- The FBI did not exhaust possible options before trying to compel Apple to unlock an iPhone used in a 2015 shooting.
- That’s according to a new report from a Department of Justice internal watchdog.
- The findings could weaken the government’s push for tech companies to build special tools for law enforcement to unlock smartphones.
Two years ago, the FBI was trying to extract all the data from the iPhone owned by Syed Farook, the gunman who killed 14 people during an attack in San Bernardino, California. There was one problem – the phone had a passcode and Farook had died in a shootout with the police. The FBI went to court to compel Apple, the maker of the iPhone 5C, to help it access the data.
Apple fought back, CEO Tim Cook posted an open letter on Apple.com, and the whole affair became international news before the FBI said that actually, it didn’t need Apple’s help to crack the device anyway – it found a vendor that could do the job.
Now, a new report from the Inspector General of the Justice Department takes a closer look at the internal FBI deliberations from those months in late 2015 and early 2016, and it even suggests that the FBI could have done more to break into the phone before trying to force Apple to help.
The report is full of acronyms and jargon, but one thing is clear – the FBI could have done more to exhaust all options before turning to Apple. Specifically, it should have checked with an internal group, called “Remote Operations Unit,” that works to build or buy tools to break into devices.
The technical group working with the investigation “should have checked with … trusted vendors for possible solutions before advising … that there was no other technical alternative and that compelling Apple’s assistance was necessary to search the Farook iPhone,” the report found.
Here’s a critical passage from the report:
“We believe all of these disconnects resulted in a delay in seeking and obtaining vendor assistance that ultimately proved fruitful, and that as a result of the belatedly-obtained technical solution, the government was required to withdraw from its previously stated position that it could not access the iPhone in this critical case, and by implication in other cases, without first compelling cooperation from the manufacturer.”
Basically – the group inside the FBI that breaks into mobile devices only began seeking outside assistance to crack the Farook iPhone right before the FBI demanded Apple’s help in February 2016. (The public still doesn’t know who was eventually able to crack the iPhone.)
The report was written because a senior FBI official was worried that both she and then-FBI Director James Comey may have given “inaccurate testimony to Congress on the FBI capabilities.”
The official, Amy Hess, was called “the woman in charge of the FBI’s most controversial high-tech tools” by the Washington Post, and she testified in front of Congress on April 16, 2016, less than a month after the FBI was able to crack the phone.
“Hess expressed concern about an alleged disagreement between units within the FBI Operational Technology Division (OTD) over the ‘capabilities available to the national security programs’ to access the Farook iPhone following its seizure, and concerns that this may have resulted in her or Comey giving inaccurate testimony to Congress on the FBI’s capabilities,” according to the report.
The report’s conclusions may make it harder for government officials to force companies to crack encrypted devices in the future. If the bureau doesn’t exhaust all options, why should big tech companies build special back doors for law enforcement?
That’s a particularly timely question. The New York Times reports that a new effort to force Apple and similar companies to build special software for law enforcement is brewing. Current efforts inside the government are focused on a new, safe way to unlock data on encrypted devices.
Apple is already pushing back. In a statement published with the New York Times story, Apple’s top engineering executive, Craig Federighi, said that those kind of proposals “inject new and dangerous weaknesses into product security.”
Then he mentioned that the people who run critical infrastructure need secure iPhones, too.
“Weakening security makes no sense when you consider that customers rely on our products to keep their personal information safe, run their businesses or even manage vital infrastructure like power grids and transportation systems.”