圣贝纳迪诺恐袭案背后秘史：FBI本可攻破iPhone加密程序

近来随着关于智能手机加密防护的争论再次升温，该领域曾经发生过的一场重要争论也再次引起了人们的关注。据最新披露的一份报告显示，2015年的圣贝纲迪诺恐袭案发生后，美国联邦调查局本可不依赖苹果公司的协助，自行解锁一名枪手使用的iPhone。但这样做会大大降低FBI通过法律途径向苹果施压的力度，从而无法为今后要求苹果提供协助创下前例。FBI最终还是诉诸法律途径，跟苹果打起了官司。

这段历史为什么又引起了人们的注意？因为最近，特朗普政府试图强迫智能手机制造商在手机中留下“后门”，以便执法部门读取用户的加密信息。多数专家表示，此举将弱化所有手机用户的敏感信息保护力度。今年一月，FBI局长克里斯托弗·雷在讲话中表示，FBI需要手机留下某种形式的后门，因为去年该局有8,000多部涉案手机无法读取数据，从而造成了“重大的公共安全问题”。而一向反对政府给手机开后门的参议员罗恩·维顿则表示，FBI局长的看法是“欲盖弥彰”，其用心“昭然若揭”。

围绕圣贝纳迪诺恐袭案的涉案手机解锁问题，2016年FBI曾与苹果公司曾爆发过一场大规模的法律战。就在手机加密问题再次引发双方激辩的同时，不久的一份新报告却披露了那场法律战背后一些不为人知的秘密。

不过这些信息看来对FBI十分不利。

2015年12月2日，两个名叫萨伊德·里兹万·法鲁克和塔什芬·玛利克的枪手在加州的圣贝纳迪诺炮制了一桩枪击案，造成14人死亡。案发后，执法部门发现了一部属于法鲁克的iPhone 5C手机，这部手机设有密码。2016年2月，FBI请求法院要求苹果公司重写iPhone软件，以允许FBI破解手机密码。当时FBI表示，没有苹果的帮助，FBI无法绕过这部涉案手机的加密程序。时任FBI局长的詹姆斯·科梅伊两次在国会作证时作了同一表态。但由于法律程序迁延日久，最终FBI还是在没有苹果协助的情况下将这部手机解锁了。据称它采用的是由外部专家研发的一种技术。（解锁这部手机的团队并非之前所传的以色列安全公司Cellebrite。）

一段秘史

上周二，美国司法部监察长披露了一份关于此事的11页的报告，并将报告的PDF版本公布在了司法部网站上。报告认为，科梅伊和FBI向法院申请强制苹果解锁涉案手机时并未撒谎，他们确实认为自己没有这个能力，不过这仅仅是因为FBI高层当时没有咨询该局最先进的网络部门的意见。后来FBI的“远程操作部门”（ROU）接到任务后，联系了一家外部“厂商”，最终搞出了能攻破iPhone防护措施的解决方案。

从报告中看，FBI在2015年12月3日就获得了法鲁克的iPhone。破解这部手机的任务落到了FBI的操作技术处（OTD），该处包括ROU和CEAU（加密与电子分析部门）两个部门，其中ROU主要负责国家安全案件，而CEAU主要负责一般刑事案件的调查。不过那次破解任务以CEAU为主，破解也没有成功，并且当时并未寻求外部协助。

ROU直到2月11日才知道这件事，这时离政府检察官向法庭申请强制苹果解锁只有不到一个星期了。不过当时ROU已经知道有一家外部厂商拥有攻克苹果安全防护的技术，而且这项技术的完整度已达90%。ROU要求该厂商全力完成破解方案，到了3月16日，这项技术已经可以使用了。不到一周后，政府的律师就撤销了对苹果的指控。

该报告认为，司法部监察长“未发现任何证据表明，在时任FBI局长科梅伊向国会作证以及向法庭申请强制执行时，OTD已拥有了破解法鲁克的iPhone手机的能力。因此我们认定，FBI的国会证词以及向法院提交的申请并非是失实的。”

不过故事到这里还不算完，报告还指出：

不过，FBI对国会和检察官办公室所作的关于其没有能力破解法鲁克iPhone数据的证词，乃是基于OTD的部门和人员已经进行过有效沟通协调，而且CEAU已经穷尽了所有技术方案的前提。然而我们认为，这种理解和假设并无事实支持。

该报告还指出，当得知针对苹果的指控已经撤销后，CEAU的负责人还很不高兴。“外部厂商介入后，他对针对苹果的诉讼无法继续进行而感到沮丧，甚至向ROU的负责人发泄了自己的不满。他坦承，在与ROU负责人交谈过程中，他公开表达了自己对聘请外部厂商破解法鲁克iPhone的失望，并质问ROU的负责人：‘你为什么要那样做？’”

冲突本可避免

报告指出，问题的症结在于，FBI在尝试所有可能的解决方案之前，本不应该动用法律手段解决问题。“我们认为，CEAU应该已经向它信任的各家厂商咨询了可能的解决方案，在被告知无果后，才向OTD和FBI高层（乃至美国联邦检察官办公室）表示，没有其他替代的技术方案能攻破法鲁克的iPhone，必须请求苹果的技术援助。”

苹果拒绝向《财富》就这份报告发表评论。不过苹果早先曾就美国政府要求手机厂商给手机留“后门”一事发表过声明。苹果公司高级副总裁克雷格·费德里吉在声明中称：“用户依靠我们的产品来保护他们的个人信息，运营他们的企业，甚至是管理电网、交通系统等重要基础设施。鉴此，削弱手机的安全性是没有道理的。保护别人的隐私，就是保护我们所有人的隐私，所以我们应当摒弃保护隐私必然妨害安全的错误思维。实际上，这是一个安全对安全的问题。”

在与该报告一并发布的一封信中，FBI也强调了报告的结论，称FBI在此案中并没有作任何虚假证词，并承诺将在OTD部门内部进一步加强“沟通协调”。（财富中文网）

译者：朴成奎

With the debate over encryption on smartphones heating up yet again, one of the most important past controversies in the area needs to be revisited. According to a new report, the FBI could have unlocked the iPhone used by one of the San Bernardino shooters without Apple’s help possibly more quickly than it did. But that would have undercut the bureau’s legal efforts to force Apple’s hand and set a precedent requiring future assistance.

