Did the FBI Have a Chance to Fix Their Lies about Encryption in 2016?

The WaPo reports that the FBI has been presenting grossly inflated numbers describing how many devices it can’t open because of encryption. The error stems, the FBI claims, from a “programming” error that actually sounds like an analytical error: the double or triple counting of the same encrypted phones.

Over a period of seven months, FBI Director Christopher A. Wray cited the inflated figure as the most compelling evidence for the need to address what the FBI calls “Going Dark” — the spread of encrypted software that can block investigators’ access to digital data even with a court order.

The FBI first became aware of the miscount about a month ago and still does not have an accurate count of how many encrypted phones they received as part of criminal investigations last year, officials said. Last week, one internal estimate put the correct number of locked phones at 1,200, though officials expect that number to change as they launch a new audit, which could take weeks to complete, according to people familiar with the work.

“The FBI’s initial assessment is that programming errors resulted in significant over-counting of mobile devices reported,” the FBI said in a statement Tuesday. The bureau said the problem stemmed from the use of three distinct databases that led to repeated counting of phones. Tests of the methodology conducted in April 2016 failed to detect the flaw, according to people familiar with the work.

I find the April 2016 failed test suspicious.

To know why, consider this bit of history. Back in 2015, in the wake of Apple making encryption standard, Jim Comey and Sally Yates made a big pitch for back doors. But when Al Franken asked them, they admitted the FBI didn’t actually know how big the problem is.

Over an hour and a quarter into the SJC hearing, Al Franken asked for actual data demonstrating how big of a problem encryption really is. Yates replied that the government doesn’t track this data because once an agency discovers they’re targeting a device with unbreakable encryption, they use other means of targeting. (Which seems to suggest the agencies have other means to pursue the targets, but Yates didn’t acknowledge that.) So the agencies simply don’t count how many times they run into encryption problems. “I don’t have good enough numbers yet,” Comey admitted when asked again at the later hearing about why FBI can’t demonstrate this need with real data.

Nevertheless, in spite of Congress’ request for real numbers in July 2015, in January 2016 — just as some at FBI were trying to create an excuse to force Apple to open Syed Rizwan Farook’s phone — Comey and Yates admitted they still hadn’t started tracking numbers.

Around January 26, 2016 (that’s the date shown for document creation in the PDF) — significantly, right as FBI was prepping to go after Syed Rizwan Farook’s phone, but before it had done so — Comey and Yates finally answered the Questions for the Record submitted after the hearing. After claiming, in a response to a Grassley question on smart phones, “the data on the majority of the devices seized in the United States may no longer be accessible to law enforcement even with a court order or search warrant,” Comey then explained that they do not have the kind of statistical information Cy Vance claims to keep on phones they can’t access, explaining (over five months after promising to track such things),

As with the “data-in-motion” problem, the FBI is working on improving enterprise-wide quantitative data collection to better explain the “data-at-rest” problem.

[snip]

As noted above, the FBI is currently working on improving enterprise-wide quantitative data collection to better understand and explain the “data at rest” problem. This process includes adopting new business processes to help track when devices are encountered that cannot be decrypted, and when we believe leads have been lost or investigations impeded because of our inability to obtain data.

[snip]

We agree that the FBI must institute better methods to measure these challenges when they occur.

[snip]

The FBI is working to identify new mechanisms to better capture and convey the challenges encountered with lawful access to both data-in-motion and data-at-rest.

Grassley specifically asked Yates about the Wiretap report. She admitted that DOJ was still not collecting the information it promised to back in July.

The Wiretap Report only reflects the number of criminal applications that are sought, and not the many instances in which an investigator is dissuaded from pursuing a court order by the knowledge that the information obtained will be encrypted and unreadable. That is, the Wiretap Report does not include statistics on cases in which the investigator does not pursue an interception order because the provider has asserted that an intercept solution does not exist. Obtaining a wiretap order in criminal investigations is extremely resource-intensive as it requires a huge investment in agent and attorney time, and the review process is extensive. It is not prudent for agents and prosecutors to devote resources to this task if they know in advance the targeted communications cannot be intercepted. The Wiretap Report, which applies solely to approved wiretaps, records only those extremely rare instances where agents and prosecutors obtain a wiretap order and are surprised when encryption prevents the court-ordered interception. It is also important to note that the Wiretap Report does not include data for wiretaps authorized as part of national security investigations.

