Published by The Lawfare Institute
in Cooperation With
As readers know, the FBI has accessed the phone of Sayed Farook and the government has withdrawn its motion to compel Apple’s assistance. Paul Rosenzweig and Jason Healy have a wager as to whether or not the FBI tells Apple how it accessed the device within one calendar year. Paul says it won’t disclose, Jason says under a fair application of the Vulnerabilities Equities Process (VEP), it must. Now that there’s a proven method, I want in on the bet.
My money is on third option: The FBI tells Apple how it accessed the phone for reasons unrelated to the VEP.
I do not believe the government is required to disclose by the much-discussed, little-understood VEP. And I agree with Ben that the outraged tenor of calls for the FBI to provide Apple with some technical assistance of its own show more than a little chutzpah. But I do think the government will disclose within the year—and probably in the near future—because it’s the right call on a number of non-VEP factors.
Some context on the VEP: The government certainly does not have to disclose its tool pursuant to this process, as some commentators have opined, primarily because the government does actually have to do anything pursuant to the VEP. It is an executive policy process, not a law. In essence, there is a policy commitment to ask the interagency a particular set of questions prior to making a decision to withhold a vulnerability from the public for some period of time. This process ensures multiple stakeholders will play a role—significantly, removing the determination from the intelligence community alone—and ensures consistent and rigorous examinations designed to reflect the public expectations.
As a general matter, all interagency processes—which are overseen by the White House—are as unpredictable as they are maddening. For those outside the National Security Council, it can feel a bit like being a teenager consulted on an important family decision, only to be arbitrarily overruled by parents for reasons that make you wonder why they bothered asking your opinion in the first place. Bottom line, there is no majority vote here. It’s a process by which the Administration gathers the information it needs from various agencies in order to make a final determination that is its own to make.
There is simply not enough available information to make any kind of reasonable guess as to the outcome of the VEP process here, assuming it even applies. While White House cyber chief Michael Daniel has written in general terms about the factors to be weighed, the far more specific and detailed questions that actually constitute the process are not publicly known. In Daniel’s broader terms, the considered factors are
- How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
- Does the vulnerability, if left unpatched, impose significant risk?
- How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
- How likely is it that we would know if someone else was exploiting it?
- How badly do we need the intelligence we think we can get from exploiting the vulnerability?
- Are there other ways we can get it?
- Could we utilize the vulnerability for a short period of time before we disclose it?
- How likely is it that someone else will discover the vulnerability?
- Can the vulnerability be patched or otherwise mitigated?
Without knowing anything about the method the FBI is employing, I see no basis for assuming this is a computer vulnerability subject to the process in the first place. But if it is, based on the information available, I’m not convinced any of those factors weigh in favor of immediate disclosure.
Of course, there is really no way to meaningfully predict the outcome of any process without knowing what exactly is being judged under the criteria. And while we may be able to approximate the equities of the FBI and DOJ, it is far more difficult to predict the impacts to other stakeholders across the executive branch. Keep that in mind when listening to commentators who insist that a particular outcome is required here; the whole point of having a process is that it is fact-specific and that the outcome is not obvious without those facts.
But I still think the government ends up telling. And I think it does so for reasons which have nothing to do with VEP factors.
First, the VEP does not consider an inevitable need to disclose—it is designed to evaluate intelligence community tools which may well remain secret. But a law enforcement method is only useful as a secret until evidence is needed in a criminal prosecution. As I’ve mentioned elsewhere, when a forensic method is used to obtain evidence in a criminal case, the defendant has a Sixth Amendment constitutional right to confront his accuser; in practical terms that means being able cross-examine the expert on the methods employed. In San Bernardino, the defendants in question are deceased. But obtaining evidence that cannot be used in court is not all that valuable to law enforcement in the long run. Because there are no obvious grounds on which to assert that a third-party commercial service is classified, secrecy is time-limited from the outset.
Second, while the VEP itself creates public legitimacy, the process does not factor in public relations. Rather, it presumes internal executive deliberations will remain secret—vulnerabilities will be disclosed (immediately or eventually) without sharing the reasoning. But the Apple case is the first true public test of the government’s general inclination to share or hoard “vulnerabilities.” The executive branch has been working to convince critics that internal processes—VEP and otherwise—favor disclosing vulnerabilities in the vast majority of cases. Indeed, Michael Daniel wrote about the VEP in response to speculation that the US government was aware of and did not disclose the Heartbleed vulnerability—an accusation it denies. Considering the ground it has to make up with a skeptical public, it would be surprising if the government did not use this opportunity to demonstrate its good faith. The public relations factor is especially salient when the timeline is already limited to use in court.
Finally, the likelihood that the method is something Apple will inadvertently fix in future updates weighs differently here than it would under the VEP. Apple has already indicated its intention to move towards systems that will make it technically impossible to provide the type of assistance requested in California. While Apple’s engineers may not be aware of a specific compromise, they certainly know which areas to generally reinforce; that is their job. Under the VEP, this fact might weigh against disclosure; if the vulnerability is likely to be patched anyway, that minimizes the “significant risk” of leaving it unpatched. But, apart from the VEP, this factor likely favors telling Apple here. If the FBI discloses the method, it is still able to deploy it on phones already in its custody, assuming those are currently disabled from software updates. If the method is at the mercy of Apple’s next update anyway—not to mention the government’s own need to use it in court—its future value is limited enough to weigh in favor of telling Apple.
To hedge my bet, here are a few factors weighing against disclosure. First, the government may have agreed to treat the method as the proprietary information of the third-party company. That would likely limit the method’s usefulness for criminal prosecutions, but the FBI may well have agreed to such terms in this particular case. Second, the government may not know what the method is. The third party could have provided the assistance without disclosing the method itself. This would be at least somewhat at odds with the Justice Department’s representation to the court—DOJ requested time to conduct testing—but it is not outside the realm of possibility. Finally, if the method is one which will eventually need to be disclosed in court, the government may allow nature to take its course instead of proactively disclosing to Apple. Essentially, the government may decide that it makes sense to let the court process determine the disclosure timeline, especially if they are not concerned any immediate risks to Apple will materialize.
Still, I’m betting that if the government knows, it’ll tell and sooner rather later. And it should; the value here would seem too limited and the awareness too broad to justify a different outcome.
Paul and Jason, if I’m wrong and the government either does not disclose or announces they are doing so pursuant to the VEP, your drinks are on me.