The FBI will not share the secret technique it purchased for at least $1.4 million to crack the San Bernardino iPhone, a top law enforcement official said in a statement Wednesday.
The agency’s decision leaves Apple and the public with little knowledge of the vulnerability FBI exploited to penetrate the device, an iPhone 5c used by the man behind the San Bernardino terrorist attack last year. More recently, the iPhone has been at the center of a controversial legal battle between the Justice Department and Apple over government access to encrypted communications.
Days before a scheduled courtroom showdown last month, an unidentified outside party showed the FBI how to access the device. The method, purchased by the agency, proved successful, prompting the Justice Department to abandon its case against Apple. The identity of the outside party and the details of the method used to crack the device became subjects of intense curiosity, as the Justice Department refused repeatedly to offer specifics.
Privacy experts, however, pointed to the government’s internal policy on disclosing cyber vulnerabilities. Known as an equities review, the policy was designed to balance the interests of law enforcement and intelligence agencies in keeping hacks secret, against the public interest case for disclosing them — the patching of security vulnerabilities and the shielding of consumers from malicious intruders and manipulation.
Even as legal and tech experts such as Christopher Soghoian of the ACLU, Andrew Crocker of the Electronic Frontier Foundation, and Alan Butler of the Electronic Privacy Information Center argue that the equities review process lacks accountability and transparency, the government's stated policy favors disclosure. But the FBI says it knows so little about the technical details of the San Bernardino method, it can’t submit the vulnerability to the equities review.
“The F.B.I. purchased the method from an outside party so that we could unlock the San Bernardino device,” said Amy Hess, the FBI’s executive assistant director for science and technology.
“We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate. As a result, currently we do not have enough technical information about any vulnerability that would permit any meaningful review,” she said.
Apple declined to comment.