with a Windows Phone because it is positioned for the coming “Internet of Things”, but I am very careful about the dangers of the lack of privacy laws, and Apple’s choice to change security settings does not do anything to solve the root problem (CISPA).

  18. Rafer Janders says:

    @Yolo Contendere:

    that is merely a recognition of long-standing Fourth Amendment law that says that material that an individual does not have a Fourth Amendment expectation of privacy in information and material stored with a third party

    To add to Yolo Contendere’s point about safe deposit boxes above, we also routinely store sensitive personal information with third parties — letters with the Post Office, notes about our therapy sessions at the psychologist’s office, medical history at a doctor’s office, case files at our law firm, etc. — that we still maintain an expectation of privacy in.

  19. Paul L. says:

    @Franklin:

    You’re an ass and a liar, but mostly an ass. That proclamation never uses the word “privilege” or “required responsibility”.

    Looks like you are the ass and a liar.

    [The Constitution] “{It} secures the privileges we enjoy as citizens, but also demands participation, responsibility, and service to our country and to one another.”

    Unless you are going to claim / pretend that the word it refers to something else like roads and bridges.

  20. Anonne says:

    1. Google already allows you to do this in your security settings, it is just off by default.

    2. With Android L, this will be on by default. That news came out yesterday and you clearly missed it. That’s easy, since Apple owns mainstream tech media and most people don’t know or care until Apple moves.

    http://www.androidcentral.com/android-l-phones-will-shut-out-nsa-increased-privacy
    http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/18/newest-androids-will-join-iphones-in-offering-default-encryption-blocking-police/?hpid=z1&wp_login_redirect=0