FBI chief calls unbreakable encryption ‘urgent public safety issue’

FILE PHOTO: FBI Director Christopher Wray delivers remarks to a graduation ceremony at the FBI Academy on the grounds of Marine Corps Base Quantico in Quantico, Virginia, U.S. December 15, 2017.

By Dustin Volz

NEW YORK (Reuters) – The inability of law enforcement authorities to access data from electronic devices due to powerful encryption is an “urgent public safety issue,” FBI Director Christopher Wray said on Tuesday as he sought to renew a contentious debate over privacy and security.

The Federal Bureau of Investigation was unable to access data from nearly 7,800 devices in the fiscal year that ended Sept. 30 with technical tools despite possessing proper legal authority to pry them open, a growing figure that impacts every area of the agency’s work, Wray said during a speech at a cyber security conference in New York.

The FBI has been unable to access data in more than half of the devices that it tried to unlock due to encryption, Wray added.

“This is an urgent public safety issue,” Wray added, while saying that a solution is “not so clear cut.”

Technology companies and many digital security experts have said that the FBI’s attempts to require that devices allow investigators a way to access a criminal suspect’s cellphone would harm internet security and empower malicious hackers. U.S. lawmakers, meanwhile, have expressed little interest in pursuing legislation to require companies to create products whose contents are accessible to authorities who obtain a warrant.

Wray’s comments at the International Conference on Cyber Security were his most extensive yet as FBI director about the so-called Going Dark problem, which his agency and local law enforcement authorities for years have said bedevils countless investigations. Wray took over as FBI chief in August.

The FBI supports strong encryption and information security broadly, Wray said, but described the current status quo as untenable.

“We face an enormous and increasing number of cases that rely heavily, if not exclusively, on electronic evidence,” Wray told an audience of FBI agents, international law enforcement representatives and private sector cyber professionals. A solution requires “significant innovation,” Wray said, “but I just do not buy the claim that it is impossible.”

Wray’s remarks echoed those of his predecessor, James Comey, who before being fired by President Donald Trump in May frequently spoke about the dangers of unbreakable encryption.

Tech companies and many cyber security experts have said that any measure ensuring that law enforcement authorities are able to access data from encrypted products would weaken cyber security for everyone.

U.S. officials have said that default encryption settings on cellphones and other devices hinder their ability to collect evidence needed to pursue criminals.

The matter came to a head in 2016 when the Justice Department tried unsuccessfully to force Apple Inc to break into an iPhone used by a gunman during a mass shooting in San Bernardino, California.

The Trump administration at times has taken a tougher stance on the issue than former President Barack Obama’s administration. U.S. Deputy Attorney General Rod Rosenstein in October chastised technology companies for building strongly encrypted products, suggesting Silicon Valley is more willing to comply with foreign government demands for data than those made by their home country.

(Reporting by Dustin Volz; Editing by Will Dunham)

FBI may have lost critical time unlocking Texas shooter’s iPhone

FBI may have lost critical time unlocking Texas shooter's iPhone

By Stephen Nellis and Dustin Volz

SAN FRANCISCO/WASHINGTON (Reuters) – For about 48 hours after a deadly rampage at a Texas church, the FBI and other law enforcement agencies did not ask Apple Inc to help them unlock the gunman’s iPhone or associated online accounts, a person familiar with the situation told Reuters on Wednesday.

A cellphone belonging to Devin Kelley – accused of killing 26 people on Sunday before taking his own life – was sent to the Federal Bureau of Investigation’s Quantico, Virginia, crime lab because authorities could not unlock it, Christopher Combs, head of the FBI’s San Antonio field office, said on Tuesday.

Combs did not specify what kind of phone Kelley had during the attack in Sutherland Springs, Texas, but a second person familiar with the situation confirmed to Reuters that it was an iPhone.

The first source said that in the 48 hours between the shooting and Combs’ news conference, Apple had received no requests from federal, state or local law enforcement authorities for technical assistance with Kelley’s phone or his associated online accounts at Apple.

The delay may prove important. If Kelley had used a fingerprint to lock his iPhone, Apple could have told officials they could use the dead man’s finger to unlock his device, so long as the phone had not been powered off and restarted.

But iPhones locked with a fingerprint ask for the user’s pass code after 48 hours if they have not been unlocked by then.

Officials also could have asked for data from Kelley’s iCloud online storage account if he had one. If Apple receives a warrant or court order, it will give law enforcement authorities iCloud data, as well as the keys needed to decrypt it.

If an iPhone user backs up an iPhone using iCloud, the online data can contain texts, photographs and other information from the phone.