These two answers lay out why the numbers in the Wiretap Report are of limited value in assessing how big a problem encryption is.

Significantly, Comey and Yates offered these answers in response to a Chuck Grassley question about whether they believed, as the corrupt Cy Vance had claimed in Senate testimony, that “71% of all mobile devices examined…may be outside the reach of a warrant.”

The number FBI is now trying to correct was “more than half,” inching right up towards that 71% Vance floated years ago. In other words, this faulty methodology got them to where they needed to go.

I find that all the more suspicious given something that happened later in 2016. As soon as Jim Comey started providing numbers in August 2016, back when they showed 13% of phones could not be accessed, I asked how FBI came up with the number. At the time, a spox admitted that the number included more than encrypted phones — it also included deleted or destroyed phones.

It is a reflection of data on the number of times over the course of each quarter this year that the FBI or one of our law enforcement partners (federal, state, local, or tribal) has sought assistance from FBI digital forensic examiners with respect to accessing data on various mobile devices where the device is locked, data was deleted or encrypted, the hardware was damaged, or there were other challenges with accessing the data. I am not able to break that down by crime type.

That is, in September 2016, five months after FBI failed to find their flawed methodology, an FBI spox told me the number used was not an accurate count of how many phones couldn’t be accessed because of encryption.

When then FBI General Counsel James Baker used the same 13% a few months later, claiming all were encrypted, I checked back. The same spox said the number at that point was just encrypted phones.

It is true that damaged devices are provided to CART and RCFL for FBI assistance, but the 886 devices in FY16 that the FBI was not able to access (which is the number that GC Baker provided last week) does not include those damaged devices. It includes only those devices for which we encountered a password we were not able to bypass.

Now, it’s possible that the methodological problem I identified in 2016 — that their “Going Dark” number actually included phones they couldn’t access for entirely different reasons — was a different problem than the one just identified a month ago (just before Baker retired). Certainly, it doesn’t sound like the same problem (though as I reminded someone from DOJ’s IG some time ago, the forensics labs sending in these numbers have a history of unreliable numbers). That said, given the proliferation of chat apps with disappearing messages that amount to “destroyed” evidence — which under the flawed methodology used in 2016 would be counted as an encryption problem — it could be.

Still, what I identified in September 2016 was a methodological problem. It should have triggered a closer look at the time.

Instead, the FBI has been lying about how bad the Going Dark problem is for another year and a half.

15 replies
  1. GKJames says:

    “Flawed methodology” almost makes it sound scientific, rigorous protocols over which reasonable people could disagree. Another word might be “bogus”. At each stage, their numbers couldn’t withstand scrutiny. Easy to see why; 13% isn’t going to cut it when your motive–as it is on every occasion–is to frighten Congress and the public. And that Comey and Yates are poster children of integrity and ethics is bizarre. There should at least be a qualifier whenever they’re mentioned, along the lines of “characterization is solely relative to the cretins in power now”.

  2. Trip says:

    Marcy, Have you seen this? From a few days ago:

    https://mobile.twitter.com/VickerySec/status/997694044602974208
    Chris Vickery@VickerySec

    Just came across these two tweets from Darren Bolding on Dec 28th, 2015. That’s the same day news broke of the first nation-wide voter data file I found (191 mil records). I had provided Darren’s own record to him within a few days prior in order to prove it was a legit leak. 1/2
    https://mobile.twitter.com/VickerySec/status/997689369996619777/photo/1

    Darren was the RNC’s CTO at the time. He joined Cambridge Analytica after the election. More and more I suspect that Darren may be (or have knowledge of) the link between United In Purpose/Pioneer Solutions and the SCL/CA/AIQ cabal.

