Would Apple have to crack an iPhone’s security in Poland?
A software manufacturer’s role in criminal investigations and hacking its own programming
Under Poland’s Criminal Procedure Code, the holder of IT data is required to turn over the data, e.g. concerning the user of a device, at the demand of the competent authorities. But does this apply only to unencrypted data, or also to encrypted data, which to understand would require the holder to decode its own software? Let’s crack this conundrum using the example of the recently publicised American case of Apple Inc.
What was Apple asked to do?
In December 2015, terrorists in an attack in San Bernardino, California, were shot dead by the police. Investigators seeking to identify other people connected with the attack sought access to a smartphone carried by one of the attackers—an Apple iPhone 5C with operating system iOS 9. The telephone’s system was secured by a four-digit code, however, and after nine incorrect attempts to enter the code the access to the encrypted data on the device is permanently blocked.
Consequently the federal government applied to the court for an order requiring Apple to assist in cracking the security of its own telephone. The FBI wanted Apple to develop software (an update to the phone’s existing programming) that would turn off the security and allow an unlimited number of attempts to break the code. Then, after the FBI obtained the data, Apple could remove the new programming.
The federal district court ordered Apple to provide “reasonable technical assistance,” and Apple appealed. In the meantime, the FBI hired a private firm that managed to crack the security, and consequently the proceedings against Apple were dropped.
What if it were in Poland?
How would such a dispute go if a similar situation arose here? Would the Polish regulations provide any right to demand such encrypted data?
Formally, it appears that investigators would not need to obtain a court order—an order issued by the prosecutor heading the case, directed to the producer of the software, would suffice. After such an order were issued, the prosecutor would no doubt have to apply to the competent American authorities for international legal assistance in criminal proceedings, under the relevant treaty between Poland and the United States.
The prosecutor’s order could indicate as the legal basis Art. 217 §1 in connection with Art. 236a of the Criminal Procedure Code, which is included in the chapter governing turning over or compulsory requisition of objects. These provisions apply not only to physical items, but also for example to IT data stored in a device, system or carrier. On this basis, the law enforcement authorities can demand that the holder or user of an IT system release for example a list of connections or a record of specific messages.
For purposes of these regulations, the holder is the person authorised to control the system in his or her discretion, e.g. the owner or administrator of the system. The system must be within the holder’s control, but not necessarily physical control, which means that the data can be obtained remotely (A. Lach, “Gathering electronic evidence after amendment of the Criminal Procedure Code,” Prokuratura i Prawo 10/2003, pp. 16–25). It cannot be ruled out that Apple would be found to be such a holder for purposes of the Polish regulations.
Could the prosecutor order creation of software?
The question then arises whether this provision would authorise the investigators to demand that Apple write software that would crack the security and release the encrypted data. Unfortunately, the answer is not entirely clear.
On one hand, it might be claimed that the producer of software is capable of delivering the data, whether they are “ready” or encrypted, i.e. requiring certain decryption measures. On this assumption, it could also be argued that the producer of the software can select for itself the method for recovering the data (e.g. cracking its own security or creating a decryption update to the software).
Such an argument would be particularly compelling in the case of manufacturers who have intentionally left a “backdoor” in their software or have the technical ability to update the software remotely. The possibility of remote changes to the software supports a finding that the manufacturer is at all times the holder of the data, and obtaining and releasing the data is merely a technical question.
On the other hand, this approach is controversial, for example because of restrictions in the Telecommunications Law and purely practical limitations, such as the significant costs the producer might have to incur. Decryption of data, and subsequently turning it over, would require great initiative from the addressee of the order, which could raise doubts under Art. 217 §1 in connection with Art. 236a of the Criminal Procedure Code.
So for now the answer to the question raised in the title must be that we do not know. The doubts may ultimately be dispelled through the practice of the competent law enforcement authorities.
Wojciech Rzepiński, New Technologies Practice, Wardyński & Partners
The article is a part of the New Technologies Newsletter, May 2016