FBI 'Going Dark' whopper: Locked out of only 1,200 phones, not 7,775

The FBI blames programming errors for grossly inflating the number of encrypted, unhackable phones it said it needed backdoors into.


When is 7,775 actually only 1,200? When the FBI is talking about encrypted phones that the bureau couldn’t unlock. Come to find out, all that talk about the “Going Dark” problem is more like a counting problem blamed on poor programming and multiple databases.

As reported by the Washington Post, the FBI grossly overstated the encryption threat figures. FBI Director Christopher Wray repeatedly trotted out 7,775 — usually rounded up to 7,800 — as the number of encrypted mobile devices the FBI was unable to hack into during 2017. It was used again and again by the FBI to pound home its need for backdoors into encryption.

Wray said that to Congress, to the public, and even during a speech at a cybersecurity conference in January 2018. After claiming the bureau does support “information security measures, including strong encryption,” Wray added that those “security programs need to be thoughtfully designed so they don’t undermine the lawful tools we need to keep this country safe.”

“While the FBI and law enforcement happen to be on the front lines of this problem, this is an urgent public safety issue for all of us. Because as horrifying as 7,800* in one year sounds, it’s going to be a lot worse in just a couple of years if we don’t find a responsible solution.”

The asterisk was just recently added, as was the notation: “* Due to an error in methodology, this number is incorrect. A review is ongoing to determine an updated number.”

The Washington Post reported that the real number of locked phones is closer to 1,200, according to an internal estimate conducted last week.

“The FBI’s initial assessment is that programming errors resulted in significant over-counting of mobile devices reported,” the FBI said in a statement Tuesday. The bureau said the problem stemmed from the use of three distinct databases that led to repeated counting of phones. Tests of the methodology conducted in April 2016 failed to detect the flaw, according to people familiar with the work.

If the 1,200 is even correct, then the FBI managed to count each locked phone over 6.479 times to reach the 7,775 number. The FBI has been aware of the “miscount” for about a month; the actual number of locked devices in 2017 will eventually be determined after the FBI completes an audit.

Still, the bureau maintains, “Going Dark remains a serious problem for the FBI, as well as other federal, state, local and international law enforcement partners. ... The FBI will continue pursuing a solution that ensures law enforcement can access evidence of criminal activity with appropriate legal authority.”

Electronic Frontier Foundation responds to FBI's 'programming errors'

Commenting upon the newly revealed FBI “programming errors” and the bureau’s inflated number of unhackable phones, Electronic Frontier Foundation (EFF) Staff Attorney Andrew Crocker wrote, “Frankly, we’re not surprised. FBI Director Christopher Wray and others argue that law enforcement needs some sort of backdoor ‘exceptional access’ in order to deal with the increased adoption of encryption, particularly on mobile devices.”

Scoffing at the scope of the FBI’s ‘Going Dark’ problem, the EFF wonders “how and why the FBI finds itself thwarted by so many locked phones” when third-party solutions from vendors such as Cellebrite and Grayshift “can reportedly bypass encryption on even the newest phones.”

To that end, the EFF submitted a Freedom of Information Act (FOIA) request “to the FBI and other Department of Justice agencies to get some straight answers about approximately 7,800 supposedly unhackable cellphones.”

Kevin Bankston, director of New America’s Open Technology Institute, added:

For years, the FBI has been pushing for backdoors into encrypted mobile devices based on broad claims that law enforcement is ‘going dark’, even as practically every expert outside of law enforcement has made clear that doing so would seriously undermine our cybersecurity, our digital privacy, and our tech economy. Now, it turns out that the FBI’s claims were based on bad math and the problem is only a small fraction of what we were originally told — making it all the more clear that Congress should refuse the FBI’s call for legislation that would undermine the security of our smartphones.

What is still unclear, however, is just how the FBI could have made such a massive mistake on such an important issue, and repeatedly given false information in sworn testimony to Congress. We call on the Justice Department's Inspector General to open a new investigation to find the answer to that question, and on the FBI to finally drop its misguided crusade to undermine encryption.
