Coming Soon to Apple vs FBI: Live Witnesses and Dead Terrorists

Screen Shot 2016-03-18 at 1.31.47 PMApple today revealed that the FBI intends to call two witnesses in the March 22 hearing regarding the All Writs Act order to help crack Syed Rizwan Farook’s phone: what I understand to be Privacy Manager Erik Neuenschwander and its Law Enforcement Compliance lawyer Lisa Olle. The tech company declined to say whether it will call the FBI personnel who made sworn statements in the case.

Things could get interesting fast, especially if Apple calls FBI’s forensics guy, Christopher Pluhar — or even better, FBI Director Jim Comey — as there’s an apparent discrepancy between their sworn testimony.

Here’s what Jim Comey had to say in response to a Jerry Nadler question in the March 1 House Judiciary Committee hearing.

As I understand from the experts, there was a mistake made in the, that 24 hours after the attack where the County at the FBI’s request took steps that made it hard later — impossible later to cause the phone to back up again to the iCloud. The experts have told me I’d still be sitting here, I was going to say unfortunately[?], I’m glad I’m here, but we would still be in litigation because — the experts tell me — there’s no way we would have gotten everything off the phone from a backup, I have to take them at their word.

Comey’s comments appear to conflict with this sworn declaration of FBI Christopher Pluhar.

To add further detail, on December 3, 2015, the same day the Subject Device was seized from the Lexus IS300, I supervised my Orange County Regional Computer Forensics Laboratory (“OCRCFL”) team who performed the initial triage of the Subject Device, and observed that the device was powered off, and had to be powered up, or booted, to conduct the triage.


I learned from SBCDPH IT personnel that SBCDPH also owned the iCloud account associated with the Subject Device, that SBCDPH did not have the current user password associated with the iCloud account, but that SBCDPH did have the ability to reset the iCloud account password.

Without the Subject Device’s passcode to gain access to the data on the Subject Device, accessing the information stored in the iCloud account associated with the Subject Device was the best and most expedient option to obtain at least some data associated with the Subject Device. With control of the iCloud account, the iCloud back-ups of the Subject Device could be restored onto different, exemplar iPhones, which could then be processed and analyzed.


After that conversation with Ms. Olle, and after discussions with my colleagues, on December 6, 2015, SBCDPH IT personnel, under my direction, changed the password to the iCloud account that had been linked to the Subject Device. Once that was complete, SBCDPH provided exemplar iPhones that were used as restore targets for two iCloud back-ups in the Subject Device’s iCloud account. Changing the iCloud password allowed the FBI and SBCDPH IT to restore the contents of the oldest and most recent back-ups of the Subject Device to the exemplar iPhones on December 6, 2015. Once back-ups were restored, OCRCFL examiners processed the exemplar iPhones and provided the extracted data to the investigative team. Because not all of the data on an iPhone is captured in an iCloud back-up (as discussed further below), the exemplar iPhones contained only that subset of data as previously backed-up from the Subject Device to the iCloud account, not all data that would be available by extracting data directly from the Subject Device (a “physical device extraction”).

That’s true for several reasons. First, as I understand it, once the phone was turned off, such a backup would no longer be possible, so it would have not been a mistake to change the password. And while Pluhar’s assertion that you can’t get everything from an iCloud backup is consistent with Comey’s claim (presumably Pluhar is one of the experts Comey relied on), Neuenschwander explained that that was false in his own supplemental declaration.

Note, this passage is also the first confirmation that the FBI had already told Apple this phone was part of the investigation by December 6, meaning it must have been one of the ones Apple provided metadata for on December 5.

There is just one way that Pluhar’s declaration and Comey’s statement (again, both were sworn) can be true: if the FBI turned off the phone themselves [update: or let it drain, h/t Some Guy]. That would also mean Comey’s claim that “a mistake was made in that 24 hours after the attack” would make more sense, as it would refer to the decision to turn off the phone, rather than FBI’s direction to San Bernardino County to change the password.

That said, I wonder whether FBI isn’t trying something else by calling Olle and Neuenschwander to testify.

