Did the FBI engineer its iPhone encryption court showdown with Apple to force a precedent? Yes and no, say DoJ auditors

Official report blows lid on behind-the-scenes


The 'poster child' case for going dark

The ROU finally got onboard with cracking Farook's iPhone, its officials say, when they saw FBI director James Comey testifying in Congress about how the FBI could not access the phone and was doing everything in its power to do so.

ROU approached Cellebrite (the company is not named in the report) and asked it to focus on the iOS 8 crack – which it subsequently did. According to the report, Cellebrite told the FBI it had a solution on March 16, 2016.

It then demonstrated the crack to FBI leadership four days later, on March 20, and the FBI notified the court the very next day. One week later – March 28 - it formally filed in court to drop the case against Apple. We later learned that the FBI had paid approximately $1m for the crack – and found nothing of interest.

So that's the explanation: poor communication between departments, followed by a scramble, followed by the FBI doing the right thing.

Except...

Except this part of the report: "After the outside vendor successfully demonstrated its technique to the FBI in late March, EAD Hess learned of an alleged disagreement between the CEAU and ROU Chiefs over the use of this technique to exploit the Farook iPhone."

What was the disagreement? "The ROU Chief wanted to use capabilities available to national security programs, and the CEAU Chief did not. She became concerned that the CEAU Chief did not seem to want to find a technical solution, and that perhaps he knew of a solution but remained silent in order to pursue his own agenda of obtaining a favorable court ruling against Apple."

In an interview that Hess gave with the DoJ investigators she told them that the Farook phone had become "the 'poster child' case for the Going Dark challenge."

Frustration

The investigators dug into that concern and found that "CEAU did not pursue all possible avenues in the search for a solution." What's more, the person in question, the CEAU Chief – who is not named in the report – told investigators that he was "frustrated that the case against Apple could no longer go forward, and he vented his frustration to the ROU Chief."

Presumably because he knew the ROU Chief would relay his version of the conversation, the CEAU Chief also "acknowledged that during this conversation between the two, he expressed disappointment that the ROU Chief had engaged an outside vendor to assist with the Farook iPhone, asking the ROU Chief, 'Why did you do that for?'"

Further: "According to the CEAU Chief, his unit did not ask CEAU's partners to check with their outside vendors. CEAU was only interested in knowing what their partners had in hand – indicating that checking with 'everybody' did not include OTD's trusted vendors, at least in the CEAU Chief's mind."

It is here that the DoJ report inserts a rare piece of opinion – the rest of the report is largely an objective report of what people said – when it says: "We believe CEAU should have checked with OTD's trusted vendors for possible solutions before advising OTD management, FBI leadership, or the USAO that there was no other technical alternative and that compelling Apple's assistance was necessary to search the Farook iPhone."

And in an unusual addition, given the fact that the rest of the report directly quotes and sources all its information, the DoJ report then quotes anonymous "other information" that points to the CEAU going out of its way not to find a crack.

"We obtained other information suggesting that not everyone within OTD was on the same page in the search for a technical solution to the Farook iPhone problem, including varying testimony from OTD managers on whether there was a dividing line discouraging collaboration between the units that predominately do criminal and national security work in OTD," the report notes.

Upshot

In summary: did the FBI lie about its capabilities in an effort to try to force Apple into an impossible situation so it could gain a legal precedent for accessing all digital devices? No, it did not.

But did some elements within the FBI try to make the most of a bad situation, including not looking hard enough for a possible solution, in order to push the issue in the courts? Yes, they did.

Let's be honest, we all knew that's what was happening. But it is gratifying to read it in an official report, and it is good to see that FBI leadership was sufficiently concerned about having potentially lied to Congress that it subjected itself to an investigation to clear things up. That level of integrity appears to be in dangerously short supply in Washington right now.

It should be noted, however, that the FBI has not given up its efforts to be granted access to every phone. It appears to be simply biding its time until the next San Bernardino tragedy. ®


Other stories you might like

  • Saved by the Bill: What if... Microsoft had killed Windows 95?

    Now this looks like a job for me, 'cos we need a little, controversy... 'Cos it feels so NT, without me

    Veteran Microsoft vice president, Brad Silverberg, has paid tribute to former Microsoft boss Bill Gates for saving Windows 95 from the clutches of the Redmond Axe-swinger.

    Silverberg posted his comment in a Twitter exchange started by Fast co-founder Allison Barr Allen regarding somebody who'd changed your life. Silverberg responded "Bill Gates" and, in response to a question from senior cybersecurity professional and director at Microsoft, Ashanka Iddya, explained Gates' role in Windows 95's survival.

    Continue reading
  • UK government opens consultation on medic-style register for Brit infosec pros

    Are you competent? Ethical? Welcome to UKCSC's new list

    Frustrated at lack of activity from the "standard setting" UK Cyber Security Council, the government wants to pass new laws making it into the statutory regulator of the UK infosec trade.

    Government plans, quietly announced in a consultation document issued last week, include a formal register of infosec practitioners – meaning security specialists could be struck off or barred from working if they don't meet "competence and ethical requirements."

    The proposed setup sounds very similar to the General Medical Council and its register of doctors allowed to practice medicine in the UK.

    Continue reading
  • Microsoft's do-it-all IDE Visual Studio 2022 came out late last year. How good is it really?

    Top request from devs? A Linux version

    Review Visual Studio goes back a long way. Microsoft always had its own programming languages and tools, beginning with Microsoft Basic in 1975 and Microsoft C 1.0 in 1983.

    The Visual Studio idea came from two main sources. In the early days, Windows applications were coded and compiled using MS-DOS, and there was a MS-DOS IDE called Programmer's Workbench (PWB, first released 1989). The company also came up Visual Basic (VB, first released 1991), which unlike Microsoft C++ had a Windows IDE. Perhaps inspired by VB, Microsoft delivered Visual C++ 1.0 in 1993, replacing the little-used PWB. Visual Studio itself was introduced in 1997, though it was more of a bundle of different Windows development tools initially. The first Visual Studio to integrate C++ and Visual Basic (in .NET guise) development into the same IDE was Visual Studio .NET in 2002, 20 years ago, and this perhaps is the true ancestor of today's IDE.

    A big change in VS 2022, released November, is that it is the first version where the IDE itself runs as a 64-bit process. The advantage is that it has access to more than 4GB memory in the devenv process, this being the shell of the IDE, though of course it is still possible to compile 32-bit applications. The main benefit is for large solutions comprising hundreds of projects. Although a substantial change, it is transparent to developers and from what we can tell, has been a beneficial change.

    Continue reading

Biting the hand that feeds IT © 1998–2022