In the current legal battle between Apple and the FBI over a San Bernardino terrorist’s cell phone, critical security, technology, privacy, legal, and counterterrorism issues have all come to a head. As different judges have come to different conclusions on this issue and with Apple and the Department of Justice appealing these cases, Congress has also entered the debate. In a vigorous debate held by the House Judiciary Committee on March 1, no consensus was forthcoming and the issue cut across political lines. It is one that defies simple solutions.
There is agreement, however, that this issue is important and deserves a complete debate. Given the technical nature of this issue and the need for Congress to fully understand the costs and benefits of various courses of action, recent proposals to establish a commission to study this issue are a prudent path forward.
Basics of Apple vs. the FBI
Apple has continually improved the security of its devices. The iPhone 5C used by Syed Farook has encryption that no one can break, including Apple itself. The only way to access the device is to use the proper passcode, which only the user should know. Since the passcode is the only way into this phone, Apple has also built several protections around the passcode, such as an auto-erase protection that deletes the contents of the phone after 10 incorrect passcode attempts and a passcode delay protection that makes a user wait increasingly long times between incorrect attempts.
A court in California ordered Apple to create a new program, which Apple says does not exist, to be uploaded to the iPhone to disable the auto-erase function and other passcode protections. This would enable the FBI to try every passcode combination (1111, 1112, 1113, etc.) in rapid succession until it guesses the correct passcode, a process known as “brute-forcing.”
Apple is appealing this order and has won a separate, similar case in New York that involves different versions of iPhones and operating systems. In both cases, the Department of Justice argues that its authority to compel Apple to assist the FBI comes from the All Writs Act (AWA) of 1789. According to the Congressional Research Service, the AWA “performs a gap-filling function,” that, according to the Supreme Court, can be used “to effectuate and prevent the frustration of orders” that are duly issued by courts. But there are limits to this authority. The Supreme Court articulated three limitations in United States v. New York Tel. Co.:
- The order to comply must not be an “unreasonable burden” on the company,
- The order must be “consistent with the intent of Congress,” and
- The company’s assistance must be “essential to fulfillment of the [government’s] purpose.”
The key legal questions will focus on the first two of these limitations: whether the order is an unreasonable burden and whether it is consistent with the intent of Congress, given that Congress has mandated technological help in some areas, but not here. 
Going Dark and the Challenges of Encryption
Encryption and strong protections on devices and computers provide consumers with significant security benefits. Cyber breaches and attacks happen regularly, striking individuals, businesses, and governments. Strong encryption and strong device security are essential to keeping important information out of the hands of criminals and hackers.
However, as with any advance in technology, it is usable not only by trustworthy actors but also by malicious ones. Terrorists and criminals are taking advantage of strong encryption, making it much harder and in some cases impossible to investigate bad actors. Nearly everyone understands this to be a significant problem that in some cases makes the U.S. less safe by shielding the communications and data of these bad actors. As a result, the law enforcement community, led by the FBI, has been seeking legislative relief for the better part of 2015 that would give law enforcement some sort of special access or back door to encrypted devices when they are duly authorized by a court order. This is a reasonable and even admirable position that seeks to keep America safe.
Unintended Consequences of What the FBI Wants
Regrettably, this issue is not that simple. Many of the best technical minds and companies have stated that allowing special access or (as in this case) creating software to disable passcode protections could have at least four unintended consequences.
First, some have argued that once this software tool is created, other countries will ask for it as well. While nothing stops other countries from demanding such a workaround, Apple and other technology companies can legitimately claim that they do not have it. That ends once Apple creates the tool. Other countries could use this tool solely for legitimate law enforcement purposes, but they could also turn it against dissidents.
Second, creating software that weakens the protections around devices will result in persistent, widespread technological vulnerability. This software would enable whoever possesses it to unlock any iPhone 5c and possibly other iPhones as well. The FBI could certainly end up requesting such a workaround for other phones and devices. As a result, millions of devices would be vulnerable if the software tool were to fall into the hands of hackers or other countries.
Third, further innovation could stifle the FBI’s demands and create an encryption arms race. Apple is already designing upgrades to iPhone that would make it impossible to disable the protections the FBI wants disabled. The FBI would then have to make ever more burdensome and difficult demands on private companies. Of course, bad actors will also respond and the sophisticated ones will use encryption applications like Telegram or WhatsApp. A survey of encryption technologies available today found that there are at least 546 encrypted products designed outside the U.S. The companies designing these products, especially those in foreign countries, are not going to help the FBI work around or through their encryption, which means that bad actors will still have access to encryption regardless of the outcome of this debate.
Fourth, several legal questions have emerged in the San Bernardino case brought by the Department of Justice. These include arguments that forcing Apple to create software would run afoul of the First amendment by forcing Apple to speak. Another concern is what the limiting principle is in this case. If the government can order Apple to develop software to crack its own encryption, what is to stop it from ordering Apple to turn on the audio record function of a suspected criminal? This unclear limit on what the government could force Apple or other technology companies to do under such an AWA precedent is problematic.
The Way Forward
In response to conflicting priorities in a highly technical issue, lawmakers on both sides of the aisle, as well as Apple, have suggested the idea of an encryption commission to leverage the expertise and perspectives of different stakeholders. This issue has important security implications, but regrettably, some have been quick to dismiss the other side and question motivations as less than charitable.
Rather than Members talking past each other, Congress should:
- Not rush to a solution. Given the many implications of this issue, Congress should not rush to a decision based on one difficult case. Cooler heads and deliberation should prevail.
- Consider a commission to study the issue of encryption and the going dark problem. This commission would help Congress and all interested parties to discern what the technical realities are, what the benefits and risks of encryption are, and what the consequences of action or inaction on this issue are. While this commission would not help the FBI right now, it is worth the time to understand this complex issue. Some of these arguments and challenges will not have easy solutions, but a well-balanced commission will provide policymakers with the facts they need to make an informed judgement.
- Maintain essential counterterrorism tools. Support for important investigative tools is essential to maintaining the security of the U.S. and combating terrorist threats. Legitimate government surveillance programs are also a vital component of U.S. national security and should be allowed to continue. The need for effective counterterrorism operations does not relieve the government of its obligation to follow the law and respect individual privacy and liberty. In the American system, the government must do both equally well.
The encryption debate is an important one to have. Factual clarity and an understanding of various perspectives and arguments are important to developing beneficial policies. A commission to study this important but complicated issue would provide such clarity and create the forum for wrestling with important priorities. The deliberate way forward presents a path for advancing policy that will protect the American people and their devices.
—David Inserra is a Policy Analyst for Homeland Security and Cyber Policy in the Douglas and Sarah Allison Center for Foreign Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation. James Jay Carafano, PhD, is Vice President of the Davis Institute and E. W. Richardson Fellow at The Heritage Foundation. Charles D. Stimson is Manager of the National Security Law Program and Senior Legal Fellow in the Davis Institute. Steven P. Bucci, PhD, is Director of the Allison Center. David Shedd is Visiting Distinguished Fellow in the Davis Institute. Paul Rosenzweig is a Visiting Fellow in the Davis Institute.