Showing posts with label Apple. Show all posts

Thursday, September 25, 2014

Keep Your Government & Corporate Hands Off My Passwords

You may have heard that Apple has implemented a robust new security feature with its latest mobile operating system: the phone's data is now encrypted by default, and Apple retains no record of your passcode or other "backdoor." As a result, Apple cannot "unlock" your phone, even if it has physical possession of the phone, and even if it is served with a lawful warrant or subpoena. It's simply "technically infeasible" for Apple to comply. Law enforcement might as well send the iPhone to Google, which probably is just as likely to have a record of your iPhone passcode somewhere in its vast treasure trove of data about you.

There's nothing nefarious or even new about this, as this has been the standard for encrypted hard drives since forever. I'm writing this post on a 2010 MacBook Pro (with upgraded RAM and SSD drive, I might add!), and its hard drive is encrypted using Apple's standard FileVault utility. Apple offers to keep a copy of your recovery key, but it's not required. If you care about having a truly secure computer, especially as a lawyer, you decline the offer like I did.

But because lots of people have iPhones, important people have noticed the change in Apple's default iPhone security settings, and some of them are freaking out. Most notably, Professor Orin Kerr—a well-respected and influential 4th Amendment scholar who blogs at Volokh Conspiracy—called Apple's move a "dangerous game" that would "thwart" lawful warrants and probably lead to reactionary legislation far worse for privacy interests and civil liberties than simply letting Apple store a copy of your passcode.

I had a lot of thoughts in response to Prof. Kerr's post, but I'm a terrible blogger so the vast majority of them have already been ably expressed by others:
  • Julian Sanchez detailed all the ways in which Apple's move is nothing new, so presents no shift in the overall "equilibrium" between privacy and law enforcement interests, and certainly is not in derogation of the public interest.
  • Matthew Green at Slate did the same, pointing out in particular how any ability we give the US government can be used equally by less friendly governments.
  • Windypundit explained how any backdoor Apple can exploit for the government is a backdoor bad guys can exploit. 
  • Kerr himself has admirably walked back from his original overreaction ("very troubling") to a more scholarly investigatory mode ("need more information to decide" and "where do you draw the line?").
I recommend you read all these responses. But there are a few things I think have been left unsaid.

Kerr's Sense of "Public Interest" is ... Very Troubling

Kerr's original reaction was based on his inability to imagine how Apple's change (encryption by default plus no backdoor) could possibly be in the "public interest." This only reveals either his impoverished imagination or his perverted sense of the "public interest." Others (above) have adequately exposed his lack of imagination, but the deeper problem, I think, is that his sense of the public interest essentially boils down to "law enforcement interests." The fact that Apple's change will make tens of millions of Americans more secure in their papers, effects, documents, photos, etc., apparently doesn't register for Kerr as something that could possibly count as in the public interest. That's really weird. Maybe this is a cheap shot, but Kerr's mindset makes it hard for me to imagine how the 4th Amendment's warrant requirement would meet his definition of the "public interest" if it were up for debate today.

Indeed, Kerr's initial response to Apple's move was suspicion because he thinks anything that makes warrants—the "gold standard" of privacy protection—less effective is presumed illegitimate. Apple's move therefore could not possibly be in the "public interest" because it would make it harder for law enforcement and counter-terrorist officials to crack cases, and Apple's old way already protected people from government snooping without a warrant.

But the existence of the 4th Amendment warrant requirement proves that there is indeed a "public interest" in respecting people's privacy: making millions and millions of Americans more secure in their possessions adds up to an almost insurmountable public interest. Warrants are the minimum constitutional requirement for an invasion of privacy.  It does not follow that there is no freestanding public interest in allowing people to maximize the security of their own possessions. 

Consider, for example, a law that imposed criminal penalties for the destruction of any electronic documents. From Kerr's perspective, this would seem to be obviously beneficial to the public interest. After all, allowing people to destroy documents makes it inevitably less likely that future crimes will be solved. And all of these documents would be protected from government snooping without a valid warrant, and nowadays there's no practical limitation to the number of documents that a person can store so there's no legitimate reason to destroy an electronic document.

Perhaps there's some basis for finding such a law unconstitutional, but my belief is that most people confronted with such a proposal would recoil in terror at such an intrusion on their privacy and autonomy. Such a law, which would decrease the "private interests" of millions, has a huge bar to clear to be considered in the "public interest" overall because for the most part the public interest is just the sum of private interests. And I think this analysis applies almost directly to the question of any policy to make mobile phones less secure than is technically feasible (which is what Kerr's conception of the public interest would require).

If Backdoors are in the Public Interest, Why Require Private Companies to Possess Them?

Now let's consider what would seem to be the natural response if you accept Kerr's premise that Apple's move is in derogation of the public interest: legislation to fix it. That's how we usually advance public interests. He proposes a simple amendment to a 90s law that essentially required cell-phone makers to let law enforcement tap them. Kerr thinks we'll see a movement to change that law just to require smartphone manufacturers to keep a backdoor or a copy of your decryption key so they can crack open a phone's data if served with a lawful warrant.

But even if Kerr is right that it's in the public interest for law enforcement to have this capability (he's not, of course), it's unclear to me why the answer is that people should be forced by government mandate to trust private, profit-maximizing companies with their secrets. I'm aware of no analogous legislation, and I think it would be quite radical.

