Getty Images | erhui1979
The Federal Bureau of Investigation has repeatedly claimed that it was unable to access data on nearly 7,800 encrypted devices in fiscal 2017, but the FBI now admits the number is far lower. In reality, there were just 1,000 to 2,000 devices that the FBI couldn’t unlock last year, The Washington Post reported yesterday.
The FBI apparently counted individual phones multiple times, an error related to the agency’s use of three separate databases. The FBI used the inflated number as evidence that companies like Apple should weaken smartphone security in order to help the agency access encrypted devices. For example, FBI Director Christopher Wray said the following in a January 2018 speech:
In fiscal year 2017, we were unable to access the content of 7,775 devices—using appropriate and available technical tools—even though we had the legal authority to do so. Each one of those nearly 7,800 devices is tied to a specific subject, a specific defendant, a specific victim, a specific threat… Being unable to access nearly 7,800 devices is a major public safety issue. That’s more than half of all the devices we attempted to access in that timeframe—and that’s just at the FBI.
Wray said the 7,800 locked devices illustrate the scope of the “Going Dark” problem, in which criminals benefit from the standard smartphone security features that protect consumers at large. But the FBI’s transcript of Wray’s speech now carries a correction saying that “Due to an error in methodology, this number is incorrect. A review is ongoing to determine an updated number.”
New estimate of 1,200 unlockable devices
One internal FBI estimate last week put the real number of locked phones in FBI possession at 1,200, “though officials expect that number to change as they launch a new audit, which could take weeks to complete, according to people familiar with the work,” the Post reported. If the correct number is 1,200, then the FBI estimate of 7,775 would be nearly 550 percent higher than the actual amount.
The real amount is “probably between 1,000 and 2,000, the Post story said, continuing:
“The FBI’s initial assessment is that programming errors resulted in significant over-counting of mobile devices reported,” the FBI said in a statement Tuesday. The bureau said the problem stemmed from the use of three distinct databases that led to repeated counting of phones. Tests of the methodology conducted in April 2016 failed to detect the flaw, according to people familiar with the work.
While the FBI admitted the error, it said it will continue lobbying for greater access to encrypted devices. “Going Dark remains a serious problem for the FBI, as well as other federal, state, local and international law enforcement partners,” the FBI statement said. “The FBI will continue pursuing a solution that ensures law enforcement can access evidence of criminal activity with appropriate legal authority.”
Apple and other companies have resisted the FBI’s calls to weaken device encryption, saying that doing so would threaten the security of millions of law-abiding smartphone users. Privacy advocates and security experts have consistently said that key-escrow systems that give law enforcement access to encrypted devices would put ordinary consumers at risk.
We contacted the FBI’s press office and will update this story if we get more information.
UPDATE: An FBI statement to Ars offered a bit more detail on the counting mistake. The FBI said:
In April 2016, the FBI implemented a new collection methodology, which gathered data from three separate databases maintained by the FBI’s Operational Technology Division (OTD). The FBI relied upon information from these databases to publicly report that approximately 7,775 devices could not be accessed in Fiscal Year 2017 (FY 2017), despite the FBI having the legal authority to do so. However, the FBI recently became aware of flaws with the methodology implemented in April 2016, and has determined the previously reported FY 2017 statistics are incorrect. The FBI’s initial assessment is that programming errors resulted in significant over-counting of mobile devices reported through OTD’s databases. The FBI is currently conducting an in-depth review of how this over-counting previously occurred, and how the methodology can be corrected to capture future data accurately.
The FBI did not give us any update on exactly how many devices it couldn’t access.