FBI Over-Counted Encrypted Phones Connected To Crimes — By A Lot

May 23, 2018

The FBI significantly over-counted the number of encrypted phones it says are connected to ongoing criminal investigations but remain inaccessible to investigators without back door access.

For about seven months, the bureau has been telling Congress and the public that potential evidence on nearly 7,800 blocked devices continues to elude investigators. The statistic has been cited repeatedly by multiple officials and lawmakers to demonstrate what they say is the growing threat encryption software combined with a reluctance by manufacturers to provide a key, poses to national security and public safety. But in reality, the true number of devices that have impeded investigations, is likely to be a fraction of that, the FBI acknowledged in a statement Tuesday.

"The FBI's initial assessment is that programming errors resulted in significant over-counting of mobile devices reported through [the Operational Technology Division's] databases," the FBI said.

It explained that a new collection methodology implemented in April 2016 gathered information from three separate databases, resulting in duplicate counts.

"The FBI relied upon information from these databases to publicly report that approximately 7,775 devices could not be accessed in Fiscal Year 2017, despite the FBI having the legal authority to do so," the statement said, adding that the "statistics are incorrect."

A report by The Washington Post suggests a more precise figure is between 1,000 to 2,000 phones.

As recently as January, FBI Director Christopher Wray quoted the inflated figure and said it represented more than half of all the smartphones the FBI had collected in the year-long timeframe. The previous fiscal year's count was 650 devices, as reported by then-director James Comey.

Wray, like his predecessor, subsequently called for cooperation from the private sector because "it's going to be a lot worse in just a couple of years if we don't find a responsible solution."

"We need to work together, the government and the private sector, to find a way forward, and find a way forward quickly," he said at an international conference on cyber security.

The FBI said it first became aware of the tracking error about a month ago.

"It is unfortunate timing for the bureau to admit this kind of mistake because it certainly undercuts the trust in the bureau that was already tenuous to be begin with," Jennifer Daskal, a law professor at American University and former senior Justice Department national security official, told NPR.

The FBI has been the object of President Trump's wrath almost since he took office and the bureau confirmed it was investigating possible collusion between the Trump campaign and Russian nationals. On Sunday, Trump said he would demand the Justice Department launch an investigation into the FBI for allegedly using a "spy" to infiltrate his campaign team.

Daskal added that the new, much smaller number of unbreakable devices, undermines "the scope of the problem and the urgency for the FBI to act as default encryption becomes increasingly ubiquitous.

The debate over encryption and government access to secure information is decades old but it became especially heated after the 2015 mass shooting in San Bernardino, Calif.

As NPR reported:

In the wake of the San Bernardino shootings, the FBI demanded that Apple create a mechanism for accessing data on a locked iPhone. Apple refused, citing concerns about privacy and potential government overreach. As the two sides geared up for a court battle, the Justice Department announced that it had found a third party to help break into the phone. The issue was raised again in 2017 after a Texas gunman's phone was found locked. At the time, an FBI special agent blamed the industry standard encryption for blocking investigators' ability to crack the PIN code on the gunman's device.

Privacy groups argue that efforts by the government to compel companies to break encryption codes are ultimately more harmful to law-abiding citizens who would become more vulnerable to hacking.

Amie Stepanovich, U.S. policy manager at Access Now, a privacy advocacy group, noted cases in which software updates are licensed and developed by the manufacturer have resulted in devices getting "bricked," that's when a device becomes permanently locked or the data is wiped clean.

"Hacking tools released into the wild can't always be controlled," she said. There are unintended consequences."

Copyright 2018 NPR. To see more, visit http://www.npr.org/.