WASHINGTON—The Federal Bureau of Investigation is testing the method used to crack a terrorist’s iPhone to see how many other versions of the device it could open, but it could take officials many more months to decide what to do with their newfound ability.
The showdown between the FBI and Apple Inc. over the locked iPhone of San Bernardino, Calif., gunman Syed Rizwan Farook came to a halt this week when officials announced that an undisclosed third party had shown the government a technique for decrypting the phone’s data.
The FBI hasn’t disclosed the technique or what it found on the phone. The government did, however, drop a high-stakes legal bid to force Apple to help investigators breach the device’s security features.
Apple hasn’t identified the security flaw that let the FBI access Mr. Farook’s iPhone 5C, or determined how many of its other devices might be vulnerable. The 5C wasn’t a particularly big seller for Apple, limiting the technique’s value unless it works on other models. Still, it could have consequences for the broader debate between Washington and Silicon Valley over encryption, privacy, and security.
Chris Soghoian, principal technologist at the American Civil Liberties Union, said the FBI is facing “a million-dollar question, and really what it comes down to is, does the FBI prioritize its own surveillance needs, or does it prioritize cybersecurity.’’
The longer the FBI keeps the security flaw to itself, he said, “the more they are gambling that no other entity will discover this flaw.’’ The ACLU had criticized the FBI’s efforts to force Apple to help unlock the phone.
The process federal intelligence and law-enforcement agencies use for deciding whether and how to disclose a security gap can take months, even when events are moving quickly, according to current and former officials.
The White House oversees the deliberations over whether the newly discovered fault should be publicly disclosed, flagged to the affected company, or kept secret so government agents can keep using it.
In recent days, several current and former government officials have suggested that the process could be more complicated in Apple’s case, because the company has taken the position that it will fight government efforts to make it help unlock phones.
While the government says it needs to be able to look inside such devices when it has a warrant, Apple and other tech companies argue that even with a warrant it is wrong to force them to create new weaknesses in their systems that could expose millions of customers to hacking or snooping.
If the government ends up giving Apple the details of the security flaw, the company could potentially update its software to close off access. The government also will have to decide what, if anything, to tell local law-enforcement authorities about the new encryption-cracking technique. Many local prosecutors say they are locked out of phones that could hold evidence of criminal offenses.
Robert Anderson, a former senior FBI official who is now an executive at Navigant Consulting Inc., said that the more iPhones could be opened with the technique, the more likely the government would be to disclose it to Apple. “I don’t think they would hide it and jeopardize millions of people’s safety and privacy,’’ he said.
Mr. Anderson added, however, that much of the discussion of the Apple-FBI fight fails to account for the fact that technological advances outpace the government’s efforts to stay on top of them.
The FBI’s success in cracking the phone “is going to last for about 30 seconds in the cyberworld…and we’ll be right back to square one,’’ Mr. Anderson said.
He said Washington and Silicon Valley needed to avoid fighting about specific technical features that will be outdated in weeks or months. “Our structure in the government is not designed for today’s world,’’ said Mr. Anderson. “We need to strive to have better processes so that we can communicate faster and more accurately with each other, ’’ he added.
While federal officials have said the review process is designed to favor disclosing security flaws, the ACLU’s Mr Soghoian, said the process appears to be skewed toward holding on to secret vulnerabilities for investigative or intelligence-gathering purposes, rather than sharing them so the flaws can be fixed. That approach, he said, might pay off for the government in the short term but do more harm over time.
He added that by “stockpiling vulnerabilities, and not reporting them, the U.S. government risks angering firms that it regularly goes to seeking voluntary help. And the U.S. government needs Silicon Valley more than Silicon Valley needs the U.S. government.’’
Write to Devlin Barrett at email@example.com