The debate about encryption continues to drag on without end.
In recent months, the discourse has largely shifted away from encrypted smartphones to focus instead on one-to-end encrypted messaging. But a recent press conference by the heads of the Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) showed that the unit encryption debate is not dead, it is just resting. And it just doesn̵
At the press, Attorney General William Barr and FBI Director Chris Wray announced that after months of work, FBI technicians had managed to unlock the two iPhones used by the Saudi military officer who conducted a terrorist shooting at Pensacola Naval Air Station in Florida in December 2019. The shooter died in attacks, which Al Qaeda quickly claimed on the Arabian Peninsula.
Early this year – a solid month after the shooting – Barr asked Apple to help unlock the phones (one of which was damaged by a bullet), which were older iPhone 5 and 7 models. Apple provided “gigabytes of information” to investigators, including “iCloud backups, account information and multi-account transaction data,” but pulled the line using the devices. The situation threatened to revive the “Apple versus FBI” show in 2016 over another locked iPhone following the San Bernardino terror attack.
After the government went to federal court to try to drag Apple in carrying out investigators’ jobs for them, the dispute ended anti-climatically as the government entered the phone itself after purchasing an exploit from an external supplier that the government refused to identify. The Pensacola case culminated in much the same way, except that the FBI apparently used an internal solution instead of a third-party exploitation.
You’d think the FBI’s success with a difficult task (remember, one of the phones had been shot) would be good news for the Bureau. Still, an unmistakable note of bitterness got the promising remarks at the press conference for the technicians that made it happen. Despite the Bureau’s impressive performance, and despite the data Apple provided, Barr and Wray set aside much of their remarks to offend Apple, with Wray going so far as to say the government “received effective help” from the company.
This diversion tactic worked: in news stories covering the press conference, headline after headline highlighted the FBI’s slam against Apple instead of focusing on what the press conference nominally was about: the fact that federal law enforcement agencies can get locked in iPhones without Apple’s help.
That should be the headline news because it is important. The inconvenient truth underpins the agencies’ long-standing claim that they are helpless to Apple’s encryption, and therefore the company should be legally forced to weaken its device encryption for access to law enforcement. No wonder Wray and Barr are so crazy that their employees continue to be good at their jobs.
By reviving the old blame-Apple routine, the two officials managed to avoid a series of questions that their press conference left unanswered. What exactly is The FBI’s ability to access locked, encrypted smartphones? Wray claimed that the technique developed by FBI technicians is “of rather limited use” in addition to Pensacola iPhones. How limited? What other phone cracking techniques does the FBI have, and which handset models, and which mobile OS versions do these techniques work reliably? In what types of cases, to what kinds of crimes are these tools used?
We also do not know what has changed internally at the Bureau since the cursing Inspector General Postmortem about the San Bernardino affair. What happened to the FBI’s plans announced in the IG report to lower the barrier within the agency to use national security tools and techniques in criminal cases? Did that change happen and did it play a part in Pensacola’s success? Does the FBI crack into criminal suspected phones using classified techniques from the national security context that may not pass patterns in a lawsuit (should their use be recognized at all)?
Further, how does the FBI’s internal capabilities complement the larger ecosystem of law enforcement tools and techniques to access locked phones? These include third-party vendors GrayShift and Cellebrite’s entities, which, in addition to the FBI, also count several U.S. state and local police departments and federal immigration authorities among their clients. When connected to a locked phone, these devices can bypass the phone’s encryption to disclose its contents, and (in the case of GrayShift) they can plant spyware on an iPhone to log its password when police trick a phone owner into entering it . These devices work on much newer iPhone models: Cellebrite claims it can unlock any iPhone for law enforcement, and the FBI has unlocked an iPhone 11 Pro Max using GrayShift’s GrayKey device.
In addition to Cellebrite and GrayShift, which has a well-established U.S. customer base, includes the ecosystem of third-party phone hacking entities that market remote-speed phone hacking software to governments around the world. Perhaps the most notorious example is the Israeli-based NSO group whose Pegasus software has been used by foreign governments against dissidents, journalists, lawyers and human rights activists. The company’s U.S. arm has been trying to market Pegasus’s domestic to U.S. police departments under a different name. Which third-party vendors provide phone hacking solutions to the FBI, and at what cost?
Finally, who else besides the FBI will be the recipient of the technique that worked on the Pensacola phones? Does the FBI share the vendor tools it buys, or its own home-rolled tools, with other agencies (federal, state, tribal or local)? What tools, which agencies, and what kind of cases? Even if it doesn’t share the techniques directly, will it use them to unlock phones for other agencies, as it did for a state attorney shortly after buying the exploit for the San Bernardino iPhone?
We have no idea the answers to any of these questions because the capabilities of the FBI are a close secret. What progress and breakthrough it has made, and what vendors it has paid, we (who provide taxpayer dollars to fund this work) are not allowed to know. And the agency refuses to answer questions about the impact of encryption on its investigations, even from members of Congress who may be interested in confidential information denied to the public.
The only public information coming out of the FBI’s phone hacking black box is nothing burgers like the recent press conference. At an event about the FBI’s phone hacking capabilities, Director Wray and AG Barr succeeded in an exciting way of diverting the press’s attention to Apple and avoiding any difficult issues, such as what the FBI’s capabilities mean for Americans’ privacy, civil liberties and data security, or even basics questions like how much does the Pensacola telephone cracking operation cost.
As the recent PR show demonstrated, a press conference is not oversight. And instead of exercising its supervisory power, demanding more transparency, or demanding an accounting and cost / benefit analysis of the FBI’s phone-hacking spending – rather than demanding a direct and definitive answer to the eternal question of, in light of the agency’s ongoing evolving capabilities that really need to force smartphone manufacturers to weaken their device encryption – Congress instead comes up with dangerous legislation like the EARN IT Act, which risks undermining encryption rights when a population forced by COVID-19 to do everything online from home at least afford it.
The best–the case scenario now is that the federal agency, which proved its untrustworthiness by lying to the Foreign Intelligence Surveillance Court, can tap into our smartphones, but maybe not all of them; that it may not share its toy with state and local police departments (which are filled with domestic abusers who would love to access their victims’ phones); that unlike third-party vendor units, the FBI’s tools may not end up on eBay where criminals can buy them; and hopefully it has not paid taxpayer money to the spyware company whose best-known government customer murdered and dismantled a journalist.
The worst case would be that between internal and third-party tools, virtually any law enforcement agency can now reliably turn on everyone’s phones, and yet it turns out to be the year they finally get their legislative victory over encryption anyway. I can’t wait to see what else 2020 has in store.