FBI exaggerated inability to access encrypted devices in promotion of ‘Going Dark’ problem

iPhone disassembled
Mobile phones can be tracked even when GPS and WiFi have been disabled, researchers have shown.

The FBI has mislead Congress and the public about the extent to which encrypted cellphones are hampering federal investigations by preventing authorities from accessing the devices–presumably to support the agency’s own agenda to gain backdoor access to them.

The FBI claimed that its investigators were locked out of nearly 7,800 devices connected to crimes last year when actually the more accurate number was between 1,000 and 2,000, according to a published report in The Washington Post.

“The FBI’s initial assessment is that programming errors resulted in significant over-counting of mobile devices reported,” the agency–which realized the error about a month ago–said in the statement.

[You might also like: Smartphone Users Tracked Even with GPS, WiFi Turned Off]

The FBI acknowledged that it isn’t entirely sure at this time how many devices actually did lock out investigators, though a rough estimate is about 1,200, according to the report. The agency plans to do an audit to determine of the exact number.

FBI Director Christopher Wray has been citing the agency’s inability to access more than 7,000 devices due to encryption last year as evidence of the agency’s Going Dark problem. The agency admitted this week that number is significantly inflated. (Source: Saul Loeb/AFP/Getty Images)

The problem with the inflated numbers, however, is that FBI Director Christopher A. Wray has been using them for months to promote the FBI’s stance against what it calls the “Going Dark” problem, and using this problem to promote the possibility of some type of “exceptional access” for authorities in these scenarios. Going Dark refers to authorities’ inability to access information on devices even when mandated by a court order because of secure encryption.

“Going Dark remains a serious problem for the FBI, as well as other federal, state, local and international law enforcement partners,” the agency continued in its statement. “The FBI will continue pursuing a solution that ensures law enforcement can access evidence of criminal activity with appropriate legal authority.”

Locked out or hidden agenda?

The way the government sees it, investigators face two key challenges with encrypted devices. The first concerns their ability to intercept data in motion, such as phone calls, e-mail, text messages and chat sessions, when mandated by the court. The second involves what the agency calls “data at rest”–court-ordered access to data stored on devices, like e-mail, text messages, photos and videos.

“Both real-time communications and stored data are increasingly difficult for law enforcement to obtain with a court order or warrant,” according to the FBI’s website on Going Dark. “This is eroding law enforcement’s ability to quickly obtain valuable information that may be used to identity and save victims, reveal evidence to convict perpetrators, or exonerate the innocent.”

Privacy and digital rights advocates disagree, however. For one thing, services offered by third-party vendors like Cellebrite and Grayshift can reportedly bypass encryption on even the newest phones, Electronic Frontier Foundation (EFF) staff attorney Andrew Crocker countered in an online post.

“Given the availability of these third-party solutions, we’ve questioned how and why the FBI finds itself thwarted by so many locked phones,” he said.

Crocker told Security Ledger that while he can’t speculate about the FBI’s motive for inflating the number of devices they claimed blocked access last year, he acknowledged that the agency’s messaging around encryption has been “seriously misleading.”

“The agency claims that increased adoption of encryption is causing its investigations to ‘go dark,’ but it’s never demonstrated the scope of the problem,” he said. “In addition, officials have repeated the claim that providers like Apple and Google can build a ‘secure’ backdoor to their encrypted devices to allow the government lawful access to these devices, but the consensus in the technical community is that that’s simply not possible.”

The reason? Building such a mechanism would vastly increase the complexity of these systems, and anyone who knows about computer security can tell you that that’s a recipe for introducing unexpected vulnerabilities,” Crocker said.

No ‘safe backdoor’

The EFF is so curious about the discrepancy between FBI messaging on Going Dark and the technical realities that it submitted a FOIA request last week to access records related to Wray’s public comments about the 7,800 unhackable phones and the FBI’s use of outside vendors to bypass encryption, Crocker revealed in his post.

The request cites and calls into question public comments Wray made that stress the severity of the problem of inability to access device information in criminal investigations. It also mentions questions raised by the Office of the Inspector General (OIG) pertaining to how the FBI gained access to data on an iPhone belonging to one of the shooters in an attack in San Bernadino, Calif., after Apple refused to help the agency. In the end, the FBI used a third party to unlock the phone’s encryption.
“The OIG report found that that there was inadequate communication within the FBI’s Operational Technology Division regarding the FBI’s capabilities to gain access to mobile devices, particularly between the Cryptographic and Electronic Analysis Unit and the Remote Operations Unit,” the EFF said in its FOIA request.

Indeed, the worry for the EFF and other security stakeholders in imposing exceptional access requirements or backdoors on encrypted devices to ensure the Feds access could open a whole Pandora’s box of security issues and invite other unwelcome guests to access devices as well.

In other words, as the EFF’s Michael Rosenbloom wrote in a post announcing the foundation’s FOIA request, “there’s no such thing as a safe backdoor.” “Any backdoor in encryption can be just as easily used by bad actors as by law enforcement if it gets leaked, and once a hard-coded backdoor is discovered, it often can’t be closed,” he said.

With the stakes so high, it seems fair that the FBI come clean and drop the propaganda–accidental or not–about how big a problem Going Dark is, Crocker said. In the meantime, the FBI’s admission of misinformation certainly warrants further investigation.

“The latest revision to Director Wray’s favorite talking point demonstrates that the case for legislation is even weaker than we thought,” he said. “We hope that the government is suitably forthcoming to our FOIA request so that we can get to the bottom of this issue.

Spread the word!