The FBI may be allowed to withhold information about how it broke into an iPhone belonging to a gunman in the December San Bernardino shootings, despite a U.S. government policy of disclosing technology security flaws discovered by federal agencies.
Under the U.S. vulnerabilities equities process, the government is supposed to err in favor of disclosing security issues so companies can devise fixes to protect data. The policy has exceptions for law enforcement, and there are no hard rules about when and how it must be applied.
Apple Inc has said it would like the government to share how it cracked the iPhone security protections. But the Federal Bureau of Investigation, which has been frustrated by its inability to access data on encrypted phones belonging to criminal suspects, might prefer to keep secret the technique it used to gain access to gunman Syed Farook’s phone.
The referee is likely to be a White House group formed during the Obama administration to review computer security flaws discovered by federal agencies and decide whether they should be disclosed.
Experts said government policy on such reviews was not clear-cut, so it was hard to predict whether a review would be required. “There are no hard and fast rules,” said White House cybersecurity coordinator Michael Daniel, in a 2014 blog post about the process.
If a review is conducted, many security researchers expect that the White House group will not require the FBI to disclose the vulnerability it exploited.
Some experts said the FBI might be able to avoid a review entirely if, for instance, it got past the phone’s encryption using a contractor’s proprietary technology.
Explaining the policy in 2014, the Office of the Director of National Security said the government should disclose vulnerabilities “unless there is a clear national security or law enforcement need.”
The interagency review process also considers whether others are likely to find the vulnerability. It tends to focus on flaws in major networks and software, rather than individual devices.
During a press call, a senior Justice Department official declined to disclose whether the method used on Farook’s phone would work on other phones or would be shared with state and local law enforcement.
Apple declined to comment beyond saying it would like the government to provide information about the technique used.
The government reorganized the review process roughly two years ago and has not disclosed which agencies regularly participate other than the Department of Homeland Security and at least one intelligence agency. A National Security Council spokesman did not respond to a request for comment about agency participation.
In his April 2014 blog post, White House cybersecurity coordinator Daniel, who chairs the review group, said secrecy was sometimes justified.
“Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property,” Daniel wrote.
On Tuesday, a senior administration official said the vulnerability review process generally applies to flaws detected by any federal agency.
Paul Rosenzweig, a former deputy assistant secretary at the Department of Homeland Security, said he would be “shocked” if the Apple vulnerability is not considered by the group.
“I can’t imagine that on one of this significance that the FBI, even if it tried to, would succeed in avoiding the review process,” said Rosenzweig, founder of Red Branch Consulting, a homeland security consulting firm.
He predicted the FBI would not be forced to disclose the vulnerability because it appears to require physical possession of a targeted phone and therefore poses minimal threat to Internet security more broadly.
Many security researchers have suggested that the phone’s content was probably retrieved after mirroring the device’s storage chip to allow data duplication onto other chips, effectively bypassing limitations on the number of passcode guesses.
Kevin Bankston, director of the think tank Open Technology Institute, said there is no public documentation of how the review process has worked in recent years. He said Congress should consider legislation to codify and clarify the rules.
Stewart Baker, former general counsel of the NSA and now a lawyer with Steptoe & Johnson, said the review process could be complicated if the cracking method is considered proprietary by the third party that assisted the FBI.
Several security researchers have pointed to the Israel-based mobile forensics firm Cellebrite as the likely third party that helped the FBI. That company has repeatedly declined comment.
If the FBI is not required to disclose information about the vulnerability, Apple might still have a way to pursue details about the iPhone hack.
The Justice Department has asked a New York court to force Apple to unlock an iPhone related to a drug investigation. If the government continues to pursue that case, the technology company could potentially use legal discovery to force the FBI to reveal what technique it used, a source familiar with the situation told Reuters.
At least one expert thinks a government review could require disclosure. Peter Swire, a professor of law at the Georgia Institute of Technology who served on the presidential intelligence review group that recommended the administration disclose most flaws, said there is “a strong case” for informing Apple about the vulnerability under the announced guidelines.
“The process emphasizes the importance of defense for widely used, commercial software,” he said.