Encryption

The Apple Vulnerability Disclosure Question -- Looks Like I Will Win

By Paul Rosenzweig
Thursday, April 28, 2016, 10:39 AM

A few weeks ago, as anyone who is not living under a rock will remember, the FBI withdrew its effort to force Apple to unlock an iPhone because, as it told the court, it gained access to the phone through a previously undisclosed vulnerability. Apple then publicly turned around and asked the FBI to disclose the vulnerability that it had found to it -- a request that Ben characterized as digital chutzpah.

It seemed to me at the time that it was unlikely that the FBI would agree to Apple's request -- and that a fair application of the vulnerability process would result in a decision not to disclose. My friend, Jason Healey, disagreed -- and so we made a small wager on the outcome. We set a 1-year deadline on whether the FBI would or would not publicly tell Apple what it had found. Susan joined in -- arguing that the FBI would tell Apple about the vulnerability for reasons unrelated to the equities process. And over on Twitter, co-blogger Nicholas Weaver, also chimed in on the bet, saying that the vulnerability would be disclosed. All in, I am going to be out 3 dinners if they do -- and eating three good meals at someone else's expense if the FBI does not.

It's a bit premature, of course, to declare victory. The deadline is still 11 months away in March 2017. But if this report from the Associated Press is correct, it might be time for my friends to start planning where we will dine (anywhere in the greater DC area is fine by me). According to the report, the FBI won't disclose because it can't -- it doesn't know how the vulnerability works:

The FBI said Wednesday that it will not publicly disclose the method that allowed it to access a locked iPhone used by one of the San Bernardino attackers, saying it lacks enough "technical information" about the software vulnerability that was exploited.

* * *

In a statement Wednesday, FBI official Amy Hess said that although the FBI had purchased the method to access the phone — FBI Director James Comey suggested last week it had paid more than $1 million — the agency did not "purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate."

Now, to be fair, that's a completely unanticipated reason why my prediction is likely to be accurate ... so my friends might call a "foul" on me. But I'm starting to taste the victory ....