    Basically, what I’m saying is: If anyone ever gets the chance to ask Mr. Bolding some questions under oath, ask him how (link: http://pioneersolutionsinc.com) pioneersolutionsinc.com gets RNC voter data. #BillDallas #TamasCser #UiP #TrendMojo #bitcoin
    12:22 AM · May 19, 2018

    https://mobile.twitter.com/VickerySec/status/998012120624066561

    Chris Vickery@VickerySec

    If any US authorities are having difficulty figuring out a way to wrap US jurisdiction around the AggregateIQ people, there’s at least one easy route: Dev notes show they were spoofing caller ID numbers for calls to voters within the US. US law generally prohibits this practice.

    • SpaceLifeForm says:

      AIQ is a key puzzle piece. Bolding jumping on the sinking ship may have been karma. With both UK and US CA ops pleading broke and all.

      https://ca-commercial.com/

      [Note: a .com, not a .co.uk]

      Cambridge Analytica (UK) Limited, SCL Group Limited, SCL Analytics Limited, SCL Commercial Limited, SCL Social Limited and SCL Elections Limited (together “the Companies”)

      On 3 May 2018, Vincent John Green and Mark Newman, insolvency practitioners at Crowe Clark Whitehill LLP were appointed independent Joint Administrators of the Companies under order of the High Court.

      [Link there to contact administrators]

  3. gezzerx says:

    The figures don’t lie; it is the liars that do the figuring. It has always been like this and always will be!!!

    • bmaz says:

      Oh goody, the “Jill” troll is back. “Jill”, you dishonest pile of bunk, people here have discussed Epstein for years. You are a dirtbag troll dropping in like you have something. You don’t. You never do. You propagate dishonest garbage. Get out of here.

  4. Jon Morse says:

    I am not specialized in IT security or programming, though I’m not unfamiliar with them, but I do have specialized training as a network administrator which involves some basic security issues & work (with more specialized people for this there doing most of this stuff,) so I do have a bit more than some random person in the area. I would be highly surprised if 90%-95% of any model of any type of phone sold in the U.S. has any form of security or encryption that one of the relevant U.S. agencies cannot defeat within like 3-5 months of the day it’s released, & all but literally a dozen or less highly specialized phones that very few people even know exist as a product & even fewer actually buy that cannot be completely cracked within 7-8 months. I would guess the dozen or so mentioned are also likely able to be cracked no later than 1.5-2 years from release at the absolute latest. Though understand that the last number & time-frame is a lot more speculative based than the prior estimates, so don’t put a lot of weight behind them & it is the longest amount of time that I imagine it could possibly take (any longer than that & I would actually be rather shocked, which hasn’t happened to me on issues in this area in a long time.) There is also always a possibility that they don’t even worry about making a pro-active effort to crack those phones because of their rarity & if they do obtain access to a method to defeat them it’s probably just because partners of theirs have been working on doing it on their own initiative (bragging rights, just because, etc…) or some black hat developed a method & the agencies themselves or private partners in this field could have just lifted the method from them when they found out someone had a way to do it.

    Just as some things to show something to support what I’m saying not requiring any sort of technical background knowledge. https://www.forbes.com/sites/thomasbrewster/2018/02/26/government-can-access-any-apple-iphone-cellebrite/#7604ac8b667a is about Cellebrite (an Israeli IT/hacking firm that has partnered on previous occasions with one or another U.S. government agency). The article dated February 26, 2018 discusses the firm telling customers about their ability to beat any of the security that runs on any iPhone device running iOS 11 which was officially released on September 19, 2017 & they further specified that this included everything at that time to the 11.2.6 update officially released on February 19, 2018… 7 days before the article was posted. I refuse to personally use Apple products so this is just going off the list I’m seeing that briefly describes each update so I apologize for any mistakes this next part may contain (though it wouldn’t be anything significant.) That particular update appears to be incredibly minor & I imagine might not have even required any changes on their end to continue to work & in fact I doubt much if any adjustments would have been necessary since no later than possibly January 8, 2018 depending on the specifics of their method which would have a bit over a month before the article… but still. This for a company/phone series that regularly is lauded for its security features including this time around with this iOS new version as well.

