Round One Goes to the FBI, But the Crypto War Isn’t Over
Washington found a way of hacking a terrorist's iPhone without going to court with Apple, but the battle over encryption is only getting started.
The Justice Department may have abandoned its fight with Apple over accessing the iPhone of one of the San Bernardino shooters. The war over government access to encrypted technologies, however, is far from over.
In the wake of the deadly attacks in Brussels and Paris, U.S. and European intelligence agencies are under intense pressure to intercept communications between terrorists who use secure modes of communication to plan and carry out their strikes. Key U.S. senators say they will try to force tech companies to help the government access scrambled data. Apple, meanwhile, has pledged to fight to find out how the government broke into its phone and remains embroiled in a series of legal disputes with law enforcement agencies over access to other encrypted iPhone data.
The government has so far refused to reveal how it hacked the phone, saying only that it was approached about a week ago by a third party with a possible method for breaking into the device. “This tees up a really interesting question for the government. They know something that Apple doesn’t,” said Chris Inglis, the former deputy director of the National Security Agency. “Do they share that?”
According to unconfirmed media reports, the FBI relied on the Israeli firm Cellebrite, a computer forensics company, to hack the San Bernardino gunman’s phone. The FBI has refused to confirm that report, but yesterday the bureau signed a $281,000 purchase order with the company for unspecified IT services. Computer security experts say that is below the going rate for a so-called “zero day” vulnerability — a previously unknown weakness — on an iPhone, but that it matches market prices for what such companies charge for hacking into phones.
“Your best bet if you need to come up with a solution in a pinch is a company like Cellebrite,” said Jonathan Zdziarski, an iPhone security expert who has developed forensic tools used by intelligence and law enforcement agencies.
Cellebrite’s website says it can provide “forensically sound data extraction, decoding and analysis techniques to obtain existing and deleted data” from devices like the iPhone 5c used in the San Bernardino case. The company didn’t return calls seeking comment. The FBI did not answer questions about its contract with Cellebrite.
The question now is what comes next. The knowledge that a phone running a recent version of its mobile operating system has been hacked will likely force Apple to redouble its efforts to find and shore up any vulnerabilities. The FBI, for its part, will try to avoid alerting Apple to the specific hole in its defensive systems by refusing to share the tool with local law enforcement and keeping it in reserve only for the bureau’s more valuable cases.
Unless, that is, the FBI is forced to reveal its method. The White House has published a set of guidelines for when the government discloses computer vulnerabilities — and civil liberties groups have sued to obtain the internal policy documents describing the so-called “vulnerabilities equities.” Generally speaking, the U.S. government says it will disclose vulnerabilities when they affect large numbers of users, critical infrastructure systems, or do little to improve the government’s data collection abilities.
The NSA has said that it discloses 91 percent of the computer vulnerabilities it discovers, but whether the FBI will reveal how it hacked the iPhone remains an open question. FBI Director Jim Comey has spoken in apocalyptic terms about how his investigations are “going dark” as a result of terrorists and criminal groups using sophisticated encryption methods for their phone and email communications. In the Apple case, Inglis said he favors disclosure.
On Capitol Hill, Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), the chairman and ranking member of the Senate Intelligence Committee, have drafted a bill that would reportedly impose civil penalties on companies that refuse to comply with court orders mandating assistance to law enforcement in accessing encrypted data. That measure is unlikely to pass in an election year, but the threat of a heavy-handed law has many tech companies fearful.
Meanwhile, Apple’s lawyers have said they may use the courts in an attempt to force the government to reveal the vulnerability used to hack the San Bernardino shooter’s phone. As of last month, the company was involved in at least 11 legal disputes with the Justice Department over iPhone access, according to a tally compiled by an Apple lawyer. The company’s high-powered legal team has said they may use their multitude of court appearances to get the government to tip its hand.
But legal experts say Apple faces an uphill battle in court, as the company lacks much leverage with which to force disclosure, said Lisa Hayes, a vice president for programs and strategy at the Center for Democracy and Technology, a progressive think tank. “If I were Apple I might be playing more to the court of public opinion,” she said.
Indeed, while public opinion polls show the American public divided but backing the government, the company and its executives have received glowing press. CEO Tim Cook was featured on the cover of Time, where he was described as a member of a new generation of Silicon Valley executives “acting like statesmen and policymakers.”
The Justice Department’s decision to abandon the San Bernardino case is in some ways a stunning reversal. Comey has said that scores of investigations have been hampered by Apple’s encryption technology, and the San Bernardino case offered the government a highly favorable set of facts with which to establish a favorable precedent. With 14 dead Americans and a phone belonging to a man with possible links to the Islamic State, the government had a case tailor-made to swing the pendulum between police powers and civil liberties toward the FBI.
With the Islamic State placing an emphasis on communications security and the use of encryption, moreover, the debate won’t go away with the conclusion of the San Bernardino case. On Tuesday, the New York Times revealed that Islamic State operatives in Europe had used a program called TrueCrypt to protect their data and uploaded messages to a Turkish storage site to evade the NSA and other signals intelligence agencies. Those operatives carried out attacks that killed 130 people in Paris and another 35 in Brussels.
Inglis, the former NSA official, said the Islamic State operatives are far from encryption whizzes, but summed up their abilities as “sophisticated enough.” And that’s enough to keep the crypto war alive.
That’s also because the fundamental legal issue at play in San Bernardino — whether the government can compel a company to write a piece of software to defeat its own security features — remains unsettled. The FBI is going to use its newfound capability until it can’t, said Chris Soghoian, the principal technologist at the American Civil Liberties Union, and then “we’ll be back in court.”
In the short term, the most active legal dispute is playing out in a federal courtroom in Brooklyn, where prosecutors are asking Apple to unlock an iPhone connected to a drug case. On Tuesday, the government said it will decide in the next two weeks whether it will continue in its attempt to force Apple’s cooperation. Last month, a lower-court judge ruled in Apple’s favor and said the company could not be compelled to defeat its own encryption.
As the legal battle continues, technical developments ensure that disputes over the government’s ability to access encryption won’t go away. Messaging platforms such as WhatsApp have embraced strong encryption, and according to the New York Times, the Justice Department is weighing its options for how to intercept messages in real time. WhatsApp’s encryption has undermined the government’s wiretapping abilities, and law enforcement authorities say such technology has aided terror groups. (Technologists point out that the more widespread availability of encryption also helps protect data of all kinds, from ordinary individuals’ financial records to companies’ intellectual property.)
Facing increasingly sophisticated technology, the government has turned toward legalized hacking to defeat digital security measures, said Riana Pfefferkorn of the Stanford Center for Internet and Society. In order to catch pedophiles masking their identities using Tor, a program first built for the U.S. Navy and now the basic building block of the dark web, the FBI took over and ran a child porn site for two weeks and infected users’ computers with malware that allowed the bureau to identify users.
“Whether there should be better established boundaries around lawful hacking — that’s the next thing that deserves to be in the public spotlight,” Pfefferkorn said.