FBI reversal in Apple fight draws critics’ ire

The FBI’s last-minute decision to press pause in their legal fight with Apple over the San Bernardino shooter’s iPhone is roiling the agency’s critics who accuse it of acting disingenuously.

For weeks, critics pressed the FBI on whether it tried hard enough to hack into the device on its own, before it sought a court order to force Apple to help.

Then on Monday, the FBI unexpectedly asked to cancel the first hearing in the case, saying it may have found a way in without the help of the company’s engineers.

{mosads}The eleventh-hour shift gave new ammunition to critics who argued that the agency’s focus was on setting a precedent on encrypted communications, not investigating shooter Syed Rizwan Farook’s device.

Others see the move as evidence of a possible solution to the broader debate: They say companies don’t need to build “backdoors” to their products; the FBI simply needs to get better at hacking.

“We’re in this situation where I think law enforcement needs to really develop those skills up by themselves,” Dr. Susan Landau, a professor of cybersecurity policy at Worcester Polytechnic Institute, told the House Judiciary Committee earlier this month.

When it called off the hearing, the FBI said that a “non-governmental third party” had found a possible way to break into the device without Apple’s help. FBI Director James B. Comey said Thursday that he was “optimistic” the unknown party’s solution would work.

Exactly who is helping the agency — and how — is a matter of rampant speculation. Some reports suggest Israeli mobile forensics firm Cellebrite is the FBI’s white knight, while others say the rumor is bunk.

The agency does have a $15,000 contract dated March 21 with the company for “information technology software,” although the “principle place of performance” is listed as Chicago.

But no matter who is helping, security experts agree: It is possible to crack into Farook’s iPhone 5C. Most cryptologists say that there is no such thing as a perfectly impenetrable security system.

“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” Johns Hopkins cryptologist Matthew Green told The Washington Post earlier this week.

The FBI has repeatedly insisted that the only viable way for investigators to break into the phone was if Apple built a piece of software that disabled a certain security failsafe.

The agency claims to have been caught off-guard by the mystery work-around. According to court transcripts, Assistant U.S. attorney Tracy Wilkison told the judge in the case that, “We only learned about this possibility today, this morning, about this possibility that Apple is not necessary.”

During the same Judiciary Committee hearing earlier this month, Rep. Darrell Issa (R-Calif.) badgered Comey on whether the agency had attempted a suite of different technological solutions before it turned to the courts.

“You’re expecting somebody to obey an order to do something they don’t want to do, and you haven’t even figured out whether you could do it yourself,” he said.

Comey appeared stymied by the questions, many of which were technical in nature — and some of which were later criticized by technologists as being inaccurate. But he ultimately insisted that although the agency had “engaged all parts of the U.S. government” and “lots of people have e-mailed ideas,” Apple remained the FBI’s only hope.

For critics operating on the premise that anything is hackable, the agency’s surprise discovery is suspicious.

“The FBI’s last minute excuse is about as believable as an undergrad who comes down with the flu the night before their paper is due,” said Evan Greer, campaign director for the digital rights advocacy organization Fight for the Future.

She suggests that the agency knew all along it was possible to find a way into the device without Apple’s help.

Bolstering that theory is the fact that the FBI has routinely contracted Cellebrite over the last five years. The company, which publicly boasts its ability to hack into Apple devices, has received over $2 million in purchase orders from the agency since 2012.

Critics have long argued that the agency is pressing forward with this case because it hopes to set a precedent that will effectively shift encryption policy in its favor.

Greer suggests the government decided to back away when it realized it might lose the case.

Others suggest the mystery hacking method did catch the FBI by surprise — but that it wants to avoid disclosing the vulnerability to Apple so that it can use it on other devices.

“I can see why the law enforcement community would be very interested in holding any vulnerabilities close to their vest for purposes of future cyber investigations, particularly in light of the manufacturers’ unwillingness to assist,” said Ed McAndrew, a former federal cybercrime prosecutor and current partner at Ballard Spahr.

Some security policy experts say that letting the authorities find and exploit vulnerabilities on their own — so-called “lawful hacking” — is the most practical solution to the broader debate over how much access law enforcement should have into encrypted communications.

“I think that’s the answer,” McAndrew said. “The techniques that have to be used to execute digital searches are evolving. These aren’t 20th-century concepts anymore — the government can’t just break down the door and rifle through a filing cabinet. Court-sanctioned hacking is the equivalent of breaking down the front door when no one unlocks it for you.”

Comey and other officials warn that “warrant-proof” encryption shields criminals and terrorists from investigation, but technologists argue that forcing companies to deliberately build a vulnerability into their products only opens the doors for criminals to exploit it, endangering all Internet users.

Rather than introducing new vulnerabilities to already-imperfect systems, some say, investigators should simply develop the tools to do it themselves.

“It’s thinking about the right way for law enforcement to develop those capabilities, the right level of funding. The funding is well below what it should be but they also don’t have the skills,” Landau said.

The cost of developing those capabilities, some say, is likely what led the FBI to try to simply force Apple to help.

Hacking into the device internally, or even with a contractor, is “harder,” said Rook Security CEO JJ Thompson, whose firm often assists the FBI in investigations. “It’s more complex. It costs more money.”

The FBI is already trying to get more money to combat the risk of “going dark.” It’s requesting $38 million in funding to develop and purchase tools to access encrypted data — a 23-percent increase over last year.

But even if the FBI is able to get into more locked and encrypted devices without forcing companies to build a backdoor, lawmakers and officials say, the country will still have to grapple with how to regulate the technology.

“It removes the necessity of going to court, but long term I think we still need to have the conversation with the technology, privacy and civil liberties groups, along with law enforcement,” Rep. Jim Langevin (D-R.I.) told The Hill. He added that he believes lawful hacking is a “legitimate solution.”

“Even if this particular technique makes that go away, that litigation, we still have to as a country resolve this conflict,” Comey said Thursday.