Stanford CIS

When You Hack Phones on the Fly, but Won’t Confirm or Deny, That’s a Glomar!

By Riana Pfefferkorn

In late December, the American Civil Liberties Union (ACLU) filed a lawsuit against the Federal Bureau of Investigation (FBI), challenging the FBI’s “Glomar” response to its Freedom of Information Act (FOIA) request about the FBI’s encrypted mobile device forensics capabilities. The FBI’s response, as I told Bloomberg, illuminates an ongoing tension in the federal government’s use of surveillance technologies that have both law enforcement and intelligence or national-security purposes.

The ACLU’s request, filed in June 2018, sought records about the Bureau’s Electronic Device Analysis Unit (EDAU). According to the FOIA request, the EDAU is one of the units within the FBI that either home-rolls capabilities for extracting data from locked smartphones, or obtains them from outside third-party vendors such as Cellebrite and GreyShift (the two best-known players in this particular field). Little is publicly known about the EDAU; by its request, the ACLU sought to learn more.

The FBI replied to the FOIA request with what is known as a “Glomar” response. Glomar-ing a request means that the agency receiving the request refuses to either confirm or deny whether responsive records even exist. That is, the topic of the FOIA request is so sensitive that even the fact of the existence (or non-existence) of responsive records is itself deemed to be too sensitive to acknowledge.

The Glomar response is typically seen in the context of requests implicating either (1) an individual’s privacy, as the very fact of someone’s having been the subject of an investigation (or not) may give rise to a privacy interest, or (2) military/intelligence/national security interests, where the topic of the FOIA request may be highly classified. It thus seems unusual, at least to me, to see a Glomar response to a request that was directed at domestic criminal law enforcement activities and that has no bearing on any individual privacy concerns.

An agency’s Glomar response can be overcome if the requester (here, the ACLU) can show evidence that the agency (the FBI) has already acknowledged the existence of the subject of the records request (the EDAU). The ACLU’s FOIA request laid the groundwork for the legal challenge it is now bringing in court: it cited sources documenting multiple instances where the FBI had referred to the EDAU and/or the agency’s device forensics capabilities and vendor partnerships. Those sources include a federal court order, federal contract bid requests, and the 2018 report by the FBI’s internal watchdog about the intra-agency tussles surrounding the 2016 “Apple vs. FBI” lawsuit.

It remains to be seen whether the court will agree with the ACLU that this is enough evidence to rebut the Glomar response. (It bears noting that in September 2019, the DOJ’s own internal appellate body for FOIA appeals reversed and remanded the FBI’s Glomar response as to one of the categories of documents the ACLU requested, but the FBI went silent after the remand.) The FBI might also choose to avoid a potentially unfavorable court ruling by amending its FOIA response to withdraw the Glomar. (In that case, it would still likely refuse to disclose responsive documents on other grounds, which in turn could prompt further litigation.)

Whatever the outcome of the ACLU’s lawsuit, the FBI’s decision to neither confirm nor deny the existence of responsive records, when the very fact that the FBI (and other law enforcement agencies) can reliably break into smartphones is hardly a big secret, illustrates a particular tension within the federal government when it comes to novel technologies and techniques for surveilling or otherwise gathering information about people.

On the one hand, in order to do their job, federal law enforcement authorities have to disclose some amount of information about their activities. The core purpose of the FBI and its parent agency, the Department of Justice (DOJ), is to investigate and prosecute violations of federal criminal law. To do that successfully, the government must disclose certain information about its investigation to the courts and to defense counsel. At the investigatory stage, the government must divulge sufficient information to convince a judge to issue a warrant or other legal process needed for information-gathering activities (such as searching a seized smartphone). At the prosecution stage, the government must share certain information with the defense and the court, thanks to the Constitution, federal law, court rules, ethics rules, and DOJ policies. Some of these disclosures, at both stages, will be filed on the public court docket; some won’t; some may not be made public at first but become public eventually. (See, for example, the court order referenced in the ACLU's FOIA request, describing an FBI special agent’s affidavit representing to the court that she had sought the EDAU’s help in unlocking the defendant’s phone.)

On the other hand, the government doesn't want to let out too much knowledge about exactly what it can do. Why not? Because criminals could use that information to evade detection, for example. The FBI has a history of being notoriously closed-lipped both in response to FOIA requests and in the courts (some examples follow below). This is understandable in terms of not tipping off the bad guys. However, such secrecy also stymies oversight by the public, lawmakers, and the courts. What’s more, it can even conflict with the DOJ’s own business, because a paramount emphasis on secrecy sometimes ends up undermining individual criminal prosecutions.

