FBI Encryption Snafu Highlights Need for Compromise With Tech

An FBI database flaw led the agency to overstate how many encrypted mobile devices it couldn’t unlock in 2017, but even so, the government and private sector still need to solve the problem, current and former FBI and DOJ officials told Bloomberg Law.

FBI and DOJ officials in recent months have discussed the number of encrypted mobile devices that law enforcement agencies can’t access, known as the “going-dark” problem. These devices include those recovered as part of FBI investigations and those submitted to the agency by state and local law enforcement agencies. As recently as May 8, a DOJ official who spoke on the condition of anonymity told Bloomberg Law the number was approximately 7,800 for fiscal year 2017.

But according to an ongoing review confirmed to Bloomberg Law by FBI officials, those numbers are grossly overstated.

“Programming errors resulted in a significant over-counting of mobile devices reported,” an FBI official told reporters May 23.

U.S. law enforcement agencies have struggled with accessing encrypted mobile devices when authorized to do so under a valid court order. Although they have the legal right to unlock the devices, encryption methods set up by U.S. technology companies, such as Apple Inc. and Alphabet Inc.’s Google, have limited the ability to gain investigatory intelligence.

The growing schism over national security versus digital privacy came to a head after the December 2015 San Bernardino, Calif., shootings that claimed 14 lives, when the FBI waged a high-profile public fight to force Apple to unlock the slain shooter’s iPhone.

Public Flub

An ongoing review mandated by the FBI director’s office—but not FBI Director Christopher Wray himself—found that the reporting error was caused by a duplication error in the databases operated by the FBI’s Operational Technology Division (OTD), the FBI official said. Wray May 23 mandated an independent review of the miscalculation matter by the FBI’s Inspection Division, the official said.

The over-counting problem is a potential headache for the FBI as it continues to break with the tech industry about a solution to how to access important criminal intelligence that is locked within an encrypted mobile device, former federal law enforcement officials told Bloomberg Law.

“The over-counting of locked devices is an unfortunate black eye for the FBI,” Joseph Moreno, former FBI consultant and special assistant attorney for the Eastern District of Virginia, told Bloomberg Law.

The FBI’s miscalculation, though, shouldn’t cause companies and law enforcement “to lose sight of the bigger picture, which is that ‘going dark’ is a real problem in need of a real solution,” he said.

Tech companies, on the other hand, have argued that creating backdoors to mobile devices will create unnecessary device vulnerabilities and increase hacking risks for their customers. Encryption backdoors would allow law enforcement to access underlying mobile device data without—arguably—compromising the security and privacy of the device.

Disagreements over access to encrypted data stem from encrypted browser issues dating back to the late 1990s, Justin Root, former special deputy U.S. marshal on the FBI’s Cybercrime Task Force, told Bloomberg Law. The encryption problem has shown that “technology has the ability to outpace” law enforcement investigations, he said.

Mobile device makers “don’t want to insert vulnerabilities” into their technology, and law enforcement officials don’t want criminals to evade prosecution only due to advancements in tech, said Root, cybersecurity of counsel at Dickinson Wright LLP in Columbus, Ohio.

Better Path Forward

For their part, the FBI is using the encryption statistics snafu to highlight the need for tech companies to voluntarily open up encrypted mobile devices related to criminal investigations, the official said.

That may be the agency’s best course going forward, according to former officials and federal prosecutors.

“Cybersecurity is difficult enough to maintain without purposefully degrading encryption standards or creating back-doors for government investigators to utilize,” Moreno, now-national security partner at Cadwalader Wickersham and Taft LLP in Washington, said. “Asking private industry for a ‘golden key’ to allow investigators unfettered access to encrypted devices may be a step too far,” he said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editor responsible for this story: David Mark at dmark@bloomberglaw.com