https://www.washingtonpost.com/world/national-security/fbi-weighs-if-it-can-share-hacking-tool-with-local-law-enforcement/2016/04/01/f4ff94ce-f831-11e5-a3ce-f06b5ba21f33_story.html

FBI weighs if it can share hacking tool with local law enforcement

By Ellen Nakashima and Adam Goldman

April 1, 2016

The FBI and Justice Department are debating whether the hacking tool that helped the bureau unlock the iPhone of one of the San Bernardino, Calif., terrorists can be used to help state and local law enforcement, officials said Friday.

That will be a challenge because the bureau has classified the tool, making it difficult to use in state and local criminal prosecutions requiring disclosure of evidence to defendants, officials said.

"There's a desire to be forward-leaning to help state and local law enforcement," said a senior law enforcement official, who, like others, spoke on the condition of anonymity to discuss an ongoing investigation. "But no one knows quite what the answer is."

Moreover, the tool itself likely will have a shelf life of only a few months, as tech companies may find and fix the vulnerabilities that the tool exploits, and they periodically update the underlying software.

The firm that helped the bureau -- not the Israeli company Cellebrite, as had been widely rumored -- charged a one-time flat fee, officials said.

The bureau is not releasing the company's name and has declined to discuss details of the solution. Officials last week said the approach was aimed at dismantling security features on the iPhone 5C to permit investigators to make many attempts to crack the passcode without wiping data from the device.

Since its announcement, the bureau has been peppered with inquiries from state and local law enforcement officials seeking to know whether the solution might be useful for their cases.

Manhattan District Attorney Cyrus R. Vance Jr. was among those who called. But, he said, he recognized that the solution itself may not be applicable to the more than 200 iPhones that he has sitting in a crime lab and that his technicians cannot unlock.

None is a 5C running iOS 9, which is the model and operating system of the phone used by Syed Rizwan Farook, who was killed by police in December after a shooting attack that claimed 14 lives.

"The overwhelming majority of criminal investigations stalled by default device encryption will remain so until Congress intervenes," Vance said.

One-off technical solutions will result in a "cat-and-mouse cyber arms race" between the government and industry, he said in an interview. "I don't think that's the smart way to approach public safety or privacy policy."

The classification of the method highlights a tension between criminal and national security cases in which the most sophisticated tools are not always available to law enforcement. Unlike state and local courts, federal courts have procedures to protect classified information.

"It's been a challenge for law enforcement for a while," said Austin Berglas, a former assistant special agent in charge of the FBI's New York cyber branch and now head of cyber investigations at K2 Intelligence, a consultancy firm.

Berglas has worked cases on both sides of the divide, including one federal cybercrime investigation in which he was not given permission to use a classified tool because intelligence officials feared it would be disclosed in court.

"The FBI is very prudent when deploying the technologies," Berglas said. "The question is: Is it going to help the greater good by using this? Knowing that we may never have the ability to use this capability against the adversary again, are we willing to take that risk and use it?"

To referee the issue, the government has an interagency process headed by the attorney general to decide which capabilities should be classified. This is separate from the "vulnerabilities equities process" managed by the White House, which decides which software flaws should be disclosed to the software maker.

Now that the bureau owns the solution, it could conceivably have a local agency submit a phone to be unlocked to see if the solution works on it. But there would be constraints. For instance, the FBI likely would not testify about the tool in court, and the local agency would likely have to avoid using data retrieved from the phone as evidence in a criminal prosecution.

"So it would depend on how heavily that evidence weighs in that case. If it's a small part, maybe they can build a case around it," the senior official said. If not, he said, the tool is not for them.

Peter Modafferi, chief of detectives of New York's Rockland County, said he does not fault federal authorities for keeping some of their tools on a high shelf. "That's life," he said. "The bureau goes out of its way to help us when they can, but there's a difference between national security and local law enforcement."