Experts: iPhone unlikely to hold many clues
The FBI's push for encrypted data from a San Bernardino shooter's phone is mainly about setting a precedent, one ex-DHS official says.
By David Perera
The legal and political noise surrounding Apple’s legal battle with the FBI conceals one undramatic reality, security and law enforcement experts say: Investigators probably won’t find much useful new information even if they unlock Syed Farook’s iPhone.
That’s because they already have access to a teeming trail of digital breadcrumbs that the terror suspect inevitably left behind before he and his wife killed 14 people in the Dec. 2 shooting rampage in San Bernardino, California, according to experts familiar with the technology involved. Those include data about the websites he visited using the county-issued work phone, calls he made, apps he downloaded and the people with whom he exchanged text messages — possibly including the content of some messages, up to about a week before the attacks.
And it’s unlikely that Farook had been communicating with terrorist sleeper cells or foreign handlers that authorities wouldn’t otherwise know about, one former Department of Homeland Security counterterrorism official told POLITICO.
All told, if the phone really contains valuable anti-terror data, investigators probably already have it.
So why are Justice Department prosecutors waging such a loud, public court fight to demand that Apple help it unlock the encrypted phone’s security protections — a fight that has alarmed the tech industry, stoked the debate about privacy versus national security, and even intruded into the presidential race?
The FBI is “hoping to set a precedent,” the ex-DHS official told POLITICO. And it chose its ground well: a terrorism case, where “the public opinion aspect is stronger.”
FBI Director James Comey and Apple's top lawyer are set to square off on the debate Tuesday afternoon in separate appearances before the House Judiciary Committee.
Critics say the FBI is picking a fight with Apple over long-standing tensions about the increasing impenetrability of the iPhone’s encryption, rather than acting from an immediate, pressing need to extract evidence. Before this month, its most-publicized encryption dispute with Apple involved an obscure meth dealer prosecution in Brooklyn.
No former national security official contacted by POLITICO was willing to totally write off the chance that Farook’s phone contained relevant information. He “could have taken a picture of something. … He could have written notes on the phone, he could have cut and pasted material,” said a former Justice Department official, speaking on condition of anonymity. “You can extract a lot of information from a photograph.”
But Farook's iPhone appears to be a relatively weak target. "There is a reasonably good chance that there is nothing of any value on the phone," San Bernardino city police Chief Jarrod Burguan told NPR on Friday, although he defended the FBI’s request as “an effort to leave no stone unturned.”
Comey has vigorously insisted that it’s critical that investigators unlock the iPhone to get a full picture of its contents in the last six weeks before the rampage. "Maybe the phone holds the clue to finding more terrorists," he wrote in a blog post this month. "Maybe it doesn't. But we can't look the survivors in the eye, or ourselves in the mirror, if we don't follow this lead."
Even if the phone contains just a sliver of information, that sliver could prove useful, former FBI Associate Deputy Director Buck Revell said. “It could be absolutely nothing or it could be the key to the next terrorist event and the wrap-up to this one,” he said.
But based on the Justice Department’s own documents, plus interviews with a half-dozen security experts, a wealth of information from Farook’s phone is already available to the FBI, even without having Apple break into it.
Experts say it’s nearly impossible for Farook not to have left digital traces up to the minute he died in a gun battle with police — data obtainable from sources such as Verizon’s cellular network, the advertising program of Verizon’s AOL subsidiary and even Apple itself.
That includes any phone numbers that Farook contacted if he made a regular voice call in the past year or longer. If he exchanged SMS text messages, the FBI most likely knows not just whom he sent them to, but the messages’ contents going back about a week before the shooting. Apple can disclose which apps he downloaded — including any encrypted text messaging apps. And Apple can probably identify whoever used the phone’s default iMessage text client to exchange messages with Farook, although not the content of those messages.
In addition, the FBI says it has obtained a full digital backup from Farook’s iCloud account, which was last synced with the phone on Oct. 19, offering an even more complete treasure lode for his activities until six weeks before the shootings.
“It gives you basically everything that’s on the phone,” said Jonathan Zdziarski, a forensic scientist who specializes in Apple devices. Examining that backup, agents can retrieve data such as the content of the iMessages and which Wi-Fi networks Farook used — yielding a record of his travels.
“You could even get third-party app data,” Zdziarski said, depending on how developers coded the software.
Apple spokesman Fred Sainz refused to clarify whether the company retains iMessage transaction information, and for how long. But the company said in a court filing Thursday that it had provided the FBI with “account information, emails and messages” associated with three Apple accounts in response to a search warrant.
"When the FBI came to us in the immediate aftermath of the San Bernardino attacks, we gave all the information we had related to their investigation," Apple general counsel Bruce Sewell is set to tell lawmakers at Tuesday's House Judiciary hearing, according to his prepared testimony. "And we went beyond that by making Apple engineers available to advise them on a number of additional investigative options."
Even so, he maintains, abiding by the government's latest request "would set a dangerous precedent for government intrusion on the privacy and safety of its citizens."
Security experts also have non-technical reasons for doubting that the phone contained much useful information — such as the fact that Farook and his wife, Tashfeen Malik, didn’t show much concern about what happened to it. Authorities have said the couple smashed their personal cellphones, along with their computer hard drives, before embarking on their shooting spree. But the phone was found in a black Lexus belonging to his family.
In addition, Farook didn’t bother to erase his iCloud backups. (There’s been speculation over whether he deliberately disabled new backups after Oct. 19, but they could have stopped on their own, perhaps because his account reached its storage limit.) He even left the device’s location-tracking Find My iPhone feature turned on, Zdziarski noted.
Plus, the former DHS counterterrorism official said, the relative amateurism of the shootings is one argument against the idea that Farook had been in contact with other terrorists or ISIL coordinators, further lessening the iPhone’s evidentiary value.
Running a sleeper cell inside the United States isn’t easy, requiring handlers and members to observe operational security practices that are easy to mess up. Had ISIL been able to coordinate the husband-and-wife team, the official said, it wouldn’t have told them to hit a nonprofit providing services to the developmentally disabled.
“The likelihood is that this is self-radicalization, followed by self-initiation,” the former official said of the shootings. “As horrible as it was on a personal level, it was not a geopolitical impactful activity.”
Nor do the government’s court filings mention sleeper cells and other terrorists. Instead, prosecutors discuss Farook’s iPhone communications with the shooting victims and his wife.
And if the government wants to read encrypted text messages sent through an app such as Telegram — reported to be popular with ISIL — the FBI’s silence suggests there’s nothing to look at, said Nate Cardozo, a staff attorney with the Electronic Frontier Foundation. “I’m guessing if the phone did have Telegram installed, they would be shouting that from the rooftops,” he said.
Finally, former NSA official Ron Gula speculated, maybe the FBI and other agencies actually have the technology to get into the phone themselves, but are seizing on this case to publicize their push for “backdoors” to encryption.
“Obviously, the NSA, the CIA, whoever, is not going to come out and say, ‘We’ve got it, we can do this,’” said Gula, who’s now CEO of Tenable Network Security.
“I’d like to believe my government has the resources, including in the FBI, to do this,” he added. “So they’re making [the fight] public for a reason.”