The FBI’s Asinine Attempt to Retroactively Justify Cracking Farook’s Phone

“Hold on honey,” said Syed Rizwan Farook, who had just murdered 14 of his co-workers, “let me go get my work phone in case they call me during our getaway.”

That’s the logic the FBI is now peddling to reporters who are copping onto what was clear from the start: that there was never going to be anything of interest on Farook’s phone. After all, they’re suggesting geolocation data on the phone (some of which would be available from Verizon) might explain the 18 minutes of the day of the attack the FBI has yet to piece together.

For instance, geolocation data found on the phone might yet yield clues into the movements of the shooters in the days and weeks before the attack, officials said. The bureau is also trying to figure out what the shooters did in an 18-minute period following the shooting.

Farook drove an SUV to the attack and was killed in the same SUV. To suggest his work phone, which was found in a Lexus at his house, might have useful geolocation data about the day of the attack would require that he made a special trip to the car to leave his phone in it and turned it off afterwards (if we really believe it was off and not just drained when the FBI found it the day after the attack).

Hold on honey, let me go place my work phone in the Lexus.

Similarly, it is nonsensical to suggest the phone would yield evidence of ties with foreign terrorists.

The FBI has found no links to foreign terrorists on the iPhone of a San Bernardino, Calif., terrorist but is still hoping that an ongoing analysis could advance its investigation into the mass shooting in December, U.S. law enforcement officials said.

They’ve had the metadata from the phone since December 6, at the latest. That’s what would show ties with foreign terrorists, if Farook had been so stupid as to plot a terrorist attack against his colleagues on his work phone, to which his employer had significant access.

Finally, reporters should stop repeating the FBI’s claim that Farook turned off his backups.

In particular, the bureau wanted to know if there was data on the phone that was not backed up in Apple’s servers. Farook had stopped backing up the phone to those servers in October, six weeks before the attack.

The government has actually never said that in sworn declarations. Rather, their forensics guy, Christopher Pluhar, asserted only that Farook may have turned them off.

Importantly, the most recent backup is dated October 19, 2015, which indicates to me that Farook may have disabled the automatic iCloud backup feature associated with the SUBJECT DEVICE. I believe this because I have been told by SBCDPH that it was turned on when it was given to him, and the backups prior to October 19, 2015 were with almost weekly regularity. [my emphasis]

But if he did, he was a damned incompetent terrorist, because — as Jonathan Zdziarski, who is quoted in this article, pointed out — at the same screen he would have used to turn off the iCloud backup, he could have also deleted all his prior backups, which we know he didn’t do.

  • Find my iPhone is still active on the phone (search by serial number), so why would a terrorist use a phone he knew was tracking him? Obviously he wouldn’t. The Find-my-iPhone feature is on the same settings screen as the iCloud backup feature, so if he had disabled backups, he would have definitely known the phone was being tracked. But the argument that Farook intentionally disabled iCloud backup does not hold water, since he would have turned off Find-my-iPhone as well.
  • In addition to leaving Find-my-iPhone on, the option to delete all prior backups (which include iMessage history and other content) is also on the same settings screen as the option to disable iCloud backups. If Farook was trying to cover up evidence of leads, he would have also deleted the existing backups that were there. By leaving the iCloud backup data, we know that Farook likely did not use the device to talk to any leads prior to October 19.

We also know from a supplemental Pluhar declaration that Farook had not activated the remote-wipe function, which he also would have done if he were a smart terrorist trying to cover his tracks.

Finally, as Apple’s Privacy Manager, Erik Neuenschwander, demonstrated, Pluhar didn’t know what the fuck he was talking about with regards to backups.

Agent Pluhar also makes incorrect claims in paragraph 10(b). Agent Pluhar claims that exemplar iPhones that were used as restore targets for the iCloud backups on the subject device “showed that … iCloud back-ups for ‘Mail,’ ‘Photos,’ and ‘Notes’ were all turned off on the subject device.” This is false because it is not possible. Agent Pluhar was likely looking at the wrong screen on the device. Specifically, he was not looking at the settings that govern the iCloud backups. It is the iCloud backup screen that governs what is backed up to iCloud. That screen has no “on” and “off” options for “Mail,” “Photos,” or “Notes.”

Zdziarski also notes that there are other possible explanations for the lack of recent backups on Farook’s phone.

iCloud backups could have ceased for a number of reasons, including a software update that was released on October 21, just two days after the last backup, or due to iCloud storage filling up.

The point is, we don’t know, and it’s not even clear Pluhar would know how to check. So given all the other evidence suggesting Farook may not have turned off his backups, journalists probably should not claim as fact that he did.

Of course, that claim is really just a subset of the larger set of bullshit the FBI has fed us about the phone. It’d really be nice if people stopped taking their bullshit claims seriously, as so few of the past ones have held up.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

7 replies
  1. Hieronymus Howard says:

    What will the FBI do when confronted with an actual “secure enclave” in later models of iPhone’s hardware? Secure enclave was introduced to the market four years ago, was it not? Newfangled “fuses” in the latest iterations supposedly fry the decryption chipset if an end-run around the security is attempted. The prospect of FBI’s chagrin fills me with elation.

    But of course bonehead legislation to outlaw the tech will follow, sponsored by Ms. Feinstein & her ilk.

  2. Ol' Hippy says:

    As I’ve posted on other sites, the FBI wants to get people to surrender their privacy without a fight from citizens. They are not to be believed. Once one realizes that most everything they “say” is a lie or, at best, half truths and nonsense, then you won’t become part of “their” narrative. This is a battle worth fighting; don’t surrender your rights because you will never get them back. Don’t buy into being made safer or that “we’re the ‘good’ guys”. Keep some dignity and don’t surrender the last bits of privacy left to a govt that wants total access to your lives.

  3. bloopie2 says:

    “Resentments and hatred build; two very tired people, neither of them spring chickens, traverse the country, getting wearier, getting meaner.” (Speaking of Hillary and Bernie). And I also wonder, how the hell do they do that? I’m younger and could never see myself putting in those hours under those kinds of conditions.

  4. Ian says:

    While Apple & the FBI/DOJ continue their dance through the US (Federal) Court system, the reporting on April 14, 2016 carried through both:

    Motherboard.vice.com & also news.vice.com

    discloses a Montreal, Quebec, Canada Mafia case where the RCMP [the Mounties] had arranged an entire system of automatically decrypting many millions of transmissions [text & voice] of the consumer [i.e. non-Corporate Secure] version of Blackberry, having obtained legal orders from a Quebec court to “follow” several members of the Rizzuto (Mafia) family based in Montreal, with the Rizzuto family being routinely listed as a long time branch of the New York based Bonanno Family.

    The reports explain how the consumer version of the Blackberry encryption standard was a hardware driven single Masterkey installed at the factory [while the Corporate Blackberry always allowed the user corporate customer to set their own encryption key and keep changing it]. The court documents left open the possibility that Blackberry itself may have given the RCMP the details of the Masterkey—although the technical reports left open the possibility that the RCMP may have “reverse-engineered” the key themselves—highlighting statements by the current CEO to the effect that Blackberry will always comply with lawful orders.

    The detailed reports can be seen at:
    “Exclusive: How Canadian Police Intercept and Read Encrypted BlackBerry Messages”
    https://motherboard.vice.com/read/rcmp-blackberry-project-clemenza-global-encryption-key-canada
    and also:
    “Exclusive: Canadian Police Obtained BlackBerry’s Global Decryption Key”
    https://news.vice.com/article/exclusive-canada-police-obtained-blackberrys-global-decryption-key-how