As part of its reply, Apple had Senior Vice President for Software Engineering Craig Federighi submit a declaration to rebut government claims Apple has made special concessions to China. After making some absolute statements — such as that “Apple has also not provided any government with its proprietary iOS source code,” Federighi stated, “It is my understanding that Apple has never worked with any government agency from any country to create a “backdoor” in any of our products or services.”

I was struck at the time that the statement was not as absolute as the others. Federighi relies on what he knows, without, as elsewhere, making absolute assurances.

Which got me wondering. If any country had demanded a back door (or, for that matter, Apple’s source code) would Federighi really need to know? From Neuenschwander’s declaration, it sounded like a smallish team could make the back door the FBI is currently demanding, meaning he might be as high as such knowledge would rise.

So I wonder whether, in an attempt to be dickish, the government intends to ask Neuenschwander and Olle, who would be involved in such compliance issues, if they also back Federighi’s statement.

We shall see. For now, I just bet myself a quarter that Apple will call Comey.

13 replies
  1. Some Guy says:

    “There is just one way that Pluhar’s declaration and Comey’s statement (again, both were sworn) can be true: if the FBI turned off the phone themselves.”

    One of the many articles I’ve read about this had a report that the FBI allowed the battery to drain down to the point the phone shut off. I believe that’s the mistake Comey is referring to.

    If I remember correctly, it was a tech news site, not a traditional newspaper web site. I wish I could offer more specifics – if I come across it again, I’ll post the link.

  2. bloopie2 says:

    “I just bet myself a quarter that Apple will call Comey. ” I’ll take that bet. I believe that Comey is too highly accomplished at responding to a question without answering it, to be a useful witness for Apple. Kind of like Ari Fleischer, former Bush Press Secretary, who, I understand, could stand up to any questioner on earth, for hours, and provide no useful information in return. (Or is that kind of like Donald Trump?) But you’re right, the chess match going on here is something to behold.

    • emptywheel says:

      I upped my bet from $.10 to $.25 as I wrote this, because they would do it to raise the costs of whatever DOJ is trying to do with Apple’s witnesses.

      Remember, too, Ted Olson knows Jim Comey very very well, having served as his witness during the hospital confrontation. I bet any good trial lawyer would know the buttons to push, I bet Ted knows how to push them incredibly well.

  3. bloopie2 says:

    Was the phone So Important, at that time, that it was being (or should have been) tended to with the utmost of care? Or was it just one of many pieces of (potential) evidence to be gotten around to in due course? If the latter, then it’s perhaps understandable that “mistakes were made”. If the former, then it’s gross negligence on the part of the “prosecution”, which the court should not redeem in the manner requested.

  4. JJ says:

    Federighi stated, “It is my understanding that Apple has never worked with any government agency from any country to create a “backdoor” in any of our products or services.” vs. statement about iOS. Explanation: Federighi was not at Apple for the creation of all products and services that it produced over the years. However, he was at Apple for all the year of iOS development. Apple years 1996-1999, 2009-present. iOS years 2007-present. Assume 2007-2009 backdoors were not needed to be created because they were part of the software.

  5. orionATL says:

    a story here in the ny times:

    and a similar one in the guardian about the paris terrorist attacks

    are relevant to the psychological atmosphere created by the likes of james “big scare” comey of the fbi and sen. diane “dunce” feinstein of the senate select committee on “intelligence” (really, spying) regarding the apple gambit by the doj.

    the round-up of surviving perpetrators in belgium was basic policework involving, e. g., fingerprints and dna smears. no doubt some spying was involved, but, amazingly, once again, spying did not get the credit for wrapping up the gang.

    but remember the psychological atmosphere supporting more intrusive spying following the paris attacks:

    – it was xbox (or something similar)

    – it was playstation (or something similar)

    – maybe whatsapp was responsible

    – maybe “signal” (whatever that is) was to blame.

    point is:

    – spying didn’t stop the attack.

