On May 22, the Washington Post reported a jawdropping screw-up by the FBI that will, if there is any justice left in the world, have significant repercussions for the ongoing encryption debate. Due to “programming errors,” the Post reported, the FBI “provided grossly inflated statistics to Congress and the public” concerning the number of smartphones the agency could not unlock due to encryption in the space of a year.
Since as early as June 2017, FBI and DOJ officials had been saying in public speeches and congressional testimony that the number of unopenable phones was nearly 7,800 in the space of the last fiscal year, and over 3,000 just in the first half. Now, the FBI admits those numbers are bogus. The real number is still being revised, but may be around 1,200 for the entire year. That means the figure the government has been repeating for months is several times the actual count.
Today, Forbes reports that the error lay with a contractor tasked with tracking the number of unopenable smartphones. The contractor allegedly failed to dedupe numbers gathered from across multiple databases, and also counted encrypted apps and files as devices. The result: a massive overcounting.
Were these “programming errors” an honest mistake by the guy who submitted the lowest bid for this government contract, or a deliberate attempt by the FBI to cook the numbers in order to exaggerate the scope of the “going dark” problem? We don’t yet know, but as the aphorism goes, don’t attribute to malice that which is adequately explained by stupidity. However, “stupidity” may be overly harsh (look, I’m terrible at Excel too), so let’s give the FBI and its contractor the benefit of the doubt and just say “mistakes were made.”
But why were they made? We know from the DOJ Inspector General’s report about FBI officials’ “Apple vs. FBI” testimony, which I blogged about last month, that there are elements within the Bureau who have an agenda when it comes to “going dark.” They want to see legal precedent established that authorizes the government to mandate “exceptional access” (read: backdoors) or other compulsory weakening of the encryption in consumer-facing devices and apps. In the “Apple vs. FBI” case, that ulterior motive translated into willful blindness. One section chief with an agenda avoided looking around too hard to see whether the FBI’s outside vendors could help the FBI access the San Bernardino shooter’s iPhone. He was upset when another section chief came forward with a vendor who could, because that meant the court case against Apple couldn’t go forward.
Regardless of anyone’s personal agenda, the FBI—and whatever government contractor it made the mistake of hiring—are organizations composed of humans. That means they are susceptible to bureaucracy, complacency, inertia, outdated technology, and internal politics, just like any other workplace. And government workplaces in particular have a reputation for suffering especially acutely from these problems, thanks in part to the maze of regulations and procedures they must follow. In short: Nobody’s perfect.
In the instant situation, failures occurred at (at least) two different points. First, “the use of three distinct databases … led to repeated counting of phones,” and then, “[t]ests of the methodology … failed to detect the flaw.” According to Forbes, the first-level error came from the contractor. We don’t know yet whether the second one was also made by the contractor, or by FBI personnel checking the contractors’ work. Regardless, it’s worth asking whether—consciously or unconsciously—the FBI’s “going dark” agenda may have caused whoever made the “programming errors,” and whoever ran those tests, to put in less than their best possible efforts.
Maybe this was another willful-blindness situation: somebody came up with the 7,800 number, and everyone else chose not to look too hard at it. Or, perhaps everyone thought they were doing their best, but their best wasn’t that good, and in fact they were unwittingly sabotaging their own work. An unconscious desire to help the Bureau succeed in its “going dark” agenda might have exacerbated the pre-existing organizational dysfunctions that otherwise supply an innocuous (albeit still infuriating) explanation for this screw-up. Even if the FBI (or a contractor hoping to get more work in the future) didn’t fudge the numbers, stupidity might have gotten a quiet nudge from malice.
It’s commendable that the FBI has owned up to the error, but it should never have been made in the first place. This was an entirely avoidable own-goal. America’s choice of encryption policy has huge consequences for computer security, national security, human rights and civil liberties, and the nation’s economic interests, as I’ve explained in a recent whitepaper. It is imperative that the FBI come correct when what they’re asking for—some kind of backdoor mandate—is so high-stakes.
The FBI has a duty to provide Congress and the American public with the best possible information about the critical policy issue of encryption. That’s true not only because bad data makes bad policy, but because the FBI used its overinflated numbers to get Congress to give it tens of millions of dollars of American taxpayers’ money. Its budget request for FY 2018 asked for $21.6 million for its “going dark” efforts based on a number it now admits (with a discreet little asterisk) is wrong. The FBI can’t count, but you got billed for their mistake.
Another reason why the FBI must fix this error is because they owe it to themselves to maintain their credibility. If anyone who opposes the FBI’s “going dark” agenda—the many cryptographers, civil liberties advocates, and others who have worked tirelessly for years to counter the government’s rhetoric and FUD on this issue—were to make this big a mistake, no one on the Hill would take them seriously anymore. Between the OIG report and this overcounting error, the FBI’s credibility on “going dark” is in tatters. As the Post article notes, at a time when the agency’s influence and reputation are under attack by a lawless president and his enablers, the FBI can’t afford these unforced errors.
If the Bureau wants anyone to ever again believe a word it says about encryption, it must get to the bottom of what went wrong here and take steps to ensure it doesn’t happen again. At least two civil liberties organizations so far have suggested that another Inspector General investigation might be necessary to prompt that soul-searching. A congressional inquiry might do the trick too. Senator Ron Wyden (D-OR) has already sent the FBI one of his famous strongly-worded letters. If you’d like to see your congressperson take action, too, pick up your phone. I trust you know how to unlock it.