DragonI

The FBI has collected 430,000 iris scans in a so-called 'pilot program'

Critics say the agency project includes few privacy protections

www.theverge.com|Colin Lecher

Federal agencies are usually required to submit privacy reports for any project involving personal data, as a way of anticipating and mitigating possible overreach, but the iris pilot still has no privacy impact assessment. A preliminary privacy review in 2014 determined that the assessment was unnecessary "because the pilot was conducted with very limited participation for a limited period of time in order to evaluate iris technology," an FBI representative told The Verge. The majority of the current 434,000 enrollments were added after that determination was made. The bureau says it is currently in the process of creating a privacy impact assessment in response to the expanded scope of the project, although it's not clear when those documents will be complete.

The agreement between the FBI and California "is pretty vague" on privacy guidelines, Ozer says. The document says only that the FBI will handle information from the project "lawfully," while California must "comply with its state privacy laws." (The FBI has said the program is bound by internal information security standards.)

It's not the first time the FBI has dragged its heels on creating privacy reports for a biometric database. In June, a report from the Government Accountability Office found hundreds of millions of facial scans were made under an out-of-date privacy assessment, including tens of millions from driver's license photos that were not linked to any crime. Like the iris pilot, the result was a nominally experimental program that nonetheless ingested vast quantities of personally identifiable data from US citizens.

Both programs were developed as part of the FBI's Next Generation Identification database, an ongoing project that includes federal databases for finger and palm prints collected from crime scenes, as well as employment-based background checks. NGI also includes enhanced searches for identifying unknown corpses.

The FBI has been attempting to exempt the NGI database from certain provisions of the Privacy Act, which would require the government to maintain up-to-date public records on each program. Privacy advocates have accused the agency of attempting to obfuscate how the database will function. "The Privacy Act was enacted to ensure that individuals had an enforceable right to know the records that the government keeps about their activities," a group of advocates and companies recently wrote in a letter to the FBI. "While there may be legitimate reasons for exempting some law enforcement activities from some of the Act's provisions, exemptions must not render the Act meaningless."

According to figures from the FBI and the U.S. Office of Management and Budget, Comey's annual salary as of January 2015 was $183,300. Without a raise or bonus, Comey will make $1.34 million over the remainder of his job.

That suggests the FBI paid the largest ever publicized amount for a hacking technique, given the most previously paid was $1 million by U.S. information security company Zerodium to break into phones.

Speaking at the Aspen Security Forum in London, Comey was asked by a moderator how much the FBI paid for the software that eventually broke into the iPhone.

"A lot. More than I will make in the remainder of this job, which is seven years and four months for sure," Comey said. "But it was, in my view, worth it."

Apple Policy on Bugs May Explain Why Hackers Would Help F.B.I.

Apple does not pay hackers to find and report bugs, which may explain why a third party has offered to help the government break into an iPhone.

www.nytimes.com|Nicole Perlroth and Katie Benner

Google, Microsoft, Facebook, Twitter, Mozilla and many other tech companies all pay outside hackers who turn over bugs in their products and systems. Uber began a new bug bounty program on Tuesday. Google has paid outside hackers more than $6 million since it announced a bug bounty program in 2010, and the company last week doubled its top reward to $100,000 for anyone who can break into its Chromebook.

Apple, which has had relatively strong security over the years, has been open about how security is a never-ending cat-and-mouse game and how it is unwilling to engage in a financial arms race to pay for code exploits.

The company has yet to give hackers anything more than a gold star. When hackers do turn over serious flaws in its products, they may see their name listed on the company’s website — but that is it. That is a far cry from what hackers can expect if they sell an Apple flaw on the thriving underground market where a growing number of companies and government agencies are willing to pay hackers handsomely.

Flaws in Apple’s mobile devices can typically fetch $1 million. Last September, a boutique firm in Washington, called Zerodium, which sells flaws to governments and corporations, announced a $1 million bounty for anyone who would turn over an exploit in Apple’s iOS 9 mobile operating system — the same operating system used to power the iPhone used by the San Bernardino shooter. By November, Zerodium said a team of undisclosed hackers had successfully claimed the bounty.

U.S. Says It May Not Need Apple’s Help to Unlock iPhone

A court hearing set for Tuesday was canceled in the Justice Department’s bid to gain access to phone data in the San Bernardino mass shooting inquiry.

www.nytimes.com|Katie Benner

“Testing is required to determine whether it is a viable method that will not compromise data on Farook’s iPhone,” the Justice Department wrote in the filing. “If the method is viable, it should eliminate the need for the assistance from Apple.” The Justice Department added that it would file a status report by April 5 on its progress on unlocking the iPhone.

...

“This could render the whole dispute moot,” Joseph DeMarco, a former federal prosecutor who filed a brief on behalf of law enforcement groups that supported the Justice Department in this case, said of the new filing. “The issue at hand is whether the government can use the All Writs Act to force an unwilling third party, Apple, to create a back door. But if it can find a willing third party to break into the phone, then the All Writs Act argument is moot.”

..

The law enforcement official declined to name the outside party that approached investigators with a possible method for opening the phone.

The Apple executives said the company had been in regular discussions with the government since early January, and that it proposed four different ways to recover the information the government is interested in without building a backdoor. One of those methods would have involved connecting the iPhone to a known Wi-Fi network and triggering an iCloud backup that might provide the FBI with information stored to the device between the October 19th and the date of the incident.

Apple sent trusted engineers to try that method, the executives said, but they were unable to do it. It was then that they discovered that the Apple ID password associated with the iPhone had been changed. (The FBI claimed earlier Friday that this was done by someone at the San Bernardino Health Department.)

Friday night, however, things took a further turn when the San Bernardino County’s official Twitter account stated, “The County was working cooperatively with the FBI when it reset the iCloud password at the FBI’s request.” Justice Department and county spokespeople did not respond to requests for comment on Saturday; an Apple spokesperson said the company had no additional comment beyond prior statements.

Had that password not been changed, the Apple executives said Friday, the government would not need to demand the company create a “backdoor” to access the iPhone used by Syed Rizwan Farook, who died in a shootout with law enforcement after a terror attack in California that killed 14 people. The Department of Justice filed a motion to compel the company to do that earlier Friday.