A dispute over the interpretation of a California court order may have far-reaching implications for non-litigants in civil matters.
On February 16, 2016, a Federal Court in California ordered that Apple Computers Inc. (“Apple”) provide technical assistance to the FBI in gaining access to a 2013 iPhone 5C. That iPhone belonged to one of two attackers who killed 14 people in San Bernardino California this past December. The FBI suspects that there may be evidence on the phone of, among other things, direct contact by the attacker with the ISIS terrorist group.
Apple is resisting an interpretation of the order requiring it to create the means by which its own security and encryption protocols may be overridden. The moving party, the U.S. Government, says that any such technique will only be used in one narrow circumstance.
Apple strongly objects to the FBI request, saying that once such a technique is created, there is no way to stop its broader use by cybercriminals and others. It argues that the FBI’s interpretation of the order would require Apple to create a “backdoor” for law enforcement to circumvent customer privacy and data security. In a 1,100 word open letter released on the same day as the order, Apple outlined its concerns over the order’s broader implications, taking the position that the order would require Apple to create a “master key capable of opening hundreds of millions of locks,” compromising customer privacy. It contends that it is being “forced to expose its customers to a greater risk of attack.” The company also emphasizes the breach of customer expectations that the FBI’s interpretation of the order would cause, noting: “[c]ustomers expect Apple and other technology companies to do everything in our power to protect their personal information...”
Implications for non-litigants in civil matters
The case in which this order arose is a U.S. criminal matter, but the precedent will have implications for Canadian civil proceedings. Canadian courts have expressed an increasing willingness to assert jurisdiction over technology companies who do business in Canada, even where they have no physical presence in the province and are not parties to the dispute. While courts have generally been more reluctant to impose positive obligations (i.e. mandatory orders) than prohibitions on actions (i.e. injunctions), the distinction blurs where an order not to do something requires the subject of an order to take positive steps—to invest money and manpower. For example, Canadian courts have ordered an internet search engine company that was a bystander to a commercial dispute to take steps to block search results for a defendant’s websites. An order requiring a technology company to unlock its own device to assist law enforcement or provide evidence in civil disputes would seem to be little further along a continuum of positive assistance. Moreover, courts routinely order non-litigant companies providing online services to retrieve and divulge customer records, and allow those companies’ witnesses to be subpoenaed to explain the contents of those records. These are positive obligations in themselves.
The implications of Apple-like “backdoor” orders for customers of companies handling sensitive data are obvious and are receiving due attention in the media. Less obvious are the implications for the companies themselves. These could include the following:
- Loss of competitive advantage: For companies for whom superior privacy and data security are integral to their brand, such orders may weaken customer loyalty and decrease the relative importance of privacy and security concerns in brand selection. (If no company is safe from such orders, why pay more for the most “secure” brand?)
- Chilling effect on customer sharing: Knowing their data may be made public or at least potentially available to law enforcement and the courts may make customers reticent about sharing personal information with online services providers, retailers, and other companies transacting business over the web. Such companies depend on customers’ willingness to share freely with them.
- Potential civil liability: Given the problems governments have had with data security, it is not difficult to imagine data being made available to police, government agencies, etc. and subsequently released via hacker attack. The possibility of customer information somehow becoming broadly available via a mechanism developed by companies—even at the insistence of a court—could expose such companies to individual or class action claims for breach of contract and in tort, however spurious.
- Burden of compliance: Finally, there is the cost to companies in complying with such orders. While the cost may seem negligible to Apple-sized entities, many online enterprises are thinly staffed and operate with minimal resources. The reasonable cost of compliance with such orders would most likely be refunded by parties to the disputes (the Apple order implies Apple will be compensated by the U.S. Government, for example), but this will be of little comfort to companies lacking the human or other resources to allocate to the task.
As of the date of publication of this article, senior U.S. lawmakers have begun to voice a commitment to resolving the access issues through legislation. Whether resolved by the legislature or the courts, the path taken in the U.S. will have ramifications for how these issues will be managed in Canada.