The first Reuters source said the FBI had yet to ask as of Wednesday for assistance unlocking the device. It could not be learned whether Apple had received a court order to turn over iCloud account data. It also could not be learned whether the FBI had tried to use Kelley’s fingerprint and failed to unlock his phone despite not contacting Apple.

The FBI declined to comment when asked about the type of phone used by Kelly. A spokeswoman referred to Combs’ news conference on Tuesday.

The FBI has criticized Apple for how difficult it is to obtain data from its devices when they are locked. The phones contain a so-called “secure enclave” that makes it difficult to crack their encryption, and too many errant attempts to unlock an iPhone can erase all data.

The FBI challenged Apple in court over access to an iPhone after a 2015 mass shooting in San Bernardino, in which a couple authorities said was inspired by Islamic State killed 14 people. The couple died in a shootout with police hours after the massacre. An iPhone 5C, recovered by authorities, did not have a fingerprint sensor.

The legal issues in the case were never settled because the FBI found third-party software that allowed it to crack the device.

But federal authorities were accused of missteps in unlocking the San Bernardino phone.

Last year, Apple executives who briefed reporters on condition of anonymity criticized government officials who reset the Apple identification associated with the phone, which closed off the possibility of recovering information from it through the automatic cloud backup.

(Reporting by Stephen Nellis in San Francisco and Dustin Volz and David Shepardson in Washington; Editing by Jonathan Weber, Jonathan Oatis and Howard Goller)

FBI paid more than $1.3 million to break into San Bernardino iPhone

Apple Logo

By Julia Edwards

WASHINGTON (Reuters) – Federal Bureau of Investigation Director James Comey said on Thursday the agency paid more to get into the iPhone of one of the San Bernardino shooters than he will make in the remaining seven years and four months he has in his job.

According to figures from the FBI and the U.S. Office of Management and Budget, Comey’s annual salary as of January 2015 was $183,300. Without a raise or bonus, Comey will make $1.34 million over the remainder of his job.

That suggests the FBI paid the largest ever publicized fee for a hacking job, easily surpassing the $1 million paid by U.S. information security company Zerodium to break into phones.

Speaking at the Aspen Security Forum in London, Comey was asked by a moderator how much the FBI paid for the software that eventually broke into the iPhone.

“A lot. More than I will make in the remainder of this job, which is seven years and four months for sure,” Comey said. “But it was, in my view, worth it.”

The Justice Department said in March it had unlocked the San Bernardino shooter’s iPhone with the help of an unidentified third party and dropped its case against Apple Inc <AAPL.O>, ending a high-stakes legal clash but leaving the broader fight over encryption unresolved.

Comey said the FBI will be able to use software used on the San Bernardino phone on other 5C iPhones running IOS 9 software.

There are about 16 million 5C iPhones in use in the United States, according to estimates from research firm IHS Technology. Eighty-four percent of iOS devices overall are running iOS 9 software, according to Apple.

The FBI gained access to the iPhone used by Rizwan Farook, one of the shooters who killed 14 people in San Bernardino, California on Dec. 2.

The case raised the debate over whether technology companies’ encryption technologies protect privacy or endanger the public by blocking law enforcement access to information.

(Reporting by Julia Edwards in Washington; additional reporting by Julia Love in San Francisco; Editing by Simon Cameron-Moore)

FBI Unlocking Method Won’t Work on Newer Phones

The Apple logo is pictured at its flagship retail store in San Francisco

Reuters) – The Federal Bureau of Investigation’s secret method for unlocking the iPhone 5c used by one of the San Bernardino shooters will not work on newer models, FBI Director James Comey said.

“We have a tool that works on a narrow slice of phones,” Comey said at a conference on encryption and surveillance at Kenyon University in Ohio late on Wednesday.

Apple’s shares were down 1.3 percent at midday.

Comey added that the technique would not work on the iPhone 5s and the later models iPhone 6 and 6s. The iPhone 5c model was introduced in 2013 and has since been discontinued by Apple as newer models have become available.

The Justice Department said in March it had unlocked the San Bernardino shooter’s iPhone with the help of an unidentified third party and dropped its case against Apple Inc, ending a high-stakes legal clash but leaving the broader fight over encryption unresolved.

As the technique cannot be used to break into newer models, law enforcement authorities will likely have to lean on Apple to help them access the devices involved in other cases.

The Justice Department has asked a New York court to force Apple to unlock an iPhone 5s related to a drug investigation. Prosecutors in that case said they would update the court by April 11 on whether it would “modify” its request for Apple’s assistance.

