The FBI had not fully determined whether it had the capability to crack open a terrorist’s locked iPhone before seeking a February 2016 court order to force Apple to do so, according to a Justice Department inspector general’s report.
The report, issued Tuesday, pinned the lapse on a lack of effective coordination and communication between FBI units. The case involved an encrypted iPhone recovered after the December 2015 shooting rampage in San Bernardino, California.
The inspector general’s office also found that the FBI lacked the capability to break into the iPhone in February and early March 2016, consistent with then-FBI Director James Comey’s testimony to Congress. At the time, he also testified that the bureau needed Apple’s help.
The report, announced by Inspector General Michael Horowitz, raises questions about the FBI and Justice Department’s approach to the challenge of gaining access to suspects’ encrypted devices – what the FBI calls “Going Dark” – and whether the bureau sufficiently exhausts its own technical capabilities before taking more aggressive external steps, such as a court battle.
Apple had no comment on the report.
The phone was used by Syed Rizwan Farook, the terrorist who, with his wife, shot and killed 14 people. The pair were killed by police in a shootout.
On February 16, 2016, the Justice Department went to court to force Apple to find a way to unlock the phone. The move touched off a heated national debate over whether the government could or should use a court order to compel a tech company to break the encryption it builds into its devices for customer security.
On March 21, 2016, prosecutors said the FBI found a third party that had demonstrated a way to unlock the phone. A week later, they reported that the phone had been successfully cracked. Nothing of significance to the counterterrorism investigation was found, and the legal showdown was averted.
The San Bernardino case, however, was the “poster child” for the “Going Dark” challenge, a senior FBI official would later tell the inspector general’s office.
The report comes as the White House, Justice Department and FBI have renewed discussions within the government and with industry and academia about potential solutions – whether technical, legal or some combination – to the national security and public safety challenges posed by encryption. Meanwhile, Britain has a law that enables it to mandate that tech firms assist law enforcement in surveillance, possibly including decryption solutions. Other countries are debating whether to follow suit.
“One of the main hurdles that keeps getting identified on encryption is education about how encryption works and the amount of information available without needing to bypass encryption protections,” said Amie Stepanovich, U.S. policy manager at Access Now, a privacy advocacy group. “The issues identified in this report continue to stress the need for the FBI and other law enforcement to invest internally on processes and procedures.”
The report grew out of a concern that the FBI’s then-executive assistant director for science and technology, Amy Hess, raised several months after Farook’s phone was unlocked. Hess feared that one unit in her branch, the Remote Operations Unit (ROU), may have had techniques that could have opened the phone, and that another unit in the branch that was working on the case, the Cryptographic and Electronic Analysis Unit (CEAU), did not know about them.
She also feared that the CEAU chief did not seem to want to find a technical solution and that he may have remained silent to “pursue his own agenda of obtaining a favourable court ruling.”
The report found that no one had withheld knowledge of an existing capability, but that CEAU “did not pursue all possible avenues” in a search for solutions. In fact, it turned out that the Remote Operations Unit knew a company that was close to finding a hack for the phone. But the ROU chief had not been consulted and did not even know about the dilemma until Feb. 11, just a few days before the Justice Department sought a court order.
The ROU chief told the inspector general’s office that he believed the disconnect stemmed from “a long-standing policy” against using national security tools in criminal cases, creating a “line in the sand.” From the time he became unit chief in 2010, “he was told that ROU’s classified techniques could not be used in criminal cases,” the report said.
The ROU chief also told investigators that the CEAU chief “was definitely not happy” that the court case against Apple had been dropped.
“There’s a need for better sharing of forensic tools” in national security and criminal cases, said Jennifer Daskal, a former senior Justice Department national security official who now teaches law at American University. “This was a criminal investigation with national security implications. Before we go down the road of new legislation or mandates, we need to ensure that all FBI resources are effectively deployed.”
Sen. Ron Wyden, D-Ore., criticized the FBI for failing to explore its technical options before going to court. “It’s clear now that the FBI was far more interested in using this horrific terrorist attack to establish a powerful legal precedent than they were in promptly gaining access to the terrorist’s phone,” Wyden said in a statement.
In response to the report, the FBI told Horowitz that it is in the process of reorganizing the units within the Operational Technology Division, which houses the ROU and CEAU, to consolidate resources and improve coordination.