FBI Plans to Keep Apple iPhone-Hacking Method Secret

The Federal Bureau of Investigation plans to tell the White House it knows so little about the hacking tool that was used to open a terrorist’s iPhone that it doesn’t make sense to launch an internal government review about whether to share the hacking method withApple Inc.

The decision, and the technical and bureaucratic justification behind it, would likely keep Apple in the dark about whatever security gap exists on certain models of the company’s phones, according to people familiar with the discussions.

At issue is a hacking tool FBI director James Comey has said cost the government more than $1 million and was used to open the locked iPhone of Syed Rizwan Farook. Mr. Farook and his wife killed 14 people and injured 22 others in a shooting rampage in San Bernardino, Calif., in December before they were killed by police. The FBI wanted access to the data on his phone in hopes of finding information on any additional crimes or associates.

The confrontation was defused when a still-undisclosed third party approached the FBI with a way to unlock the phone, prompting the agency to say it no longer needed Apple’s help.But the phone led to a high-stakes legal confrontation as the Justice Department sought a court order to force Apple to help investigators open the device. The company resisted, saying it would have to write software to open the phone, and that would endanger the privacy of millions of other iPhone users.

The agency is preparing to send a formal notification to the White House in coming days saying that while the agency bought the hacking tool from the third party, officials aren’t familiar with the underlying code that runs it, these people said.

Because of that, the FBI plans to tell the White House, its agents aren’t aware of a software vulnerability that should be reported to the Vulnerabilities Equities Process panel, an interagency group that decides whether to notify software makers of security weaknesses, these people said.

Such a move, tantamount to deciding not to share the vulnerability with Apple, is likely to anger privacy advocates who contend the FBI’s approach to encryption weakens data security for large groups of customers in order to preserve technical options for federal investigators.

Asked for comment Wednesday, an Apple spokesman referred to previous comments made by a lawyer for the company, who said Apple was confident the vulnerability the FBI apparently found would have a short shelf life, and that the company would continue to make security improvements to its phones.

Despite the end of the court fight over the San Bernardino iPhone, the larger policy battle between the government and technology companies over privacy and security continues. But Mr. Comey has said he is glad to see the San Bernardino litigation conclude, because that could lead to a calmer, broader discussion about policy choices surrounding encryption.

At an appearance at Georgetown University on Tuesday, Mr. Comey hinted at the FBI’s plans regarding the iPhone vulnerability. He suggested that despite paying a high price for the hacking tool, his agents may not know enough about how it works to begin the broader White House review that would determine if the security gap should be disclosed to Apple. Mr. Comey said the government was “close” to deciding whether to start that review process.

The question, the director said, is whether the FBI is “aware of a vulnerability, or did we just buy a tool and don’t have sufficient knowledge of the vulnerability’’ to launch the White House vulnerability equities process.

That process involves a number of government entities, including intelligence agencies, who review security vulnerabilities in software and then decide whether to alert the manufacturer or the public about the weakness. The panel’s decisions are based on such factors as the number of people who may be vulnerable; the likelihood of the vulnerability being exploited by malicious hackers; and the value to national security and law enforcement of keeping the security hole secret.

Obama administration officials have said the process leans toward disclosing vulnerabilities so they can be patched, but some privacy groups dispute that, saying the system is in fact weighted in favor of national security and law-enforcement officials who want to continue exploiting any software vulnerabilities for their investigations.

Recently, the Justice Department notified Apple of a different, unrelated software vulnerability in its products, according to people familiar with the discussions. That marked the first, and so far only, instance in which the government has notified Apple of a security vulnerability, these people said.

The vulnerability was relayed to Apple on April 14, according to these people, and centered on a vulnerabilities in iPhone and Mac computer software. Company officials believe they had already fixed those issues in September, according to a person familiar with the matter.

Within the FBI, a number of officials have argued that the tool used to crack Mr. Farook’s phone—a 5C model that isn’t as widely used as the company’s other versions—shouldn’t be provided to Apple, because the company would then patch the security hole and continue to stymie criminal investigations, according to people familiar with the discussions.

Privacy advocates blasted the FBI’s planned move as another indication the agency is willing to sacrifice consumers’ data security if it helps agents pursue investigative leads in specific cases.

Christopher Soghoian, chief technologist at the American Civil Liberties Union, said the planned move by the FBI shows that the government process for reviewing software vulnerabilities “is riddled with loopholes.’’

“If the government can circumvent the process merely by buying vulnerabilities, then the process becomes a farce,’’ Mr. Soghoian said. “The FBI is not interested in cybersecurity.’’

In his appearance on Tuesday, Mr. Comey said the FBI is working to reduce computer-security vulnerabilities by being “more predictive but less reactive’’ to hacking incidents—developing better relationships with victims and potential victims of hacking so that companies can beef up their security measures and be ready to respond quickly in the event of a hacking attack.