The FBI Didn’t Explore All Options Before Trying to Force Apple to Break Into an Encrypted iPhone
Ink Dro/Shutterstock.com
By
Joseph Marks
Some FBI officials were more interested in making a legal blow against cop-proof encryption than in getting into the San Bernardino shooter’s phone.
FBI officials didn’t investigate all their options and didn’t communicate effectively about possible alternatives before deciding Apple should help them crack into an encrypted iPhone used by San Bernardino shooter Syed Farook in 2015, according to a Tuesday inspector general’s report.
The FBI did not intentionally mislead either Congress or the court, according to the report, but internal miscommunication left some offices unclear whether the bureau was interested in all possible techniques to crack into the phone or just unclassified techniques that could be revealed in front of a jury.
One official who contacted the inspector general’s office was also concerned that the leader of another division, the Cryptographic and Electronic Analysis Unit, was not actually interested in finding an alternative solution to break into the phone because he wanted to set a legal precedent compelling Apple and other tech companies to assist in future crises involving warrant-proof encryption systems.
According to that official, “the problem with the Farook iPhone encryption was the ‘poster child’ case for the Going Dark challenge,” the report states, using former FBI Director James Comey’s favored phrase for terrorists and criminals’ use of end-to-end encrypted systems for communication.
In a statement released shortly after the report, Sen. Ron Wyden, D-Ore., a longtime privacy advocate, charged that the FBI exploited the San Bernardino case “to score political points.”
“The FBI’s leadership went straight to the nuclear option – attempting to force Apple to circumvent its encryption – before attempting to see if their in-house hackers or trusted outside suppliers had the technical capability to break into the San Bernardino terrorist’s iPhone,” Wyden said.
“It’s clear now that the FBI was far more interested in using this horrific terrorist attack to establish a powerful legal precedent than they were in promptly gaining access to the terrorist’s phone,” he added.
The Apple-FBI case centered around a passcode feature on the shooter’s iPhone that would wipe the phone’s contents if it was entered incorrectly 10 times. That feature prevented the FBI from using a computer program to simply try codes until it hit on the correct one – a technique known as a “brute force attack.”
The bureau tried for several weeks to force Apple to help it find a way around the passcode, but withdrew that legal request after another company offered to sell the bureau technology to bypass the code and secure access to the iPhone’s unencrypted contents.
According to the report, when the FBI filed legal papers to compel Apple’s cooperation, the chief of the FBI’s Remote Operations Unit “had only just begun the process of contacting vendors about a possible technical solution.”
Among those vendors was a company that ultimately provided the solution and that the unit’s leader knew was about 90 percent of the way to a solution already.
The head of the cryptographic analysis unit, meanwhile, had not verified that remote operations staff were engaged with the problem.
The cryptographic chief’s language when reaching out to other divisions, moreover, implied that the unit was not interested in passcode workarounds that required classified hacking tools, which are used for national security operations and could not be revealed in a courtroom, the inspector general found.
If FBI divisions had communicated better between each other and with the U.S. Attorney’s Office for the Central District of California, the government might not have brought its case against Apple, the report suggests.
After the Apple case, the FBI began consolidating its resources aimed at encryption and mobile devices, officials told the inspector general. The report recommends a status report on those efforts within 90 days.