    Yet https://blog.elcomsoft.com/2017/09/new-security-measures-in-ios-11-and-their-forensic-implications/ is a blog post written by a company that sells consumer grade software to extract the data from most phones in most circumstances an unlimited number of times for a measly $199 that is regularly updated & while the license I would imagine only lasts 1 year for that $199 I know for a fact (as I’ve had similar software & on their FAQ page they explicitly mention this,) that once you buy it you will always be able to purchase an extension to your license for a year (even if you let the license expire for an extended period of time then decide you want to get one again to update & use it,) for a discounted rate that is certainly no less than $20 less than the $199 & likely between $30-$50 during times that are generally “sale” periods (black friday/cyber monday as an example.) That blog post written a few days before iOS was released based off of the developer beta versions of it they had access to methods to defeat most of the majorly touted security software upgrades, not in some theoretical sense but the actual technical details on how it would be done & likely knew how to deal with all major & minor upgrades or almost all of them they just didn’t discuss for a few different reasons.

    All of that is to try to explain why it is that I would be willing to bet at least half of everything that I own and/or is in my name (I’m not very wealthy so I would not be so cocky as to say everything despite it being an imaginary scenario,) that they don’t have a single phone which *they personally don’t already have a way, nor do they or some U.S. government agency have any partner they used for any other issue in this area of activity before who does not offer a way to defeat any & all security, encryption, etc.. on*. Not 1 that security, encryption, etc… is the singular barrier preventing access to the data on. Now I would be cocky enough to bet everything that there is no more than 10 phones that fit that description. I mean evidence is literally all over the place though it is more easily found generally from an approach of looking for ways to break the security of these devices than it is from an approach of looking for what devices law enforcement or the government is capable of breaking. The second approach is typically more difficult to track down information that is just out in the public sphere in regards to newer things being that they are done behind closed doors between contracting 3rd parties or within the agencies (or between different ones at times,) rather than just posted on some website or what have you. The first approach very quickly leads to what in the scheme of things is rather affordable solutions to the same questions that literally anyone can purchase legally & does actually work. For that matter it doesn’t take all that much more of an effort to find publicly available means for many instances that cost no money at all & only minor technical knowledge & effort to do (without even resorting necessarily to even a run of the mill black hat hacking forum & definitely without resorting to something like a dark web site of some fashion.) So the idea that any industrialized country on the planet, especially the U.S. government, does not have at least 1 way to achieve this is on its face absurd.

    • SpaceLifeForm says:

      Yes, Nation-States that have resources (money, time, good hackers), sure, they will get in, no problem. But, they will be focused on specific targets. If you are not a specific target, but a possible subject, then they will just follow the Metadata. If, however, you start communicating with a specific target (which the Metadata will reveal), then you may become a target too.

      Especially if it involves money laundering.

      • bmaz says:

        You are kind of a blindered one trick pony with the relentless bleating of “METADATA!!” aren’t you?

        Frankly, to any extent the issue may have resilience, you undermine it by crying wolf relentlessly with this vague and somewhat wacky bullshit. You might as well diversify into chem-trails at this point.

  5. SpaceLifeForm says:

    Rudy, Rudy, Rudy. C’mon man, your dress does not match your pumps! And your makeup just sucks!

    https://www.politico.com/story/2018/05/24/informant-republicans-democrats-doj-meeting-607128

    “We want to see how the briefing went today and how much we learned from it,” Giuliani said in a Thursday phone call. “If we learned a good deal from it, it will shorten that whole process considerably.”

    [Still trying to figure out what is really happening]

    [Process is *not* getting shorter. No way]

  6. SpaceLifeForm says:

    So, what is the difference between

    iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

    and

    toknowall[.]com

    ?

    Both involved in network attacks.

    FBI investigating both.

    Both domain names taken over to stop or minimize the attacks.

    The difference:

    The former was taken over by Marcus Hutchins while the latter was taken over by FBI via court order.

    So, why is Marcus still enduring legal proceedings?


    • SpaceLifeForm says:

      Note the former is Wannacry, which hit millions of computers, especially corporate networks.

      The latter, VPNFilter, under a million, hits SOHO routers.

      Minimal work, reboot your SOHO router.
      Preferably, factory reset and start over.

      Even DHS says to do that, and I’m not sure when DHS actually bought a vowel.
