Privacy advocates and digital rights proponents are leaning on the FBI to disclose the method it used to break into the iPhone of the San Bernardino shooter, but the agency so far remains mum, while also reasserting its commitment to helping state and local law enforcement with their own digital investigations.
While the FBI did not specifically promise to apply its newfound technique toward other cases, the agency did write an open letter to state and local law enforcement officials, published on BuzzFeed, stating that it would “of course consider any tool that might be helpful to our partners,” so long as it was consistent with legal and policy constraints.
Signed by Kerry Sleeper, assistant director of the FBI's Office of Partner Engagement, the letter also acknowledged that “the absence of lawful, critical investigative tools due to the ‘Going Dark’ problem is a substantial state and local law enforcement challenge.”
This outreach to state and local governments likely did not sit well with privacy and technology influencers who are placing mounting pressure on the FBI to reveal to Apple how it was able to circumvent or defeat the encryption on the phone belonging to terrorist Syed Rizwan Farook. (It has been widely reported that third-party contractor Cellebrite provided the method.)
"If the FBI is, in fact, sharing the technique that it used in the San Bernardino case with local law enforcement, this only increases the likelihood that bad actors will uncover the technique and the underlying vulnerability, putting ordinary iPhone users at risk," said Eliza Sweren-Becker, an attorney with the American Civil Liberties Union, in an emailed statement to SCMagazine.com.
“If they really care about public safety, they must disclose the vulnerability they used to Apple to prevent criminals, hackers, and terrorists from exploiting the same security flaw and using it to do harm,” read another online statement from digital advocacy group Fight for the Future.
Chenxi Wang, chief strategy officer for enterprise cloud security company Twistlock, told SCMagazine.com in an email interview that if the FBI truly succeeded in breaking into Farook's phone, then “by the spirit of responsible disclosure, to which most of the security industry organizations and professionals subscribe, the FBI should disclose the existence of such vulnerability to the manufacturer.”
“If the FBI fails to do that, this will become an open invitation for hackers and underground profit-seekers to focus their attention on hacking iPhones in order to discover this vulnerability,” she continued.
Oren Falkowitz, CEO of anti-phishing tech firm Area 1 Security and a former NSA analyst, agreed in an email interview with SCMagazine.com, noting, “We are more secure if there are less vulnerabilities that can be exploited. There are approximately 24 million of these phones and the potential exposure is high if we don't plug known security gaps.”
Independent of this disclosure decision, Falkowitz noted that he expects the government to “use every possible method to ensure the safety of our nation and its citizens,” including potentially the same technique used on Farook's phone. Of course, should the tactic be disclosed, Apple would almost certainly develop a fix for the vulnerability behind it.
In a recent Ars Technica report, an anonymous federal law enforcement official was quoted as saying: “We cannot comment on the possibility of future disclosures to Apple.” Apple, which could try to compel the FBI in court to disclose the vulnerability, has not responded to SCMagazine.com's request for comment.