According to these reports, the government has invoked the All Writs Act in order to compel the assistance of smartphone manufacturers in unlocking devices pursuant to a search warrant. The reports are based on orders from federal magistrate judges in Oakland and New York City issued to Apple and another unnamed manufacturer (possibly also Apple) respectively, requiring them to bypass the lock screen on seized phones and enable law enforcement access.
These reports come at an interesting time. Both Apple and Google have announced expanded encryption in their mobile operating systems. If a device is running the latest version of iOS or Android, neither company will be able to bypass a user's PIN or password and unlock a phone, even if the government gets a court order asking it to do so. The announcements by Apple and Google have in turn led to calls for "golden keys"—hypothetical backdoors in devices intended to allow only law enforcement to access them. As we've explained, we think these proposals to create backdoors totally misunderstand the technology and make for terrible policy.
Amid this prospect of a second "Cryptowar" is the lurking fear that the government might force unwilling companies to include backdoors in their products, even if they're not required by Congress to do so. We sometimes hear from jaded developers and others who think that all it would take to force a backdoor is one National Security Letter. While NSLs are unconstitutional, even the government admits that they can only be used to obtain limited information, which does not include forcing anyone to backdoor a product. Nevertheless, this fear is feeding some of the interest generated by the press reports about the government's invocation of All Writs Act in the unlocking cases.
So what is the All Writs Act, and why does it allow the government to bring in third parties like phone manufacturers to require them to help in an investigation? What are the limits of a court's power under the All Writs Act? Can it be used to force developers to build backdoors into their products?
EFF has been paying attention to the All Writs Act for a while, though not quite since its enactment in 1789. As we explained in 2005, the Act gives federal courts the authority to issue the writs (court orders) that are "necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law." In other words, it's an all-purpose law that allows courts to require third parties' assistance to execute a prior order of the court. Using the Act to obtain assistance executing a search warrant is relatively common, and the Supreme Court has sanctioned the Act's use to order a telephone company to help install a pen register.Lower courts have used the Act in analogous situations, such as forcing suspects to decrypt their personal devices pursuant to a search warrant.
However, as our earlier post notes, the Supreme Court has set out limits to the Act: A court cannot use it to bypass other laws or the Constitution, nor can it require third parties to assist in ways that would be "unreasonably burdensome." Back in 2005, a federal judge issued a forceful rejection of the argument that the All Writs Act could be used to compel a provider to allow the tracking of a cell phone in real time without a search warrant.
Unlocking, Decryption, and Backdoors
In the recent cases requiring manufacturers to unlock phones pursuant to a search warrant, both judges made clear that their orders were narrow. The New York federal court allowed the company an opportunity to object if the order was unduly burdensome, while the federal court in Oakland explicitly stated that "Apple is not required to attempt to decrypt, or otherwise enable law enforcement's attempt to access any encrypted data."
It bears remembering that in both cases, the government had already obtained search warrants for the phones. Thus, the government was invoking the All Writs Act in these cases to effectuate the warrants, which don't themselves command the companies to do anything. The Act is the mechanism for getting the companies' assistance. Presumably, these orders concerned phones that the companies were capable of unlocking, though we don't know for sure.
If, on the other hand, the companies simply could not unlock the phones (as would probably be the case for the most recent versions of iOS and Android), the companies would bring that to the court's attention and that would likely be the end of the matter. A similar dynamic might play out if law enforcement obtained a warrant for an encrypted phone and sought to use the Act to compel a third party to decrypt it, though the third party might raise different arguments on the burden and legality of such an order.
This brings us to the specter of compelled backdoors. Simply put, the government cannot use an authority like the All Writs Act to force a company to backdoor its product. Compelling a company to re-engineer a product designed to provide robust encryption is the definition of unreasonably burdensome because it undermines the basic purpose of the product. What's more, forcing the installation of a generalized backdoor is not "in aid of the court's jurisdiction," since the court would be reaching beyond the specific targeted search to a generalized backdoor. Finally, there are significant arguments that using the Act this way would run afoul of statutory law—particularly the Communications Assistance for Law Enforcement Act—and the Constitution. It's very hard to imagine a court buying such a request.
As we've said before, we applaud companies that are standing up for their customers' security. Developers should be able to build strong encryption into their products without a government-mandated backdoor. If the government presents an order to the contrary, please reach out to email@example.com.
 As a small note, even in iOS 7, mail stored on an iPhone is encrypted, so a court's order compelling Apple to unlock such a phone would result in the decryption of the stored emails.
 However, it may be a different story if the product does not require re-engineering, that is if a backdoor already exists.