The Inspector General Should Investigate the FBI’s Crypto Credibility

Four years ago, when Apple and Google announced their plan to encrypt their devices by default, the FBI and DOJ responded immediately and critically. Top Justice Department officials warned that companies’ adoption of encryption by default would put children at risk and then-FBI Director James Comey responded that “encryption threatens to lead all of us to a very dark place…We need to fix this problem.” Since then, we’ve heard from other government officials, including the secretary of defense and director of the NSA, who have argued that encryption is essential to cybersecurity. Even the national counterintelligence and security director said that government officials should be using encryption to protect all of their phone calls. Despite this, the FBI has continued the counterproductive and never-ending debate about encryption backdoors. However, the FBI’s credibility is in question after a recent wave of news stories and a Justice Department Inspector General (IG) report that suggest the “going dark” problem isn’t nearly as bad as the FBI has claimed.

Most recently, the Washington Post revealed that the FBI’s claims that it could not unlock 7,775 devices in 2017 massively overstated the actual number, spurring a letter from 21 civil liberties groups calling for a new IG investigation. While the FBI does not yet have an accurate count, and does not know when one will be established, they estimate the number is closer to 1,200 devices. The over-count was reportedly caused by a programming error that resulted in double-counting some devices and improperly adding the number of encrypted applications that could not be accessed into the total of locked devices. This news should raise even the most law-enforcement-friendly eyebrows. It undermines the FBI’s assertions about the pervasiveness of this problem, and it is cause for concern about the Justice Department’s candor. Despite learning about this miscalculation in April, Attorney General Jeff Sessions cited the inflated number in public remarks at a May 7 event, and another official used it when speaking to a reporter the following day.

It also calls into question the FBI’s claims that if cryptographers worked hard enough, they could create a secure backdoor. The fact that this miscalculation was the result of a “programming error” reveals how the FBI fails or refuses to appreciate the technical difficulties of what it is demanding. On the scale from easy math to building a sound encryption system and implementing it securely, the FBI’s error was a failure of basic arithmetic. This isn’t a knock on the FBI’s technical expertise. They have some of the most highly regarded software engineers in the country, who develop exceedingly complex data management systems and secure them against foreign adversaries and internal threats. This calculation error is proof that whether you are writing simple queries or building complex systems, coding is really hard. It also shows that the FBI was more interested in using a figure helpful to its case than in making sure its facts were correct.

Effectively encrypting devices and services is challenging beyond measure. Just two weeks ago, we learned that certain encrypted email services have vulnerabilities resulting from flaws in how they implemented the encryption algorithm, and there have been several recent stories about companies that can hack into any iPhone, including one company selling a device to unlock an unlimited number of iPhones for just $30,000. In this light, the FBI’s demands that Silicon Valley coders nerd harder to find a technical solution show that the FBI is either willfully blind or unconcerned about the technical problems that come with that impossible task. These stories raise another question too - one that members of Congress are starting to ask: Is the FBI choosing to ignore the many hacking tools already on the market in favor of a legislative agenda or litigation? The FBI has not answered Congress’ inquiries, but this question was central to the IG investigation of the FBI’s conduct concerning the San Bernardino shooter’s iPhone.

In the San Bernardino case, the FBI made repeated statements to Congress and the Courts that it had no means of accessing the contents of the subject iPhone unless the court forced Apple to build a backdoor. Yet, shortly after making those statements, the FBI dropped the case because it found a third-party that could get into the device. The Inspector General’s March report concluded that the FBI didn’t intentionally make false statements or engage in wrongdoing, but it wasn’t a model of propriety either. The Inspector General found that the FBI’s Cryptographic and Electronic Analysis Unit (CEAU) “did not pursue all possible avenues in the search for a solution.” CEAU’s chief was even frustrated when he found out the the FBI’s Remote Operations Unit had turned to trusted vendors for a solution. It appears the FBI was intentionally flat-footed in its efforts to unlock the iPhone in order to bolster its litigation position.

Instead of reassessing its position and seeking to regain public trust after the recent litany of missteps and misstatements, the FBI is digging in its heels. At the Aspen Institute, FBI Associate Deputy Director Paul Abbate recently made the unsubstantiated claim that "Each one of those [encrypted devices] represents a terrorist attack that could have been prevented or a child that could have been protected.” The Inspector General should investigate how the FBI could have made such a massive calculating error, and why Sessions and at least one other Justice Department official were still using the flawed figure after the FBI identified the mistake. Irrespective of any Inspector General findings, one thing is clear: despite the FBI’s good intentions, it no longer has any credibility when it comes to the feasibility of or the need for encryption backdoors.