The Federal Bureau of Investigation will not submit the secret tool used to access a dead terrorist's iPhone to a government process that decides whether to disclose such flaws to tech companies.
Amy Hess, the FBI's executive assistant director for science and technology, said in a statement Wednesday that the bureau did not know enough about how the tool worked to refer it to the White House-managed Vulnerability Equities Process, an interagency working group that weighs whether to disclose hardware and software bugs so that companies can fix them.
“The FBI assesses that it cannot submit the method to the VEP,” Hess said. “The FBI purchased the method from an outside party so that we could unlock the San Bernardino device. We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate.”
A VEP analysis of whether to disclose vulnerabilities, Hess said, “requires significant technical insight into a vulnerability” and cannot occur “without sufficient detail about the nature and extent of a vulnerability.”
“Currently,” she said, “we do not have enough technical information about any vulnerability that would permit any meaningful review under the VEP process.”
An FBI spokesman did not respond to an email asking when the bureau had notified the VEP board of its decision, or whether it had informed Apple ahead of time. The White House declined to comment on the FBI's decision.
Although FBI Director James Comey has said that the mysterious tool only works on a “narrow slice” of iPhones, Apple is obviously interested in learning of any flaws in its products' code so that it can patch them and assure its users of their safety.
An Apple spokesman did not respond to a request for comment.
The iPhone used by Syed Farook, who with his wife killed 14 people and wounded 22 others in a shooting in San Bernardino, California, last December, became the subject of a high-profile legal battle between the U.S. government and Apple when the tech company fought a court order to help the FBI unlock it.
The government, seeking information on Farook's communications, wanted Apple to write custom software that would disable certain security features on the phone and let FBI agents flood it with passcode guesses. But Apple refused and appealed the order, arguing that compliance would weaken its users' trust and set a precedent leading to more onerous demands for technical assistance.
The day before both parties were set to argue their case in court, the Justice Department abruptly notified the judge that a third party had sold it a tool that it could use to access the phone. Later, when the FBI confirmed that the tool had worked, the government dropped its demand for the court order.
Hess said in her statement that while the government generally did not discuss whether the VEP working group would review a particular exploit, “the extraordinary nature of this particular case, the intense public interest in it, and the fact that the FBI already has disclosed publicly the existence of the method” made this case different.