The FBI may be allowed to withhold information about how it broke into an iPhone belonging to a gunman in the December San Bernardino shootings, despite a US government policy of disclosing technology security flaws discovered by federal agencies.
Under the US vulnerabilities equities process, the government is supposed to err in favour of disclosing security issues so companies can devise fixes to protect data. The policy has exceptions for law enforcement, and there are no hard rules about when and how it must be applied.
The referee is likely to be a White House group formed during the Obama administration to review computer security flaws discovered by federal agencies and decide whether they should be disclosed.
Experts said government policy on such reviews was not clear-cut, so it was hard to predict whether a review would be required. “There are no hard and fast rules,” said White House cybersecurity coordinator Michael Daniel, in a 2014 blog post about the process.
Some experts said the FBI might be able to avoid a review entirely if, for instance, it got past the phone’s encryption using a contractor’s proprietary technology.
Explaining the policy in 2014, the Office of the Director of National Security said the government should disclose vulnerabilities “unless there is a clear national security or law enforcement need.”
The interagency review process also considers whether others are likely to find the vulnerability. It tends to focus on flaws in major networks and software, rather than individual devices.
Apple declined to comment beyond saying it would like the government to provide information about the technique used.