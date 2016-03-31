(Repeats story that originally appeared on March 30)
By Dustin Volz
WASHINGTON, March 30 The FBI may be allowed to
withhold information about how it broke into an iPhone belonging
to a gunman in the December San Bernardino shootings, despite a
U.S. government policy of disclosing technology security flaws
discovered by federal agencies.
Under the U.S. vulnerabilities equities process, the
government is supposed to err in favor of disclosing security
issues so companies can devise fixes to protect data. The policy
has exceptions for law enforcement, and there are no hard rules
about when and how it must be applied.
Apple Inc has said it would like the government to
share how it cracked the iPhone security protections. But the
Federal Bureau of Investigation, which has been frustrated by
its inability to access data on encrypted phones belonging to
criminal suspects, might prefer to keep secret the technique it
used to gain access to gunman Syed Farook's phone.
The referee is likely to be a White House group formed
during the Obama administration to review computer security
flaws discovered by federal agencies and decide whether they
should be disclosed.
Experts said government policy on such reviews was not
clear-cut, so it was hard to predict whether a review would be
required. "There are no hard and fast rules," said White House
cybersecurity coordinator Michael Daniel, in a 2014 blog post
about the process.
If a review is conducted, many security researchers expect
that the White House group will not require the FBI to disclose
the vulnerability it exploited.
Some experts said the FBI might be able to avoid a review
entirely if, for instance, it got past the phone's encryption
using a contractor's proprietary technology.
Explaining the policy in 2014, the Office of the Director of
National Security said the government should disclose
vulnerabilities "unless there is a clear national security or
law enforcement need."
The interagency review process also considers whether others
are likely to find the vulnerability. It tends to focus on flaws
in major networks and software, rather than individual devices.
During a press call, a senior Justice Department official
declined to disclose whether the method used on Farook's phone
would work on other phones or would be shared with state and
local law enforcement.
Apple declined to comment beyond saying it would like the
government to provide information about the technique used.
PROTECTING "CRUCIAL INTELLIGENCE"
The government reorganized the review process roughly two
years ago and has not disclosed which agencies regularly
participate other than the Department of Homeland Security and
at least one intelligence agency. A National Security Council
spokesman did not respond to a request for comment about agency
participation.
In his April 2014 blog post, White House cybersecurity
coordinator Daniel, who chairs the review group, said secrecy
was sometimes justified.
"Disclosing a vulnerability can mean that we forego an
opportunity to collect crucial intelligence that could thwart a
terrorist attack stop the theft of our nation's intellectual
property," Daniel wrote.
On Tuesday, a senior administration official said the
vulnerability review process generally applies to flaws detected
by any federal agency.
Paul Rosenzweig, a former deputy assistant secretary at the
Department of Homeland Security, said he would be "shocked" if
the Apple vulnerability is not considered by the group.
"I can't imagine that on one of this significance that the
FBI, even if it tried to, would succeed in avoiding the review
process," said Rosenzweig, founder of Red Branch Consulting, a
homeland security consulting firm.
He predicted the FBI would not be forced to disclose the
vulnerability because it appears to require physical possession
of a targeted phone and therefore poses minimal threat to
Internet security more broadly.
Many security researchers have suggested that the phone's
content was probably retrieved after mirroring the device's
storage chip to allow data duplication onto other chips,
effectively bypassing limitations on the number of passcode
guesses.
Kevin Bankston, director of the think tank Open Technology
Institute, said there is no public documentation of how the
review process has worked in recent years. He said Congress
should consider legislation to codify and clarify the rules.
Stewart Baker, former general counsel of the NSA and now a
lawyer with Steptoe & Johnson, said the review process could be
complicated if the cracking method is considered proprietary by
the third party that assisted the FBI.
Several security researchers have pointed to the
Israel-based mobile forensics firm Cellebrite as the likely
third party that helped the FBI. That company has repeatedly
declined comment.
If the FBI is not required to disclose information about the
vulnerability, Apple might still have a way to pursue details
about the iPhone hack.
The Justice Department has asked a New York court to force
Apple to unlock an iPhone related to a drug investigation. If
the government continues to pursue that case, the technology
company could potentially use legal discovery to force the FBI
to reveal what technique it used, a source familiar with the
situation told Reuters.
At least one expert thinks a government review could require
disclosure. Peter Swire, a professor of law at the Georgia
Institute of Technology who served on the presidential
intelligence review group that recommended the administration
disclose most flaws, said there is "a strong case" for informing
Apple about the vulnerability under the announced guidelines.
"The process emphasizes the importance of defense for widely
used, commercial software," he said.
(Reporting by Dustin Volz in Washington; Additional reporting
by Dan Levine and Joseph Menn in San Francisco; Editing by Sue
Horton, Peter Henderson and David Gregorio)