Instead, if we really think it's in the public interest for all smartphones to be crackable by government, any "key escrow" should be in public hands. In other words, the legislation should require smartphone passwords to be registered with the FBI or some other government agency. Maybe even the Supreme Court. Or maybe the legislation could require mobile operating systems to have a backdoor that only the government itself is allowed to access. The same rules would apply: e.g., law enforcement could only access this publicly held database of passwords with a lawful warrant.

Now, the black helicopter brigade will scream and moan—"Are you crazy!? Trusting the government with our secrets??" But this is a modest proposal. Would you rather trust a private corporation like Apple, or the public-spirited civil servants in the good ole United States government?

And of course it would be made a serious crime for anyone to access this data without a warrant or for any improper purpose. To some extent we have no choice but to trust the people in power, and wouldn't we rather this information be in the hands of public servants rather than private corporations, if we're going to force it to be in someone's hands? This would also alleviate the concerns about bad-guy foreign governments being able to serve warrants on Apple; they'd have no rights to the information held secure by Uncle Sam in its Fort Knox bunker.

Obviously, I'm trying to illustrate the absurdity of the proposed legislation. It strikes me as absurd to legislate that people register their passwords with the government. But it's obviously more absurd to require that they register their passwords with private companies. Isn't it?

    Wednesday, May 22, 2013

    Apple's taxes

    Tim Cook, Apple's CEO, testified in front of Congress the other day about Apple's tax-avoidance strategies. One of the main topics was the so-called "Double Irish" scheme, which Joe Nocera describes:
    This strategy, which was the primary focus of Tuesday’s hearing, involves setting up a shell subsidiary in an offshore tax haven — a k a Ireland — and transferring most of Apple’s intellectual property rights to the dummy subsidiary. The subsidiary, in turn, charges “royalties” that allows it to capture billions of dollars in what otherwise would be taxable profits in the United States. In Ireland, according to Apple, it pays an astonishing 2 percent in taxes, thanks to a deal it has with the government.
    Nocera thinks this is bad business for Ireland, somehow:
    Question for the government of Ireland: Do you really want your country to be known as an offshore tax haven? Indeed, at a time when your citizens are dealing with the pain of an austerity program, how can you justify allowing Apple to pay virtually no taxes on a subsidiary established solely to avoid taxes in the United States? Just wondering. 
    These kinds of rhetorical questions often mask stupid arguments, and that is true here. In fact, Ireland has nothing to lose by allowing Apple to do this. As noted in Nocera's column, Apple has no employees and no offices in Ireland. Yet it pays taxes there! Nocera says it is "an astonishing 2 percent," which he later calls "virtually no taxes." But two percent of a very big number is a very big number. Apparently Apple pays 2 percent of its IP royalties to the government of Ireland. I would say that is astonishing indeed—and a great deal for Ireland.

    So to answer Nocera's question directly: Ireland can justify allowing Apple to pay virtually no taxes because virtually no taxes is better than actually no taxes. Isn't this pretty obvious? Just wondering.

    Wednesday, April 11, 2012

    Apple owns "pod"

    [Note: Blogger ate this post when I first tried to publish it, so I am redoing it. You might notice, however, that my heart is no longer in it.]

    As I happen to know from personal experience, Apple aggressively defends its trademark rights. One example is its opposition to a startup company's attempt to register the mark "Video Pod" to cover a small video projector.

    The company, Sector Labs, first filed for the mark all the way back in 2003. Eventually the USPTO allowed the mark and published it for opposition. Apple opposed, claiming that: (1) the mark is merely descriptive, and therefore not eligible for registration on the principal register; and (2) the mark is confusingly similar to its "iPod" marks.

    After years of litigation at the Trademark Trial & Appeal Board (TTAB) the case finally went to trial earlier this year. On March 19, the TTAB issued its decision, and it is a complete victory for Apple.

    The descriptiveness issue was a slam dunk for Apple. "Video" is clearly descriptive, so the question was whether "pod" added anything suggestive. But Sector Labs had admitted in discovery responses and in depositions that the word "pod" was meant to convey the projector's pod-like shape and appearance. Only after Apple began taunting Sector Labs with these admissions did they change their tune and claim to have been "inspired by the parallels between [the inventor's] dream of a family of video products and 'pods' of whales, or even a scene involving an 'escape pod' from the movie '2001: A Space Odyssey.'" The TTAB was not amused: "We find these tardy explanations to be most unconvincing."

    But the victory on the likelihood of confusion issue is actually much more important for Apple. The Board found that "iPod" is a famous mark, and therefore entitled to broad trademark protection. Apple can now use this precedential decision to hammer anyone who tries to use what Apple calls a "pod formative mark."

    Sector Labs can appeal the decision to federal court, but its prospects would be grim. It's time to just give in and admit it—Apple owns "pod."

    Monday, July 12, 2010

    Apple iTunes Software License

    Since I'm drafting some contracts these days, I'm paying more attention to the fine print in various licenses and contracts that occasionally pop up on my computer. Today iTunes decided that it wanted me to agree to a new license -- I think it was trying to auto-install an update, even though I don't use iTunes on this computer. I took a look at the software license, and was amused to read the following, in the paragraph about appropriate uses of the software:

    THE APPLE SOFTWARE IS NOT INTENDED FOR USE IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL SYSTEMS, LIFE SUPPORT MACHINES OR OTHER EQUIPMENT IN WHICH THE FAILURE OF THE APPLE SOFTWARE COULD LEAD TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL OR ENVIRONMENTAL DAMAGE.