Law enforcement agencies including the FBI have long criticized data encryption as a threat to their ability to fight crime. They argue that encryption allows bad actors to “go dark,” impeding agents’ ability to access the data of suspects, even with court orders or warrants. After years of raising the alarm about the going dark problem, though, officials have yet to convince privacy advocates that undermining encryption protections would do more good than harm. And critics say that the FBI in particular has failed to show that the problem is significant.
A Tuesday report in the Washington Post fueled this debate, revealing that the FBI had vastly overstated the number of devices to which it could not gain access. For months, FBI officials including director Christopher Wray have said publicly—including to Congress—that in the fiscal year ended September 2017 the FBI was locked out of 7,775 cellphones it had the legal authority to access. Privacy advocates have been skeptical, noting that the FBI’s figure for fiscal year 2016 was 880 inaccessible devices. The FBI confirmed on Tuesday evening that the 2017 figure was flawed.
The FBI said the error stemmed from an April 2016 move to combine information from three distinct databases. “The FBI recently became aware of flaws with the methodology implemented in April 2016, and has determined the previously reported FY 2017 statistics are incorrect,” the statement said, blaming “programming errors” that “resulted in significant over-counting of mobile devices reported” through the databases.
An official elaborated on Wednesday that the false number came from an error that over-counted entries in one of the three databases, resulting in a gradual but consistent swell in the number of devices reported as the months went on. The official says that this slow compounding is why the FBI didn’t identify the mistake sooner. Yet it quickly raised red flags outside the agency. “Frankly, we’re not surprised,” Electronic Frontier Foundation staff attorney Andrew Crocker wrote on Tuesday.
The FBI discovered the mistake in April and has been reviewing the situation over the last month, but the official wouldn’t say when the agency will release updated statistics. In fact, the bureau is considering changing how it tracks the “going dark” problem, and may switch to using case studies or other specifics as an alternative to aggregate figures. The official noted that it is difficult to know how to account for things like locked devices that are initially relevant to an investigation, but later become inconsequential, or devices that seem inaccessible at first but are eventually unlocked.
The latter situation speaks to a point privacy advocates have raised for years in arguing that the FBI overstates the threat that encryption poses to investigations. “A number of companies offer technical solutions at bargain basement prices to access even cellphones that are among the most secure,” says Greg Nojeim, director of the Freedom, Security, and Technology Project at the Center for Democracy & Technology. These workarounds aren’t ideal from a user security and privacy standpoint, but their existence is at odds with the FBI’s assertion that there is an urgent need for additional law enforcement access mechanisms.
The miscounting will further erode trust that the FBI’s “Going Dark” initiative is a good faith effort to protect public safety. Another recent blow stems from a March Department of Justice Inspector General investigation into the FBI’s extremely public quest in early 2016 to have Apple build a tool to unlock one of the San Bernardino shooters’ iPhones. The IG report found that the FBI didn’t fully evaluate its third-party unlocking options before seeking a court order to compel Apple to unlock the phone. After the tech giant resisted building such a master key—the existence of which could dangerously undermine iPhone security around the world, according to Apple CEO Tim Cook—the FBI found a contractor within weeks to unlock the phone for less than a million dollars.
“It is amazing to me that the FBI has not been able to figure out the scope of the going dark problem and this [miscounting] really calls into question the FBI’s credibility when it comes to going dark claims,” CDT’s Nojeim says. “It’s important that policymakers have data that they can rely on and when that doesn’t happen there needs to be some accountability. The Inspector General should investigate.”
Some cases are undoubtedly complicated, but it’s unclear why it has been so difficult for the FBI to offer even a revised scale or range for how many devices the Bureau was actually locked out of in fiscal year 2017. The cryptowars have been raging for decades, and analysts on both sides of it are watching as the FBI attempts to improve its “Going Dark” methodology.