News organizations sue FBI to find out who & how much It paid to unlock t
By Chris Morran
In the months following the tragic Dec. 2, 2015 terrorist attack in San Bernardino, the FBI and Apple engaged in a heated legal (and publicity) battle over whether or not the tech giant could be compelled to unlock an iPhone belonging to one of the attackers. Then in March 2016, the FBI paid an unidentified third party to provide a solution this particular problem. The identity and actual cost of this unlocking is still unknown, but two of the country’s biggest media companies have sued the FBI to learn more.
The Associated Press, USA Today (in the name of parent company Gannett), and Vice Media jointly filed a Freedom of Information Act lawsuit [PDF] against the FBI today, seeking to compel the agency to turn over records related to this third-party transaction that ultimately resulted in the FBI being able to circumvent the iPhone’s security measures.
The complaint alleges that by paying for this third-party “access tool” while allowing the provider of the tool to remain anonymous, the FBI is “effectively sanctioning that party to retain this potentially dangerous technology without any public assurance about what that vendor represents, whether the vendor has adequate security measures, whether the vendor is a proper recipient of government funds, or whether it will act only in the public interest.”
After all, argue the plaintiffs, the FBI is not a private company. The money it spends are public funds.
“Understanding the amount that the FBI deemed appropriate to spend on the tool, as well as the identity and reputation of the vendor it did business with, is essential for the public to provide effective oversight of government functions and help guard against potential improprieties,” explains the complaint, which contends that the public is entitled to know more about the vendors who provide these sort of tools to federal law enforcement, especially if the FBI “feels compelled to contract with groups of hackers with suspect reputations, because it will inform the public debate over whether the current legislative apparatus is sufficient to meet the Government’s need for such information.”
After the FBI successfully unlocked the iPhone in this case, FBI Director James Comey was initially coy about how much the Bureau spent on the process.
“A lot,” he told the media in April, only adding that the amount is “More than I will make in the remainder of this job, which is seven years and four months, for sure.”
Using his salary — a known figure — and that time frame, the best reporters could come up with a figure north of $1.2 million.
Comey subsequently admitted — and regretted — being “cute” about that estimate, but nonetheless maintained that it was “a lot of money,” but that “it was well worth it,” even though he acknowledged that the tool the Bureau had purchased was created to crack the security on an iPhone 5C (released in 2013) running the iOS 9 operating system.
Thus, the applicability of that tool to other, newer devices with later versions of iOS is unknown.
The FBI’s single-minded focus raises some questions, notes the complaint.
“[T]he goal in San Bernardino was to investigate the case and get into that phone,” explained Comey in May. “We bought what was necessary to get into that phone. We tried not to spend more money than we needed to spend, but we spent the money we needed to to get into that phone.”
There is something called the vulnerabilities equities process (VEP), a system by which the federal government decides whether or not to disclose a vulnerability it discovers in a piece of technology.
By purchasing only the tool to unlock the device, was the FBI trying to avoid having to learn how the tool works or about the hackable vulnerability in the iPhone 5C? Some reporters questioned if the FBI was trying to evade VEP considerations (and possibly having to disclose the vulnerability to Apple) by avoiding knowledge of how the tool functions.
In that same statement in May, Director Comey denied this idea, saying he “would be shocked if anybody even thought about the VEP or the VEP at the time this was going on.”
Since the FBI dropped its legal effort to compel Apple’s assistance, the plaintiffs have each unsuccessfully filed FOIA requests with the FBI for more information regarding this transaction.
In June, the FBI denied USA Today’s request, saying that even though it had the sought-after documents, these are “law enforcement records” involved in a “pending or prospective law enforcement proceeding relevant to these responsive records,” and therefore exempted under FOIA. The paper’s subsequent appeal was summarily denied on Sept. 2 by the Department of Justice.
The dates vary, but the story was the same for reporters from the AP and Vice, both whom found their requests and appeals denied.
The plaintiffs accuse the FBI of violating FOIA by failing to conduct a reasonable search, and failing to make documents available.
“There is no lawful basis under FOIA for the FBI’s denial of the three Requests that are the subject of this action,” reads the complaint. “Even if parts of the requested documents are properly subject to an exemption, the FBI has an obligation to redact non-exempt portions of the documents and release those portions that are non-exempt under FOIA.”
The news organizations are asking the court to compel the FBI to fulfill its obligation to do an adequate search for requested records and to make them available in a timely manner.