AP, USA Today, Vice Sue FBI Over Refusal To Release Information About Contractor Who Cracked iPhone For It
from the exemption-(b)ecause-shut-up dept
USA Today, the Associated Press, and Vice News have joined forces to sue the FBI over its refusal to release even the most minimal amount of information on the hack it purchased to crack open the iPhone seized during its San Bernardino shooting investigation.
The DOJ certainly seemed adamant that Apple disclose all sorts of inside info to the government during the heated litigation. It turned down offers of assistance from hackers and security researchers before finally shelling out an unknown amount of money to an Israeli firm to gain access to the phone's contents. It also ensured it would never have to discuss the technical details of the hacking by not demanding this information be included in the purchase price.
Now, it refuses to even discuss the purchase price. Educated guesses that put it north of $1 million are based on a James Comey comment in which he said it was several times his annual salary. Somehow, the actual amount paid -- if revealed -- would somehow prevent the FBI's investigation from reaching its conclusion.
This FOIA lawsuit [PDF] targets other innocuous information the FBI refuses to release: contractor info on the party used to open up the seized iPhone (and discover nothing of investigative use on it).
This action is brought pursuant to the Freedom of Information Act (“FOIA”), 5 U.S.C. §§ 552, et seq., for basic contracting information from the Federal Bureau of Investigation (“FBI”) regarding one of its most publicly-discussed and controversial acquisitions: a technological tool openly purchased from a third-party vendor that was used to circumvent the need for a court order to access the locked iPhone of Syed Rizwan Farook, one of the perpetrators of the mass killings in San Bernardino, California.
As the lawsuit cleverly points out by using FBI director James Comey's own words against him, the public's interest in this information should easily outweigh the FBI's stated reasons for withholding it.
[T]he News Organizations seek to compel the FBI to provide records of the publicly-acknowledged business transaction that resulted in the purchase this March of the so-called iPhone access tool. The public interest in receiving this information is significant. The FBI’s purchase of this tool allowed government access to Mr. Farook’s phone, providing new information about one of the deadliest attacks on American soil in recent years, but also apparently failing to reveal any evidence of links between Mr. Farook and foreign terrorists or terrorist organizations...
FBI Director James Comey has himself stressed the essential importance of a nationwide “adult conversation” about whether and when law enforcement should be able to access encrypted devices because, “‘We’ve got to get to a point where we can reach [wrongdoers] as easily as they can reach us and change behavior by that reach-out.’” Mr. Comey also noted the need for increased information sharing with the public, an acknowledgment particularly critical given the potential of future legislative action on this issue, noting, “‘We need to understand in the FBI, how is this exactly affecting our work, and then share that with folks.’”
Moreover, the FBI’s purchase of the technology – and its subsequent verification that it had successfully obtained the data it was seeking thanks to that technology – confirmed that a serious undisclosed security vulnerability existed (and likely still exists) in one of the most popular consumer products in the world. And in order to exploit that vulnerability, the FBI contracted with an unidentified third-party vendor, effectively sanctioning that party to retain this potentially dangerous technology without any public assurance about what that vendor represents, whether the vendor has adequate security measures, whether the vendor is a proper recipient of government funds, or whether it will act only in the public interest.
The complaint points out the FBI has offered up zero information on this mysterious contractor, leaving several questions unanswered. The agency has refused to turn over anything on the vetting process used to select this vendor, raising the possibility that the FBI's chosen hacking entity may also be aiding blacklisted governments, terrorist groups, or criminals with accessing communications and data.
The news agencies participating in the lawsuit have been seeking this info since the All Writs Order was vacated back in March. Every request has been denied. The lawsuit seeks an order compelling the release of this information.
The DOJ will obviously fight this but it should be an interesting case to watch… if there's anything to be seen from the outside. Despite the hack being specific to one iPhone make running one specific version of iOS -- and there being nothing of interest found on the cracked phone -- the DOJ is sure to claim that any disclosure, however minimal, will do serious damage to national security and law enforcement means and methods.