Locked iPhones, Apple, and changing law

Apple is in the midst of a very public legal defence of the human right to privacy, and the world’s right to electronic security. However, this battle is almost lost: not in the USA, but because of changes which are in progress in the UK.

The UK government, ignoring almost all the expert technical and legal advice put to it, is pressing ahead with its draconian Investigatory Powers Bill, due to undergo its second reading in the House of Commons in a week’s time. Let us suppose that this Bill, as currently before Parliament, were to come into force as it stands, becoming the Investigatory Powers Act 2016 (IPA).

It contains many invasive, oppressive, perhaps even totalitarian provisions, but as ever, the legislators have buried its greatest powers in some of its more subtle measures: in this case, what it terms the ‘technical capability notice’. Sooner, rather than later, one of the law enforcement or security agencies will have an iPhone which is locked, much as is the case in the US. How might they use the IPA to address that situation?

The first question is who those agencies can turn to, in their quest to access the information on the locked iPhone.

The IPA buries its key definitions back in section 223. There it is clear that all those who offer any service which transfers electronic data (of almost any and every kind) which is in any part provided in the UK are deemed to be “telecommunications operators”, and thus come within the scope of the Act. The definitions are sufficiently loose as to encompass those providing the hardware, software, and services. This includes not only Apple, but Facebook and Twitter, anyone offering mail client or messaging software, even perhaps those who operate online discussion forums and the like.

The next question is how the IPA would be used to gain access to locked iPhones. Although individual applications could be made by the agencies to gain such access, the Act provides for a much more powerful mechanism, under which Apple would be required to provide a ‘technical capability’ to unlock iPhones.

Under this, the law enforcement agencies will request the Secretary of State to serve a ‘technical capability notice’ on Apple under section 217, or (less likely) a ‘national security notice’ under section 216. The former would impose a legal obligation on Apple to provide the agencies with a backdoor to unlock locked iPhones, or to provide the agencies with a service to unlock locked iPhones. Either way the Secretary of State is required to consult with – but not to be directed by – a Technical Advisory Board and Apple.

There is no provision for judicial review of such technical capability notices. The only limitations are that they are “steps which the Secretary of State considers to be necessary for securing that the person has the capability to provide any assistance which the person may be required to provide in relation to any relevant authorisation” (217 (6)). Whilst the Secretary of State “must in particular take into account the technical feasibility, and likely cost, of complying with those obligations”, there is no scope for the legal review of the consequences of any obligations (218 (4)).

Furthermore, neither Apple nor any of its employees would be able to reveal “the existence or contents of the notice”, “except with the permission of the Secretary of State” (218 (8)). However, Apple must comply with the notice, or face civil proceedings for a court injunction (218 (10)).

The only right of appeal against a technical capability notice is to refer the notice back, which requires the Secretary of State to review it following “consultation” with the Technical Advisory Board – who are constrained to consider only the technical requirements and financial consequences for Apple – and the Investigatory Powers Commissioner – who is constrained to consider only whether the notice is “proportionate” (220).

Even if its recommendations were made binding on the Secretary of State (which they are not), the Technical Advisory Board is appointed by them (211), and has neither the membership nor any remit to consider legal matters. Although it is required to include some members to represent the interests of those organisations on whom technical capability notices might be served, it is also required to include others representing organisations wanting the service of those notices.

The Act does not provide any statutory limits to what can be demanded by technical capability notices. Their processes can take place in absolute secrecy, away from checks and balances, and the oversight of the justice system. They are the perfect tool for a despot.

So what would happen is that Apple finds itself being compelled, under total secrecy, to provide the means to unlock locked iPhones, unless the carefully selected members of the Technical Advisory Board were to be able to convince the Secretary of State that this was a technically impossible task. Judging by the Secretary of State’s open-mindedness about the IPA, that would appear to be as improbable as getting Donald Trump to go on the Hajj.

There is, of course, the possibility that Apple could appeal the notice further, but the IPA clearly does not envisage that, and how this could occur under the cloak of secrecy is, well, secret.

Once Apple has been compelled in complete secrecy to provide a means to unlock iPhones in the UK, the UK security agencies would of course be happy to pass information about that to their US equivalents, who would then use that as a lever against Apple to force it to provide the same facilities in the US. Apple’s staunch defence would be shattered, and Pandora’s Box blown open.

We all stand to lose a great deal if the UK’s Investigatory Powers Bill were to become law in its present form. It is not about fighting crime or terrorism; it is a pernicious tool for mass and individual surveillance which would, in time, destroy the very fabric of trust on which the Internet depends.