FBI Confirms it Won’t Reveal iPhone Exploit to Apple

Unable to penetrate the iPhone of San Bernardino shooter Syed Rizwan Farook, the FBI turned to a hacking firm to bypass its security measures and break into the device. But the bureau won’t tell Apple how, saying it doesn’t know enough about the hacking tool to be helpful to the company.

In a statement Wednesday, Amy Hess, the FBI’s top scientist, said the bureau has little information about the tool it paid more than $1.3 million to acquire and unlock Farook’s iPhone 5c. She said the FBI did not “purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate.”

The Justice Department had sought a court order demanding that Apple undermine the phone’s security features. When Apple resisted the order it sparked a national debate about the government’s ability to access encrypted data. The government dropped its case after being contacted by a still-unidentified third party that provided the ability to access the phone surreptitiously.

Indeed, U.S. agencies such as the FBI and the National Security Agency routinely exploit computer vulnerabilities to carry out investigations and collect intelligence. But doing so raises an ethical question for the government: Should it disclose a vulnerability to a software or hardware manufacturer?

That decision can carry profound consequences for individuals both in the United States and abroad, as such vulnerabilities can put the data of millions of individuals at risk. Just as the government’s investigatory and intelligence arms have an interest in using computer vulnerabilities for investigations and spying, other branches responsible for cybersecurity have a competing interest in promoting a secure Internet.

To weigh these competing priorities, the Obama administration has established what it calls the “vulnerabilities equities process,” which brings together different agencies to consider whether the government has an overriding interest in keeping an exploit secret– or disclosing it to a tech company.

This month, the FBI made its first disclosure to Apple through that process, Reuters reported Wednesday.

In a 2014 blog post, White House chief cybersecurity advisor Michael Daniel outlined general guidelines for when the government will disclose a computer vulnerability. The government, he said, weighs the risk to critical infrastructure like power plants and banks against the value of the intelligence that would be obtained from the hack — and whether the information could be collected in other ways. Officials also consider whether the vulnerability can be fixed before it is revealed.

The lack of technical information about the San Bernardino vulnerability means the government cannot answer these questions, Hess said in her statement.

Photo credit: YURI GRIPAS/AFP/Getty Images