Apple’s strong support of user privacy — specifically including end-to-end encryption uncrackable by the government — could be setting the company up for civil suits based on the Antiterrorism Act and other laws, a legal blog has noted in a series of controversial posts. Writing for Lawfare, Benjamin Wittes and Zoe Bedell penned a two-part article suggesting that Apple’s encryption practices could, under specific circumstances, be found by a court to have “violated the criminal prohibition against material support for terrorism.” Apple could then be held responsible for foreseeable resulting damages to victims. As Wittes and Bedell concede, the article has provoked strong reactions from privacy advocates, decrying its conclusions.
Particular trouble would arise if Apple was served with either a Title III or FISA warrant to access encrypted communications, Wittes and Bedell claim. If so, the company would be on notice that an individual under investigation for national security reasons was using Apple technology to further his aims, and if Apple refused to comply with the warrant, it would be showing indifference to the risk that it was assisting a terrorist. That indifference could make Apple liable for civil damages resulting from “any act of international terrorism” committed by the suspect.
Wittes and Bedell say that they “are not endorsing any of these theories either for adoption by the courts or for congressional imposition,” but mention that “Apple has leaned very far forward in the marketing of its encryption,” and “positively boasts about being law enforcement-proof.” While they note that Apple would have numerous potential defenses if sued either for negligence or violation of the Antiterrorism Act, they also suggest that Apple’s bold encryption policies are creating new risks that society needs to consider, and Congress may need to regulate.
FTC: We use income earning auto affiliate links. More.
There are a lot of “ifs” in that article. Apple has a building full of lawyers, and hires the best outside counsel money can buy. Am I really supposed to assume that Apple is going to continue providing services to an entity that the government has designated a terrorist? I think they would suspend service until they could sort the matter out in the courts.
How are you supposed to prove intent, as required by the statute? Is there proof somewhere that Apple designed its encryption system mainly, or even incidentally, to assist terrorists? I’ve never seen or heard of any such evidence. I assume there’s a lot more money in providing encryption and privacy services to everyone, not just terrorists.
These two writers, one of them a student at Harvard Law, are suggesting that a software company which has encryption as a feature would be held liable for terrorism. This is absurd, and so far as I know, it’s never happened. It would be like blaming Facebook because someone posted hate speech, blaming an ISP because one of its customers transmitted child pornography. PGP was never held accountable for this, and they were the first to have their feet held to the fire.
No court is ever going to hold that Apple intentionally aided terrorists, because it’s far more likely (and provable) that Apple provided the encryption to help everyone, and the terrorists were just ancillary beneficiaries of that program.
I would go so far as to lable any civil litigation against Apple, or any company, under such statute as a frivolous lawsuit. It’s just ridiculous.
I personally agree with a lot of what you’re saying, as well as the emotional thrust of your comment. But there are a couple of key details that complicate the story, including that the law apparently requires Apple to continue providing services rather than interrupting them (tipping off the subject of investigation), and that intent here would be shown by indifference to a national security-specific warrant.
The circumstances suggesting liability were written like law school exam hypotheticals, so the actual risk that Apple would be held civilly liable isn’t just dependent on very bad facts, but also on interpretations of both legislation and case law that probably wouldn’t play out in a real trial. However, the concern is that Congress — armed by these articles with fact patterns that suggest Apple could/should be held responsible if its encryption shielded communications in a manner that traditional telephones/communications protocols would not — will use this as a stepping-off point to bring pressure upon Apple to allow law enforcement access to its data. In other words, the risk is that what we might consider a ‘frivolous’ lawsuit now would be expressly allowed by Congress, or by state legislators for the tort/negligence suits suggested in the first Lawfare article.
Those are good points, but what happens when Congress tries to pass a law banning encryption, or requiring key escrow, or multiple keys? Microsoft, Facebook, Google, and Apple all crank up their lobbying efforts, threatening to cut off future lobbying money if such a law is passed.
There is already much discussion about this. Is the US going to provide the escrowed keys to China? When it doesn’t, does China block all sites and traffic from US companies using those escrowed keys? It’s a slippery slope, and a law like this could ultimately break the Internet for everyone.
