Cybersecurity & Standards, Government Surveillance

Inspector General: FBI Chomping at the Bit for Backdoors to Encryption

For years, the Federal Bureau of Investigation has been lobbying for backdoor access to the communications of every American. The Bureau has long argued it is “going dark” and can’t access communications protected by encryption. This concern was the basis of the famous Apple v. FBI case, where the FBI attempted to force Apple to break the encryption protecting the iPhone of San Bernardino, CA terrorist Syed Rizwan Farook. Now, a damning report released by the Department of Justice Inspector General casts significant doubt on that argument and the FBI’s honesty in making it.

The report found that a key entity within the FBI was not even asked for assistance with gaining access to the encrypted Farook iPhone until a few days before the DOJ sued Apple to compel it to build a backdoor into the iPhone. The March 27 report by DOJ IG Michael E. Horowitz called into question the commitment of FBI officials to finding a technical solution to its “going dark” problem, instead of compelling device manufacturers to build in backdoors that grant law enforcement officials privileged access and undermine the cybersecurity of the device. The report was spurred by concerns from FBI Executive Assistant Director Amy Hess that the FBI may have had techniques available to exploit the Farook iPhone at the same time that FBI officials were testifying in Congress and filing affidavits in court saying that the FBI could not gain access.

The FBI entity that was not asked for timely assistance in accessing the iPhone’s contents — the Remote Operations Unit (ROU) — is responsible for providing such assistance when the FBI is conducting a national security investigation. The Farook investigation was being conducted for criminal purposes, and a different FBI entity – the Cryptographic and Electronic Analysis Unit (CEAU) – provides such assistance in criminal cases.

If the ROU had been asked for assistance in time, the FBI might never have filed its lawsuit against Apple to compel it to assist, and might never have complained to Congress about its inability to access the phone. The ROU knew all along that one of its outside vendors “was almost 90% of the way toward a solution that the vendor had been working on for many months.” This vendor was asked for assistance at some point after a February 11, 2016 division meeting – more than two months after the December 2 attack by Mr. Farook, and just two days before FBI Director Comey testified to Congress that the FBI did not have a technical solution to get into the iPhone. The FBI sought and obtained a court order to compel Apple to assist with the iPhone on February 16, just days before the FBI’s ROU was asked if it had access to a technical solution. The vendor completed the solution on March 16, demonstrated it to FBI leadership on March 20, and the DOJ notified the court on March 21, terminating the litigation.

While the IG found that the FBI did not have the capability to exploit the Farook iPhone at the time it filed the litigation against Apple and testified in Congress, it also found that the FBI did not try hard enough to develop that capability without Apple’s assistance.

Perhaps the most damning part of the report is the IG’s telling of the reaction of the FBI CEAU chief to the news that the ROU had finally sought assistance from an outside vendor who had already almost completed work on a solution.

The CEAU Chief told the [IG] that, after the outside vendor came forward, he became frustrated that the case against Apple could no longer go forward, and he vented his frustration to the ROU Chief. He acknowledged that during this conversation between the two, he expressed disappointment that the ROU Chief had engaged an outside vendor to assist with the Farook iPhone, asking the ROU Chief ‘Why did you do that for?’ [p. 8]

*                      *                      *

Further, the CEAU Chief may not have been interested in researching all possible solutions and instead focused only on unclassified techniques that could readily be disclosed in court…. [p. 9]

What conclusions should policy makers draw from the IG report? First, that not all of the FBI may be committed to finding a technical solution to the problem of accessing iPhones and other devices and may instead prefer a solution that involves building in backdoors that threaten everyone’s cybersecurity. Second, that claims that no technical solutions are available should be interrogated thoroughly. Third – and it’s difficult to say this about what should be the premier law enforcement agency in the country – when it comes to the FBI’s claims about encryption: trust, but verify.