    – encryption does not seem to be a factor.

    steady police work following a trail – it’s called hunting “big jim”, human minds were built for it – did the job.

    o. k. now we currently have the san bernardino gambit of the u. s. dept of justice (whenever you read “fbi” in the media, just substitute doj and you’ll have the name of the driving force behind the attack on encryption via apple corp) which, once again, tries to allow the government to intrude further into citizens lives and privacy.

    the perpetrators are dead and buried. the two phones they used have been recovered. but the phone they almost certainly did not use, a work phone, was seized by the fbi, but was allowed to run its battery down and die.

    so what might we expect of the untrained, never-leashed pit bull of a u. s. doj out of this mess?

    why, attempt to use the judiciary to compel apple corp to write code to unlock the dead, irrelevant phone?

    what political tactics will the doj employ to acvkmplish their mission? ?

    why, the same quiver of scare tactics used by american politicians and bureaucrats after the paris attacks.


    and double boo,

    to big jim and dunce feinstein

    and to the scheming prosecutors at the united states department of justice.

  6. pdaly says:

    I am still confused about the powered down/battery run down bit. And it seems Comey wants the phone unlocked even if the iCloud back up had worked perfectly.
    I can understand that in the immediate aftermath of the shooting, before the FBI could eliminate a group acting in concert with the San Bernadino shooter husband/wife team, the FBI would have wanted the discovered iPhone turned off and/or electronically sealed off in a Faraday cage to prevent someone working with the couple from sending a ‘remote wipe’ signal to the iPhone.
    I also assume that the FBI always has access to anyone’s iCloud account, so I don’t see the point in the FBI changing the password to the iCloud account. (Happy to learn from someone who might understand the advantage of the iCloud account password change).
    Even with a dead battery there should have been ample time later, once the FBI determined the shooters had acted alone, to take that iPhone to the shooters’ house and power it up. I assume they had sole access to the shooters’ house and wifi soon after the shooting.
    The iPhone, even in its locked state, would then communicate overnight with its iCloud account uploading to the iCloud any missing data that had accumulated in the iPhone in the 6 wks leading up to the shooting. (Unless the iPhone cannot be changed after it is taken in as evidence? But the shooters were dead so there would not be a trial where evidence would be necessary, right?).
    Then Comey mentions in his testimony that he would still likely be asking for Apple’s help to unlock the iPhone even had the final back up to the iCloud been performed because data on the physical phone would NOT have backed up to the iCloud.
    What kind of information is that?
    I found this article written in 2/2016 suggesting some developers of Apps for the iPhone may write code to keep data away from the iCloud.
    “There’s also data on the phone’s local memory that isn’t included in the iCloud backup, as the FBI pointed out in its Saturday statement. There’s been some confusion on this point too, but a quick turn through Apple’s developer guidelines makes it clear that the bureau is right. iCloud backs up anything [apps] developers store in the [iPhone’s] Documents folder — which typically means any data generated by the user — but it’s entirely a question of how a given app is written. The private messaging apps like Signal and Wickr, for instance, purposefully keep much of their cache data stored locally, out of iCloud’s reach. To find those files, you would need to unlock the phone and scan its local memory. ”

  7. pdaly says:

    So this is the timeline:
    First FBI’s Christopher Pluhar learns from Apple’s lawyer Ms. Olle that the “remote wipe” function is not on. The iCloud account won’t remote wipe the iPhone.
    “After that conversation with Ms. Olle, and after discussions with my colleagues, on December 6, 2015, [San Bernardino County Dept. Public Health] IT personnel, under my direction, changed the password to the iCloud account that had been linked to the Subject Device [iPhone].”
    In other words, once the FBI realized the iPhone was NOT going to be Remote Wiped if they powered up the iPhone at the dead shooters’ house where the trusted wifi node would have uploaded iPhone data to the iCloud account, the FBI instead ordered the iCloud account to be locked down with a password change to the iCloud account.
    Then, upon blocking any chance of a final iCloud back up, the FBI goes public saying it cannot get the last 6 weeks of iCloud data from the terrorists’ phone, because the County IT department ‘screwed up.’
    Once that story fell apart (with talk back from Apple clarifying the timeline for us) the FBI states it (the FBI) screwed up in asking for the iCloud password change, but then goes on to say it (the FBI) was not interested ONLY in iCloud data but also in the data that exclusively resides in the iPhone–the data that never uploads to the iCloud.
    (t should look back at the early news announcements to see how the FBI was spinning it.)
    It appears, however, the FBI’s/DOJ’s end game was to float a test case, sellable to a sympathetic public, to set a precedent towards breaking Apple’s iPhone safety features.

Comments are closed.