The Secret History of the FBI’s Battle Against Apple Reveals the Bureau’s Mistakes

March 27, 2018, 5:37 PM UTC

With the debate over encryption on smartphones heating up yet again, one of the most important past controversies in the area needs to be revisited. According to a new report, the FBI could have unlocked the iPhone used by one of the San Bernardino shooters without Apple’s help possibly more quickly than it did. But that would have undercut the bureau’s legal efforts to force Apple’s hand and set a precedent requiring future assistance.

The history is suddenly relevant again as the Trump administration is trying to revive proposals to force smartphone makers to add a “backdoor” for law enforcement agencies to get access to users’ encrypted information. Most outside experts warn that approach would weaken the protection of sensitive data for all phone users. The new plans follow a speech in January by FBI director Christopher Wray, who said the bureau needed some kind of backdoor because it was locked out of almost 8,000 phones last year creating “a major public safety issue.” Senator Ron Wyden, who has long opposed weakening encryption, blasted Wray’s view as “ill-informed” and “debunked.”

But just as both sides are reengaging in well-worn arguments, detailed information emerged on Tuesday shedding new light on the massive legal battle between the FBI and Apple in 2016 over the difficulties of decrypting an iPhone used by one of the San Bernardino shooters.

And the new information doesn’t look good for the FBI.

After the December 2, 2015 shooting by Syed Rizwan Farook and Tashfeen Malik in San Bernardino, Calif. during which 14 people were killed, law enforcement officials found an iPhone 5C belonging to Farook. The phone was locked with a passcode. In February, 2016, the FBI went to court seeking to force Apple to rewrite the software running on iPhones to allow the bureau to crack the passcode. Without Apple’s aid, the FBI said it had no way to get past the phone’s encryption. Then-FBI-director James Comey repeated that story twice in Congressional testimony. But as the legal efforts dragged on, the FBI ultimately was able to unlock the phone without Apple’s help by relying on a technique developed by outside experts. (Though not, as was once rumored, Israeli security firm Cellebrite.)

A Secret History

On Tuesday, the Inspector General of the Justice Department released an 11-page report on the incident and posted a PDF version on the department’s web site. The report concluded that Comey and the FBI’s court filing told the truth about the bureau’s inability to unlock the phone. But that was only because top FBI officials hadn’t asked one of the bureau’s most sophisticated cyber units for help. As soon as the group, known as the Remote Operations Unit or ROU, was asked, it connected with an outside “vendor” that created a solution to crack the iPhone’s security.

According to the timeline uncovered by the Inspector General, the FBI seized Farook’s iPhone on December 3, 2015. The task of cracking the encryption fell to the bureau’s Operational Technology Division, including both the Remote Operations Unit, which tends to focus on national security matters, and a section called the Cryptographic and Electronic Analysis Unit, or CEAU, which aids most criminal inquiries. But only CEAU started working on the phone, failed to crack it, and did not seek outside assistance.

Get Data Sheet, Fortune’s technology newsletter.

The ROU wasn’t informed about the challenge until February 11, less than a week before government prosecutors went to court in their effort to force Apple to help. And the ROU already knew about an outside vendor who had a technique to crack the iPhone that was 90% complete. Once the ROU asked the vendor to prioritize finishing the cracking scheme, it was ready to use by March 16. Less than a week later, government lawyers dropped the case against Apple.

The Inspector General “found no evidence that OTD had the capability to exploit the Farook iPhone at the time of then-Director Comey’s Congressional testimony and the Department’s initial court filings,” the new report concludes. “We therefore determined that neither the Congressional testimony nor the submissions to the Court were inaccurate when made.”

But that wasn’t the whole story, the report continues:

However, FBI statements in Congressional testimony and to the (U.S. Attorney’s Office) regarding its capabilities to access the data on the Farook iPhone were based on understandings and assumptions that people and units in OTD were effectively communicating and coordinating from the outset and that CEAU had searched for all possible technical solutions, points that were not borne out by the facts, as we determined them.

And, according to the report, the head of the CEAU unit wasn’t happy that the case against Apple had to be dropped. “After the outside vendor came forward, he became frustrated that the case against Apple could no longer go forward, and he vented his frustration to the ROU Chief,” the report says. “He acknowledged that during this conversation between the two, he expressed disappointment that the ROU Chief had engaged an outside vendor to assist with the Farook iPhone, asking the ROU Chief, ‘Why did you do that for?'”

The Confrontation Could Have Been Avoided

The bottom line was that the FBI should not have gone to court against Apple before comprehensively checking for possible solutions, the Inspector General noted. “We believe CEAU should have checked with OTD’s trusted vendors for possible solutions before advising OTD management, FBI leadership, or the (U.S. Attorney’s Office) that there was no other technical alternative and that compelling Apple’s assistance was necessary to search the Farook iPhone,” the report concludes.

Apple (AAPL) declined to comment to Fortune on the new report. The company had earlier issued a statement on the government’s renewed efforts at forcing backdoors in phones. “Weakening security makes no sense when you consider that customers rely on our products to keep their personal information safe, run their businesses or even manage vital infrastructure like power grids and transportation systems,” Apple senior vice president Craig Federighi said in the statement. “Ultimately protecting someone else’s data protects all of us so we need to move away from the false premise that privacy comes at the cost of security when in truth, it’s a question of security versus security.”

In a letter accompanying the report, the FBI highlighted the conclusion that no inaccurate testimony had been given and committed to improve “communication and coordination” within the bureau’s Operational Technology Division.

Read More

Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward