VICE News, the Associated Press, and USA Today filed a Freedom of Information Act (FOIA) lawsuit against the FBI in federal court Friday seeking records related to the “tool” the FBI purchased to unlock the iPhone 5c owned by one of the shooters in the 2015 San Bernardino terrorist attack.
Speaking at the Aspen Security Conference in London last April, FBI Director James Comey suggested the bureau paid as much as a seven-figure sum to unknown hackers to crack Syed Rizwan Farook’s iPhone.
“We paid a lot,” Comey said at the time. “But it was worth it.”
Prior to and following Comey’s remarks, the three news outlets filed FOIA requests with the FBI seeking a wide range of documents concerning the unusual business arrangement between the FBI and the hackers, and the funds the bureau spent on the tool used to crack the iPhone’s four-digit passcode without activating a security feature that would have erased the stored data.
The FBI denied our requests, claiming the documents we sought are exempt from disclosure because they were “compiled for law enforcement purposes” and disclosure “could reasonably be expected to interfere with enforcement proceedings.” But Comey had disclosed that the bureau used public funds to purchase the hacking tool, which he said cost taxpayers more money than he will earn over the next seven years.
Comey earns an annual salary of $183,500.
“Understanding the amount that the FBI deemed appropriate to spend on the tool, as well as the identity and reputation of the vendor it did business with, is essential for the public to provide effective oversight of government functions and help guard against potential improprieties,” states the complaint filed in our FOIA case. “Further, the public is entitled to know the nature of the vendors the Government finds it necessary to deal with in cases of access to private information, including whether or not the FBI feels compelled to contract with groups of hackers with suspect reputations, because it will inform the public debate over whether the current legislative apparatus is sufficient to meet the Government’s need for such information.”
As our lawsuit notes, “the public interest in receiving this information is significant.” The complaint, which can be read in full at the end of this story, continues:
“The FBI’s purchase of the technology — and its subsequent verification that it had successfully obtained the data it was seeking thanks to that technology — confirmed that a serious undisclosed security vulnerability existed (and likely still exists) in one of the most popular consumer products in the world. And in order to exploit that vulnerability, the FBI contracted with an unidentified third-party vendor, effectively sanctioning that party to retain this potentially dangerous technology without any public assurance about what that vendor represents, whether the vendor has adequate security measures, whether the vendor is a proper recipient of government funds, or whether it will act only in the public interest.”
Farook and his wife shot 14 people to death last December at the Inland Regional Center in San Bernardino and wounded 22 others. In the aftermath of the attack, the FBI filed a request with a US magistrate judge demanding that Apple be ordered to help the FBI unlock Farook’s iPhone because, at the time, the government couldn’t figure out how to crack it. The magistrate ordered Apple to build software that would allow the FBI to access the iPhone, but Apple refused and vowed to take the fight to the Supreme Court to protect privacy and digital rights.
The battle between the FBI and Apple was on public display for a couple of months until the FBI revealed last March that it no longer needed Apple’s help, dropping its case. A third party had brought to the FBI’s attention a previously unknown software flaw in the iPhone, a defect that allowed the third party to create the tool used to crack the iPhone’s security feature.
The FBI never disclosed the security flaw to Apple or how it hacked the iPhone, meaning that iPhones may still be vulnerable.
Follow Jason Leopold on Twitter: @JasonLeopold