The successful hack of a phone linked to the San Bernardino terror attacks is unlikely to help police win greater access to encrypted data in thousands of smartphones sitting in evidence lockers nationwide, legal experts and law enforcement officials say.
The process used to gain access to Syed Rizwan Farook’s iPhone 5c might not work on other devices, according to an FBI official with knowledge of the investigation.
Though the FBI might want to use the new tool to help solve other criminal cases, doing so would also make the process subject to discovery during criminal trials and place the information in the public domain, according to the official, who was not authorized to discuss the case and spoke on the condition of anonymity.
Any application of the method used to access Farook’s phone would probably be limited to investigations that are unlikely to result in criminal cases, the official said.
“A technical option developed for a particular computing device may not work on other devices,” the FBI official said. “The effectiveness of these lawful methods may be limited by time and resources, and may lack the scalability to be a viable option for most investigations.”
On Wednesday, an Arkansas prosecutor said the FBI has agreed to help his office gain access to an iPhone 6 and an iPod that might hold evidence in a murder trial. It was not clear if the FBI would employ the method it used to access Farook’s phone.
News that the FBI found a way into Farook’s phone Monday thrilled police, who have long complained that encrypted data represents a major roadblock to routine police investigations. Thousands of smartphones sit in police evidence lockers across the country. At least 400 locked devices are in the possession of the Los Angeles Police Department and the L.A. County Sheriff’s Department.
But as it became clear that the FBI’s success in the San Bernardino case wouldn’t translate to broader access for law enforcement, officials once again called on Congress to settle the issue.
“We cannot ask crime victims across 3,000 local jurisdictions to stake their hope for justice on an unending technological arms race between the government and Apple,” Manhattan Dist. Atty. Cyrus Vance Jr., one of the leading national voices decrying encryption, said in a statement issued Tuesday. “The ongoing public safety challenge posed by warrant-proof encryption demands a comprehensive, legislative solution.”
Terrence Cunningham, the police chief in Wellesley, Mass., and president of the International Assn. of Chiefs of Police, said he respects the FBI’s position but warned that criminals will continue to use encryption to deflect police investigations until a legislative solution is presented.
“The concern is that today’s technology provides criminals with powerful new tools that keep police from protecting the public,” he said. “Data that rests in emails, text messages, photos and videos stored on mobile devices can help to locate a suspect or a victim, and in some cases, save lives. Law enforcement’s mission is to keep the public safe and to protect communities, and collecting digital evidence from criminals and terrorists will help us do that.”
Federal investigators have offered few details about how they gained access to Farook’s phone. The iPhone 5c was at the center of a court battle between the FBI and Apple, which led to a court order that Apple create software that would allow the FBI to access encrypted data on the device.
Farook disabled the phone’s iCloud backup feature six weeks before the Dec. 2 attack, according to court filings. He had also enabled an auto-erase feature that would permanently destroy all data on the phone after 10 consecutive failed attempts to enter the device’s password.
A third party provided the FBI with a way to disable the password entry limit, according to another law enforcement official with knowledge of the investigation who was not authorized to discuss the case and spoke on the condition of anonymity.
Internal government policy might limit what, if anything, the FBI could share about the method used to hack Farook’s phone, said Andrew Crocker, a staff attorney with the Electronic Frontier Foundation, a digital rights advocacy group.
If the government exploited a flaw in Apple’s security measures, it could be required to disclose that information to Apple under the Vulnerabilities Equities Process, Crocker said. The policy is weighted toward disclosure, but the government has successfully fought to keep such details secret before.
Government agencies are allowed to share information about digital security flaws with one another, he said. But if the government chose not to share that information with Apple, it could also conceivably be barred from telling police agencies about the process used to unlock Farook’s phone.
“They certainly can share it within the federal government without disclosing it to Apple,” Crocker said. “The way I read the policy, sharing it with local police would be a dissemination outside the government.”
In the Arkansas case, Cody Hiland, prosecuting attorney for the state’s 20th Judicial District, said the FBI’s Little Rock field office had agreed to help prosecutors gain access to a pair of locked devices linked to suspects in the slayings of Robert and Patricia Cogdell.
Calls to the FBI’s Little Rock field office were not immediately returned. An FBI spokesman in Washington, D.C., declined to comment.
Attorneys for Apple are researching legal tactics to compel the government to tell the company what, if any, flaws it exploited in gaining access to Farook’s phone. But most experts believe the FBI has no obligation to comply. The FBI could also argue that the most crucial information is part of a nondisclosure agreement, solely in the hands of the outside party that assisted the agency, or cannot be released until the investigation is complete.
Though the debate over Farook’s phone did not land in criminal court, the fight between law enforcement and Silicon Valley over access to encrypted data is far from over. The FBI may have claimed a victory this week, but some police leaders fear it won’t take long for Apple or another company to build tougher encryption methods.
“If the FBI did in fact find some type of a flaw that they were able to exploit, clearly the industry is going to say, ‘We’ve got to find a way to plug that hole,’” Cunningham said.