Regulatory, Reputational and Techno-Legal Considerations Facing Employers and Government in the Smartphone Era

By: Vincent T. Cieslik, Esq. and Samantha J. Vander Wielen, Esq.

Over the past few months, a struggle for control over smart phone technology has emerged in federal courts in both New York and California.  In the midst of investigations into the San Bernardino mass shooting and in a drug case in New York, a new legal battle has erupted over the lengths the government may go to in compelling a private company, in this case Apple, to assist it in cracking a smart phone device to further a criminal investigation being conducted by the government.  Curiously, in the New York case Apple initially assisted the government in its investigation but only after the Magistrate Judge raised his own concerns, and solicited feedback from Apple, did Apple then vigorously oppose the Government’s request for “i-access” to the smart phone of a criminal.

For those of who read “Steve Jobs” by Walter Isaacson or saw the movie starring Michael Fassbender and Kate Winslet, you can easily imagine the fun Jobs would have had taking on the federal government, had he been alive and still at the helm of Apple.  Going off on a tangent here, but the book was fantastic and Isaacson provides incredible insight into Steve Jobs the man, providing the good, the bad and the ugly regarding Apple’s co-founder.  The movie was also fairly compelling, in a sort of action-drama style format where Job’s rants and idiosyncratic character traits (and flaws) were on full display.

But Apple now has its own new place in legal history, beyond literature and cinema, in a courtroom drama that has played out in federal courts across the country.  Ironically, flashy and interesting characters are not the subject of this legal drama, which instead has required the courts in New York and California to focus on an arcane statute, the All Writs Act — a 227 year-old law passed by our Founding Fathers.  The ancient All Writs Act was intended to assist the courts as a gap filler when no other federal statute applied – which now stage front stage with very current technological and legal issues which private sector American businesses may have never considered before.  Before iOS 8, the operating system which was introduced by Apple in 2014, Apple was able to extract important iPhone data and provide it to government officials in the course of their criminal investigations.  Apple and other providers routinely assisted the state or federal governments by providing access to their telephone technology and smart phones to assit the flow of information necessary to criminal investigations.  Following the introduction of iOS 8 in 2014, and the subsequent release of iOS 9, Apple claims it is no longer able to extract that same data because the data is now encrypted with a password protected 4-digit code that is selected by the user or operator of the iPhone itself.  Since Apple no longer has access to what a user’s 4-digit code is, only the user has access to the phone and its encrypted data.  Unless an employer had adopted a policy which required the employee to register login information with the company (which is often not the case prior to today), the investigators cannot break into a smart phone without the technology giant’s assistance.

For example, the San Bernandino investigation was hampered by the fact that the San Bernardino County technology team conducted an auto reset of the password to the phone in an attempt to gain access to information.  In the process, they eliminated the possibility of performing an iCloud backup of the iPhone.  Had the phone been taken to a location where it recognized the Wi-Fi network, like the alleged shooter’s home, it could have been backed up to iCloud and far more information could have been accessed at that time.  Thus, by re-setting the password before it was backed up, the investigation was limited in what it could search without the intervention and assistance by Apple following the iOS 9 software implementation.  Without Apple’s assistance to create a “back door” to the software, the investigation would be limited.  In addition to this miscue by the County, which may or may not have been at the investigator’s request, it is possible that the owner had disabled the auto back up function on the phone in an effort to avoid the iCloud backup function to hide evidence of the crime.  An employee’s ability to control his or her own encrypted data and iPhone raises several issues for public and private employers.

First, what types of protocols should public or private employers require for regular backups and password registrations?  While employees of public and private employers often take their smartphones with them wherever they go, who has the responsibility for regularly backing up the device to ensure that data is not lost?  As a business owner, do you know who owns or control the encrypted data contained on an iPhone you provide to an employee or, alternatively, an iPhone for which your company pays the monthly bill?  Does your employee handbook address such ownership issues? Had the County required a regular backup of the iPhone, this situation may not have occurred, as the information may have already been stored by the County, who owned the iPhone device.   Alternatively, had the County required that employees use a County-issued Apple username ID and password, the County would have been able to easily access much of the information it sought without destroying the phone or its data.

Second, the County was forced to auto reset the password.  Does this mean the County did not have the County employee’s password?  If it had the employee’s password, could it have avoided the auto reset procedure?  If not, why not?  Should public and/or private employers require their employees to register their passwords or only be able to use passwords that are provided and set by the employer?  As an employer, do you address this with your employees?  Do you have written rules regarding use of your employer-issued device?

Third, where is the line between public and private use of a smartphone given to a public employee?  Does the public use mean that the smartphone is subject to review, inspection, and evaluation by the county or public agency’s technology team?  Practically speaking, a phone is not like a government or corporate-issued vehicle, where the “rules of the road” can be clearly delineated and company versus personal use can be easily defined.  This may be reason for an employer to ban the use of a company or employer-issued smartphone for personal use, thus forcing employees to obtain a second, personal iPhone or other smartphone device for non-work related communications.

Fourth, considering public agencies and governments serve the public and public interests, do these public entities bear different responsibilities for evaluating the use of their smart phones to police usage that could potentially be criminal?  What protections should public or private employers have in place for security, passwords, usage, etc. which can provide safeguards against use for wrongful and criminal enterprises?
Further, for companies that are involved in information technology, where is the line between protection of the company’s brand, its software products, and its reputation for protecting consumers from theft and intrusion versus its obligation as a good citizen to assist the government in investigating serious crimes such as mass shootings and drug distribution?  It appears that Apple assisted the government on many similar requests for access to stored information and/or back up on iPhones for years prior to this current dispute.  Apple noted recently that it has received many more requests from government to assist with discovery into its smartphones since the New York and San Bernardino issues came to light, illustrating its concern that its business interests in protecting its consumers’ information puts it on a collision course with these criminal investigations.

Finally, should employers enact new provisions for their employment handbooks to cover these policies, and enforcement of them?  If anything, employers and businesses should make it as clear as possible who owns the company or employer-issued iPhone, as well as its password, data and encrypted information. Public and private employers alike should consider these issues, and their impact on the current business and operations.  Changes may need to be made to corporate policies and procedures, and to handbook technology and privacy provisions, to keep track with fast changing technology and times.

As you may have read, the FBI recently announced that it was able to access the alleged San Bernardino shooter’s iPhone without Apple’s assistance.  Instead, the FBI was assisted by an undisclosed third party company.  Despite having been able to unlock the iPhone at issue in California, the United States Department of Justice is pushing forward in its demands that Apple and other smart phone makers assist it in unlocking phones linked to criminal conduct.  So, the battle is not over.  In fact, it may have just begun.  As we continue to see legal battles play out across the country, we will see issues of national security, privacy, and the government’s role in each be at the forefront of the conversation.  In the meantime, you should consider the issues that are raised by the access, or lack thereof, you may or may not have to your employees’ iPhone or other devices and devise a plan to address what you would do if faced with the need to unlock one in case of emergency, investigation, or even national security.