The FBI may be allowed to withhold information about how it broke into an iPhone belonging to a gunman in the December San Bernardino shootings, despite a U.S. government policy of disclosing technology security flaws discovered by federal agencies.
Under the U.S. vulnerabilities equities process, the government is supposed to err in favor of disclosing security issues so companies can devise fixes to protect data. The policy has exceptions for law enforcement, and there are no hard rules about when and how it must be applied.
Apple Inc. has said it would like the government to share how it cracked the iPhone security protections. But the Federal Bureau of Investigation, which has been frustrated by its inability to access data on encrypted phones belonging to criminal suspects, might prefer to keep secret the technique it used to gain access to gunman Syed Farook's phone.
The referee is likely to be a White House group formed during the Obama administration to review computer security flaws discovered by federal agencies and decide whether they should be disclosed.
Experts said government policy on such reviews was not clear-cut, so it was hard to predict whether a review would be required. "There are no hard and fast rules," said White House cybersecurity coordinator Michael Daniel, in a 2014 blog post about the process.
If a review is conducted, many security researchers expect that the White House group will not require the FBI to disclose the vulnerability it exploited.
Some experts said the FBI might be able to avoid a review entirely if, for instance, it got past the phone's encryption using a contractor's proprietary technology.
Explaining the policy in 2014, the Office of the Director of National Security said the government should disclose vulnerabilities “unless there is a clear national security or law enforcement need."
The interagency review process also considers whether others are likely to find the vulnerability. It tends to focus on flaws in major networks and software, rather than individual devices.
During a press call, a senior Justice Department official declined to disclose whether the method used on Farook's phone would work on other phones or would be shared with state and local law enforcement.
Apple declined to comment beyond saying it would like the government to provide information about the technique used.
The government reorganized the review process roughly two years ago and has not disclosed which agencies regularly participate other than the Department of Homeland Security and at least one intelligence agency. A National Security Council spokesman did not respond to a request for comment about agency participation.