Maybe this is just a shakedown for more campaign contributions by Congress. “Hey Apple, start making campaign contributions or we’ll destroy encryption and leave you liable.”
Some lawyers those bloggers are. If they were worth the amount of their suits, they would be suing the U.S. Government for violating every citizen’s 4th Amendment Rights,
What are you talking about? The US surveillance program has been litigated many times and has been found to comport with the 4th Amendment. The courts decide what is constitutional.
I’m in favour of this approach.
Apple and other billion dollar corporations have cynically used blocking security services as a marketing ploy, despite repeated warnings of the danger.
Lets say in some future incident multiple people are dead and permanently injured. Security services recover the attackers phone/computer. Multiple messages, prior to the attack, discuss the attack in detail. Security services should release this information and actively cooperate with victims and the relatives of the dead in their civil case.
In the UK there is talk of bans – but this approach of allowing civil law to hit the corporations pockets would be much more effective.
Think PanAm and Lockerbie – ignore warnings, people die, get sued. Seen any PanAm planes lately?
A small incident would not bankrupt the likes of Apple, but it would finish smaller firms. 3000 dead in another 9-11? Maybe even Apple would hurt from that.
(I’m in favour of good security against criminals. I’m in favour of controls against routine snooping by government. Blocking law enforcement and security services even when they have a warrant – irresponsible and greedy)
And, by your argument, what if some terrorist is found to have used the United States Postal Service as a vehicle to spread the plans for a terrorist attack that is responsible for loss of property and life. Will those victims be able to sue the USPS / US Government for allowing that action to have taken place via the US Mail system?
Perhaps – just perhaps – IF the courts were to realize what they need to do to protect the US Citizens rights and not knuckle under to all the FUD that our “Government” was spreading; require court orders for surveillance on US citizens and do away with the Mass Sweeping that the NSA and other secret, taxpayer funded agencies routinely carry out – then maybe I’d see some value to your argument. Until then – you are just another person who is willing to let the US Government chip away at your rights as a citizen. Welcome to Nazi Germany in the late-30’s.
And – as far as Lockerbie – there weren’t any of the “smart devices” that we have today – it COULD have been carried out via snail mail. And Pan Am was in deep financial problems before that tragedy ever occurred. Get your facts straight and stop spreading FUD!
If terrorists are believed to be using a postal services then law enforcement present the post service with a warrant and they allow interception. What the global tech corporations are doing is deliberately thwarting that process, despite warnings that this is allowing their systems to be used by terrorists. If a postal service did that, then yes let any victims sue them.
Mass interception is a different matter – I’m talking about corporations deliberately blocking interception which has legal basis.
Someone reading an iMessage the same as nazi Germany? – that is somewhere between ridiculous and offensive.
PanAm got sued because they were given clear warnings about terrorist activity and failed to act on them, leading to fatalities. I didn’t say anything about ‘smart devices’ The principle is clear.
I say change statute law to create a liability for the tech corporations. Let the civil courts deal with it if anyone dies or is injured.
The problem in your argument (and most of them in this article and it’s comments) is that everyone seems to be under the impression that Apple is actively blocking LE/Government access, or refusing to comply. Apple has repeatedly pointed out that the system was built without a method for them to do what these kind of warrants want. Apple isn’t refusing to decrypt the content, it designed the system in such a way that it physically doesn’t have the ability to decrypt the content. It is encrypted by the device itself with a custom key that only the designated recipient device has, and travels over the iCloud system fully encrypted. If you send an iMessage to someone with an iPhone, iPad and MacBook, then three copies of that message, all separately and uniquely encrypted, are transmitted.
So in the original theory presented, there is nothing to be able to say that Apple failed to react to, because the capability/methodology just isn’t there.
(You can read Apple’s official explanation of how their security system works here: http://www.apple.com/business/docs/iOS_Security_Guide.pdf
Hi djfriar – yes, I’m aware of that.
Apple – and other service providers – would need to change their systems to allow access on lawful basis.
I’m not in favour of routine or mass access by anyone.
If they know there is a threat to life due to the way they have deliberately set up their service then they need to change it.