If the government continues to pursue that case, the technology company could potentially use legal discovery to force the FBI to reveal what technique it used, a source familiar with the situation told Reuters.

Apple and the FBI were not immediately available for comment.

The FBI began briefing select U.S. senators this week about the method used to unlock the San Bernardino iPhone.

Up to Wednesday’s close of $110.96, Apple’s shares had risen more than 5 percent this year.

(Reporting by Narottam Medhora in Bengaluru and Dustin Volz in Washington; Editing by Saumyadeb Chakrabarty)

Apple fight could escalate with demand for ‘source code’

SAN FRANCISCO (Reuters) – The latest filing in the legal war between the planet’s most powerful government and its most valuable company gave one indication of how the high-stakes confrontation could escalate even further.

In what observers of the case called a carefully calibrated threat, the U.S. Justice Department last week suggested that it would be willing to demand that Apple turn over the “source code” that underlies its products as well as the so-called “signing key” that validates software as coming from Apple.

Together, those two things would give the government the power to develop its own spying software and trick any iPhone into installing it. Eventually, anyone using an Apple device would be unable to tell whether they were using the real thing or a version that had been altered by officials to be used as a spy tool.

Technology and security experts said that if the U.S. government was able to obtain Apple’s source code with a conventional court order, other governments would demand equal rights to do the same thing.

“We think that would be pretty terrible,” said Joseph Lorenzo Hall, chief technologist at the nonprofit Center for Democracy & Technology.

The battle between Apple and the U.S Justice Department has been raging since the government in February obtained a court order demanding that Apple write new software to help law enforcement officials unlock an iPhone associated with one of the shooters in the December attack in San Bernardino, California that killed 14 people.

Apple is fighting the order, arguing that complying with the request would weaken the security of all iPhones and create an open-ended precedent for judges to make demands of private companies.

The Justice Department’s comments about source code and signing keys came in a footnote to a filing last week in which it rejected Apple’s arguments. Apple’s response to the DOJ brief is expected on Tuesday.

Justice Department lawyers said in the brief that they had refrained from pursuing the iOS source code and signing key because they thought “such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple.”

The footnote evoked what some lawyers familiar with the case call a “nuclear option,” seeking the power to demand and use the most prized assets of lucrative technology companies.

A person close to the government’s side told Reuters that the Justice Department does not intend to press the argument that it could seize the company’s code, and someone on Apple’s side said the company isn’t worried enough to counter the veiled threat in its brief due Tuesday.

But many people expect the iPhone matter to reach the U.S. Supreme Court, and thus even fallback legal strategies are drawing close scrutiny.

ODDS OF SUCCESS UNCLEAR

There is little clarity on whether a government demand for source code would succeed.

Perhaps the closest parallel was in a case filed by federal prosecutors against Lavabit LLC, a privacy-oriented email service used by Edward Snowden. In trying to recover Snowden’s unencrypted mail from the company, which did not keep Snowden’s cryptographic key, the Justice Department got a court order forcing the company to turn over another key instead, one that would allow officials to impersonate the company’s website and intercept all interactions with its users.

“Lavabit must provide any and all information necessary to decrypt the content, including, but not limited to public and private keys and algorithms,” the lower court ruled.

Lavabit shut down rather than comply. But company lawyer Jesse Binnall said the Fourth Circuit Court of Appeals, which upheld the lower ruling, did so on procedural grounds, so that the Justice Department’s win would not influence much elsewhere.

In any case, full source code would be even more valuable than the traffic key in the Lavabit case, and the industry would go to extreme lengths to fight for it, Binnall said.

“That really is the keys to the kingdom,” Binnall said.

Source code is sometimes inspected during lawsuits over intellectual property, and the Justice Department noted that Apple won permission to review some of rival Samsung’s &lt;005930.KS> code in one such case. In that case and similar battles, the code is produced with strict rules to prevent copying.

No cases brought by the government have led to that sort of code production, or at least none that have come to light.

But intelligence agencies operate under different rules and have wide latitude overseas. Some advanced espionage programs attributed to the United States used digital certificates that were stolen from Taiwanese companies, though not full programs.

U.S. software code may have been sought in other cases, such as investigations relying on the Patriot Act or the Foreign Intelligence Surveillance Act (FISA), which applies within American borders.

Several people who have argued before the special FISA court or are familiar with some of its cases say they know of no time that the government has sought source code.

(Reporting by Joseph Menn; Editing by Jonathan Weber and Cynthia Osterman)

U.S. tech companies unite behind Apple ahead of iPhone encryption ruling

(Reuters) – Alphabet Inc’s Google, Facebook Inc, Microsoft Corp and several other Internet and technology companies will file a joint legal brief on Thursday asking a judge to support Apple Inc in its encryption battle with the U.S. government, sources familiar with the companies’ plans said.

