| SAN FRANCISCO, April 13
SAN FRANCISCO, April 13 The company that helped
the FBI unlock a San Bernardino shooter's iPhone to get data has
sole legal ownership of the method, making it highly unlikely
the technique will be disclosed by the government to Apple or
any other entity, Obama administration sources said this week.
The White House has a procedure for reviewing technology
security flaws and deciding which ones should be made public.
But it is not set up to handle or reveal flaws that are
discovered and owned by private companies, the sources said,
raising questions about the effectiveness of the so-called
Vulnerabilities Equities Process.
The secretive process was created to let various government
interests debate about what should be done with a given
technology flaw, rather than leaving it to agencies like the
National Security Agency, which generally prefers to keep
vulnerabilities secret so they can use them.
The government's efforts to force Apple to help it
unlock the San Bernardino iPhone have reignited a national
debate about encryption, security and privacy that continues to
rage two weeks after the Justice Department said it broke into
the phone without Apple's help.
The sources said the technology used to get into the phone
was supplied by a non-U.S. company that they declined to
identify.
Without cooperation from the company, the FBI would not be
able to submit the method to the Vulnerabilities Equities
Process even if it wanted to, the sources said on condition they
not be named.
The FBI itself probably does not know the details of the
technique - just enough to determine that it worked, according
to government sources and Rob Knake, who managed the White House
process before leaving last year.
The FBI said in February that it was unable to get into the
iPhone 5c used by San Bernardino shooter Syed Farook without
help from Apple, and it won a court order compelling the Silicon
Valley icon to break into the device. Apple, backed by much of
the tech industry, complained that the order would in effect
make businesses arms of the state.
The Justice Department dropped the matter the day before a
crucial court hearing, saying it had found a way to get into the
phone.
At the time, Apple said it hoped the maneuver would be
disclosed so that it could fix the flaw before it is discovered
and exploited by criminals.
In a separate New York case, the Justice Department is
trying to force Apple's help in extracting data from a drug
dealer's iPhone 5s. For technical reasons, that would be easier
for Apple to do, though it would be much harder for the FBI or a
contractor, said phone security expert Dan Guido.
The two battles spotlight a long-running but seldom aired
conflict over whether information about software security lapses
should be kept secret by law enforcement or intelligence
agencies, who want the knowledge to snoop, or disclosed to the
technology companies so they can patch the holes.
After questions were raised about the Vulnerabilities
Equities Process in 2013, White House cybersecurity policy
coordinator Michael Daniel said it was "reinvigorated," though
information as basic as which departments are involved remained
undisclosed.
Daniel has written that the factors to be weighed include
how easy a flaw would be for outsiders to find and how much
danger would be posed to society.
But Knake said the procedure had been created in 2010 to
handle situations like an FBI technologist in a lab inventing a
method for circumventing security.
"It was not set up for a world of commoditized
exploitation," where major defense contractors buy and sell
flaws for millions of dollars. (here)
"There is no way the government could force companies to
share the methods that they are trying to sell, or any way to
stop government agencies from buying from those companies," he
said.
Knake said the process could be improved if it were revamped
again to deal with the reality of the exploit marketplace.
The White House referred questions to the FBI, which did not
respond to emails seeking comment.
(Reporting by Joseph Menn in San Francisco and Mark Hosenball
in Washington. Additional reporting by Dustin Volz. Editing by
Jonathan Weber and Bernard Orr)