FBI Director James Comey says his agency is still assessing whether a vulnerability used to unlock an iPhone linked to one of the San Bernardino killers will go through a government review to determine if it should be disclosed to Apple or the public.
“We are in the midst of trying to sort that out,” Comey said on Tuesday at a cybersecurity event at Georgetown University in Washington, DC.
“The threshold (for disclosure) is, are we aware of the vulnerability, or did we just buy a tool and don’t have sufficient knowledge of the vulnerability to implicate the process?”
The White House has a procedure for reviewing technology security flaws and deciding which ones should be made public.
Comey suggested the audit may not apply in this high-profile circumstance.
Although officials say the process leans toward disclosure, it is not set up to handle or reveal flaws that are discovered and owned by private companies, sources have told Reuters, raising questions about the effectiveness of the so-called Vulnerabilities Equities Process.
Comey’s comments appeared to concede the FBI does not own the method used to crack the county-owned work phone belonging to Syed Farook, who with his wife opened fire in December on a San Bernardino holiday party, killing 14 and wounding 22.
The method instead belongs to a still-unidentified third party that the FBI said came forward due to the attention received from its public pursuit of a court order to compel Apple’s assistance in unlocking the phone.
Sources have told Reuters the technology used to access the phone data was supplied by a non-US company.
Apple’s refusal to comply prompted a high-profile standoff and ignited a long-simmering debate over security and privacy and law enforcement access to encrypted technology.
The government withdrew its case after it said the secret hacking method worked.
Comey has previously said the method only works a “narrow slice” of iPhone 5c devices running iOS 9.