The history is suddenly relevant again as the Trump administration is trying to revive proposals to force smartphone makers to add a “backdoor” for law enforcement agencies to get access to users’ encrypted information. Most outside experts warn that approach would weaken the protection of sensitive data for all phone users. The new plans follow a speech in January by FBI director Christopher Wray, who said the bureau needed some kind of backdoor because it was locked out of almost 8,000 phones last year creating “a major public safety issue.” Senator Ron Wyden, who has long opposed weakening encryption, blasted Wray’s view as “ill-informed” and “debunked.”

But just as both sides are reengaging in well-worn arguments, detailed information emerged on Tuesday shedding new light on the massive legal battle between the FBI and Apple in 2016 over the difficulties of decrypting an iPhone used by one of the San Bernardino shooters.

And the new information doesn’t look good for the FBI.

After the December 2, 2015 shooting by Syed Rizwan Farook and Tashfeen Malik in San Bernardino, Calif. during which 14 people were killed, law enforcement officials found an iPhone 5C belonging to Farook. The phone was locked with a passcode. In February, 2016, the FBI went to court seeking to force Apple to rewrite the software running on iPhones to allow the bureau to crack the passcode. Without Apple’s aid, the FBI said it had no way to get past the phone’s encryption. Then-FBI-director James Comey repeated that story twice in Congressional testimony. But as the legal efforts dragged on, the FBI ultimately was able to unlock the phone without Apple’s help by relying on a technique developed by outside experts. (Though not, as was once rumored, Israeli security firm Cellebrite.)

A Secret History

On Tuesday, the Inspector General of the Justice Department released an 11-page report on the incident and posted a PDF version on the department’s web site. The report concluded that Comey and the FBI’s court filing told the truth about the bureau’s inability to unlock the phone. But that was only because top FBI officials hadn’t asked one of the bureau’s most sophisticated cyber units for help. As soon as the group, known as the Remote Operations Unit or ROU, was asked, it connected with an outside “vendor” that created a solution to crack the iPhone’s security.

According to the timeline uncovered by the Inspector General, the FBI seized Farook’s iPhone on December 3, 2015. The task of cracking the encryption fell to the bureau’s Operational Technology Division, including both the Remote Operations Unit, which tends to focus on national security matters, and a section called the Cryptographic and Electronic Analysis Unit, or CEAU, which aids most criminal inquiries. But only CEAU started working on the phone, failed to crack it, and did not seek outside assistance.

The ROU wasn’t informed about the challenge until February 11, less than a week before government prosecutors went to court in their effort to force Apple to help. And the ROU already knew about an outside vendor who had a technique to crack the iPhone that was 90% complete. Once the ROU asked the vendor to prioritize finishing the cracking scheme, it was ready to use by March 16. Less than a week later, government lawyers dropped the case against Apple.

The Inspector General “found no evidence that OTD had the capability to exploit the Farook iPhone at the time of then-Director Comey’s Congressional testimony and the Department’s initial court filings,” the new report concludes. “We therefore determined that neither the Congressional testimony nor the submissions to the Court were inaccurate when made.”

But that wasn’t the whole story, the report continues:

However, FBI statements in Congressional testimony and to the (U.S. Attorney’s Office) regarding its capabilities to access the data on the Farook iPhone were based on understandings and assumptions that people and units in OTD were effectively communicating and coordinating from the outset and that CEAU had searched for all possible technical solutions, points that were not borne out by the facts, as we determined them

And, according to the report, the head of the CEAU unit wasn’t happy that the case against Apple had to be dropped. “After the outside vendor came forward, he became frustrated that the case against Apple could no longer go forward, and he vented his frustration to the ROU Chief,” the report says. “He acknowledged that during this conversation between the two, he expressed disappointment that the ROU Chief had engaged an outside vendor to assist with the Farook iPhone, asking the ROU Chief, ‘Why did you do that for?'”

The Confrontation Could Have Been Avoided

The bottom line was that the FBI should not have gone to court against Apple before comprehensively checking for possible solutions, the Inspector General noted. “We believe CEAU should have checked with OTD’s trusted vendors for possible solutions before advising OTD management, FBI leadership, or the (U.S. Attorney’s Office) that there was no other technical alternative and that compelling Apple’s assistance was necessary to search the Farook iPhone,” the report concludes.

Apple declined to comment to Fortune on the new report. The company had earlier issued a statement on the government’s renewed efforts at forcing backdoors in phones. “Weakening security makes no sense when you consider that customers rely on our products to keep their personal information safe, run their businesses or even manage vital infrastructure like power grids and transportation systems,” Apple senior vice president Craig Federighi said in the statement. “Ultimately protecting someone else’s data protects all of us so we need to move away from the false premise that privacy comes at the cost of security when in truth, it’s a question of security versus security.”

In a letter accompanying the report, the FBI highlighted the conclusion that no inaccurate testimony had been given and committed to improve “communication and coordination” within the bureau’s Operational Technology Division.