Early last year, the Federal Bureau of Investigation (FBI) reported that it was unable to unlock the mobile phone used by shooter Syed Rizwan Farook in the 2015 San Bernardino terror attack. When FBI computer specialists were unable to crack the phone’s advanced security features, the bureau asked National Security Agency specialists to break into the phone, an Apple iPhone 5c. They failed. When Apple refused to create software that could disable certain security features, the FBI and the Justice Department went to court.
In March, however, the case was suddenly resolved when the FBI announced that it had unlocked the iPhone. According to news reports, the FBI paid “professional hackers” who used a zero-day vulnerability in the iPhone’s software to bypass its 10-try limitation.
The case of the San Bernardino iPhone illustrates the growing challenge the FBI faces when it must access devices to obtain evidence in criminal investigations. In fact, the FBI currently has a backlog of nearly 7,000 crime-connected phones that its experts are unable to crack. And it’s going to get much worse, law enforcement leaders say.
In large measure, it’s a technical problem brought on by an age in which digital technology is proliferating. The FBI calls it “going dark,” which means that law enforcement officials can’t access the evidence they need to prosecute crime and prevent terrorism. They have the legal authority to intercept and access communications and data pursuant to court orders, but often lack the technical ability to do so, FBI officials say.
In a recent speech in Philadelphia to international police chiefs, FBI director Christopher Wray said that “in the first 11 months of this fiscal year alone, we were unable to access the content of more than 6,900 mobile devices using appropriate and available tools, even though we had the legal authority to do so. I just want to pause for a second to make sure that’s actually sunk in. Sixty-nine hundred mobile devices in 11 months and each one of those 6,900 devices is tied to a specific subject, a specific defendant, a specific victim, a specific threat.”
The 6,900-plus figure is more than half of all the mobile devices the FBI attempted to access in that time frame, Wray added.
“It’s a gigantic problem and it’s an urgent problem, because as horrifying as 6,900 sounds, it’s going to be a lot worse than that in just a couple of years if we don’t come up with some responsible solution,” he said. “What that solution is, I’m open to all ideas, because the solution is not clear cut.”
Wray suggested that “a balance needs to be struck between the importance of encryption and of giving us tools we need to keep this country safe.” In the San Bernardino case, Apple officials refused the FBI’s request to create a new version of the phone’s iOS operating system that could be installed and run in the phone’s random access memory to disable certain security features, citing the company’s policy to never undermine the security features of its products.
Wray said that finding solutions will require a “thoughtful and measured approach, yes, but we need that thoughtful and measured approach to get an answer fast.” He said that government and the technology sector must work together to find a way forward “because this cannot be allowed to continue.”
Adam Belsher, CEO of Magnet Forensics, agreed that a balance must be struck between reasonable expectations of citizens’ privacy and societal security.
“The current intractable positions, on both sides of the debate, have been unhelpful in developing a meaningful solution to this growing challenge,” he told MeriTalk. “Policymakers, technology vendors, including both large platform technologies and digital forensics specialists, law enforcement and national security agencies, and privacy advocates need to come together to develop meaningful legal and technological solutions that strike a balance between privacy and security. This can’t be a one-time effort as these challenges will continue to flare up in the future.”