The effort is a rare display of unity and support for the iPhone maker from companies which are competitors in many areas, and shows the breadth of Silicon Valley’s opposition to the government’s anti-encryption effort.

The fight between Apple and the government became public last month when the U.S. Federal Bureau of Investigation obtained a court order requiring Apple to write new software and take other measures to disable passcode protection and allow access to an iPhone used by one of the San Bernardino shooters in December.

Apple has pushed back, arguing that such a move would set a dangerous precedent and threaten customer security. The clash has intensified a long-running debate over how much law enforcement and intelligence officials should be able to monitor digital communications.

The group of tech companies plans to file what is known as an amicus brief – a form of comment from outside groups common in complex cases – to the Riverside, California, federal judge Sheri Pym. She will rule on Apple’s appeal of a court order that would force it to create software to unlock the iPhone.

The companies will contest government arguments that the All Writs Act, a broad 1789 law that enables judges to require actions necessary to enforce their own orders, compels Apple to comply with its request.

In their joint brief, the tech companies will say that Congress passed the All Writs Act before the invention of the light bulb, and that it goes too far to contend that the law can be used to force engineers to disable security protections, according to a source familiar with their arguments.

Google, Facebook and others also appear to be tailoring their arguments specifically to a U.S. Supreme Court audience, where the case may end up. The brief will highlight a unanimous 2014 U.S. Supreme Court case which said law enforcement needs warrants to access smartphones snared in an arrest, the source said.

That opinion, penned by Chief Justice John Roberts, united the Supreme Court’s liberal and conservative factions.

Briefs are also expected in support of the government.

Stephen Larson, a former federal judge, told Reuters last week that he is working on a brief with victims of the San Bernardino shooting who want the FBI to be able to access the data on the phone used by Rizwan Farook. “They were targeted by terrorists, and they need to know why, how this could happen,” Larson said.

Several other tech companies are joining Google, Facebook and Microsoft.

Mozilla, maker of the Firefox web browser, said it was participating, along with online planning tool maker Evernote and messaging app firms Snapchat and WhatsApp. Bookmarking and social media site Pinterest and online storage firm Dropbox are also participating.

“We stand against the use of broad authorities to undermine the security of a company’s products,” Dropbox General Counsel Ramsey Homsany said in a statement.

A separate group including Twitter Inc, eBay Inc, LinkedIn Corp and more than a dozen other tech firms filed a brief with the court in support of Apple on Thursday. AT&T Inc filed its own brief.

Networking leader Cisco Systems Inc said it expected to address the court on Apple’s behalf, but did not say whether it was joining with the large group of companies.

Semiconductor maker Intel Corp plans to file a brief of its own in support of Apple, said Chris Young, senior vice president and general manager for Intel Security Group.

“We believe that tech companies need to have the ability to build and design their products as needed, and that means that we can’t have the government mandating how we build and design our products,” Young said in an interview.

The Stanford Law School for Internet and Society filed a separate brief on Thursday morning on behalf of a group of well-known experts on iPhone security and encryption, including Charlie Miller, Dino Dai Zovi, Bruce Schneier and Jonathan Zdziarski.

Privacy advocacy groups the American Civil Liberties Union, Access Now and the Wickr Foundation filed briefs on Wednesday in support of Apple before Thursday’s deadline set by Pym.

Salihin Kondoker, whose wife Anies Kondoker was injured in the San Bernardino attack, also wrote on Apple’s behalf, saying he shared the company’s fear that the software the government wants Apple to create to unlock the phone could be used to break into millions of other phones.

“I believe privacy is important and Apple should stay firm in their decision,” the letter said. “Neither I, nor my wife, want to raise our children in a world where privacy is the tradeoff for security.”

Law enforcement officials have said that Farook and his wife, Tashfeen Malik, were inspired by Islamist militants when they shot and killed 14 people and wounded 22 others last Dec. 2 at a holiday party. Farook and Malik were later killed in a shootout with police and the FBI said it wants to read the data on Farook’s phone to investigate any links with militant groups.

Earlier this week, a Brooklyn judge ruled that the government had overstepped its authority by seeking similar assistance from Apple in a drug case.

(Reporting by Jim Finkle in Boston and Dustin Volz in San Francisco; Additional reporting by Dan Levine, Heather Somerville, Sarah McBride, Julia Love in San Francisco; Editing by Jonathan Weber, Grant McCool and Bill Rigby)