I’ve discussed this tension in the past with regard to the government’s remote hacking of suspects’ computers in the so-called “Playpen” campaign to catch traders of child sex abuse material (CSAM). In the Playpen cases, the government had hacked CSAM suspects' computers in order to identify and locate them, using what it called a “Network Investigative Technique” or “NIT.” (The EDAU’s use of NITs is one of the subjects of the ACLU’s FOIA request.) When the Playpen defendants’ lawyers demanded information on the NIT, the government disclosed some info, but refused to disclose certain details of how the NIT worked; in fact, it classified that information.

(Side note: The Playpen cases weren’t the first time the federal government has prosecuted suspects based on evidence gathered through secretive means while withholding information about those means from defense counsel and judges. The FBI also spent years using Stingrays in secret, hiding their use even from the courts, and would rather drop cases than break that secrecy.)

While some Playpen courts allowed that refusal to stand, at least one court didn’t, finding that the defendant was entitled to the information and that the government had demonstrated that the information was privileged against disclosure. Faced with this dilemma, the government dropped the case rather than divulge how the NIT worked (despite the availability of other options to protect the information from further disclosure).

The federal government’s fear that the details of the NIT would somehow get out and fall into unwanted hands was so strong that it classified that information and then dropped a case against an accused CSAM offender rather than take that risk. Keeping the details of its capability secret was more important to the FBI and the DOJ than their core law enforcement purpose of bringing an alleged offender of a serious crime to justice.

The choices to classify the NIT’s details and to drop that case suggest that the NIT’s utility wasn’t limited to criminal investigations, but extended to intelligence and national security applications too. If so, perhaps those stakeholders in government were loath to risk burning the details of the technique on what to them was just another garden-variety criminal case.

Therein lies the tension. If the government refuses to share information about its technical capabilities, it may be unable to move forward with some criminal prosecutions — which, again, is kind of the whole point of having federal law enforcement authorities. In addition, the government’s role in protecting public safety means it must account for the public interest in disclosing cybersecurity vulnerabilities known to the government so that they can be patched. Sometimes it does so disclose. But where those technical capabilities are also useful in protecting the nation’s security against our adversaries (and for subverting our adversaries’ security), the government may conclude that the balance of the equities weighs against disclosure.

The pull of different equities in conflicting directions, even within a single agency such as the FBI, is how you end up with the dismissal of those Playpen and Stingray cases. And I think it also explains the FBI’s Glomar response to the ACLU. In the past, the Bureau repeatedly mentioned, in multiple official, public-facing documents across a variety of contexts (court filings, internal watchdog report, government contracts), its development of forensic capabilities for accessing encrypted devices. Now, however, it seems someone else within the agency wishes they hadn’t done that, and is using the Glomar response to try to backpedal on those past decisions.

Maybe I’m reading too much into the Glomar response. Maybe it’s just a typical crappy FOIA response by an agency that is notoriously just the absolute worst when it comes to FOIA. The FBI’s tactics for evading transparency mean that FOIA requesters often have no recourse for getting the information to which FOIA entitles them besides suing, as the ACLU finally did after two and a half years of foot-dragging by the agency.

Whatever the reason for the FBI’s obstinacy in this instance, the court overseeing the ACLU’s FOIA lawsuit must not allow the Bureau to sweep this topic back under the rug. By throwing a veil of secrecy over its ability to unlock and extract data from encrypted devices, the FBI frustrates oversight by the courts, lawmakers, and the public of the agency’s use of a formidable investigative tool. The FOIA law is supposed to empower the public to enforce government transparency in service of that oversight. When the FBI impedes and delays compliance with its duties under federal law, it is resisting accountability to the American people it supposedly serves.

Why does government oversight matter? Because it is imperative to democratic decisionmaking. Keeping the public in the dark about their capabilities allows federal law enforcement agencies to distort the public debate over the proper scope of their surveillance powers. That includes the ongoing debate over encryption. The FBI has repeatedly and vociferously demanded a legally-mandated backdoor into everybody's encrypted devices and communications. That would weaken the technologies we've come to rely on to keep our data secure and private.

But those demands rest upon a presumption of necessity. What if an encryption backdoor isn’t necessary for law enforcement to do its job? From what we know, it sure looks like the FBI has developed (in-house) and/or purchased (through contracts with private vendors such as Cellebrite) the reliable capability to extract data from locked devices. That undercuts the argument from the FBI and DOJ that they need, and Congress should mandate, encryption backdoors. However, if they can keep the extent of their abilities hidden from the public, then they are insulated from having to confront the weaknesses of their argument. Despite years of complaining about encrypted devices, they have never released actual, complete, accurate data to back up their claims about encryption’s impact on their mission. They have created an unlevel playing field where they know information that is crucially relevant to the encryption debate while keeping the rest of us in the dark.

FBI and DOJ officials have repeatedly argued that it should be up to the American people and their elected representatives, not Apple or Google, to make a decision about encryption and law enforcement access. Yet they are simultaneously stymieing the debate by refusing to share information that is highly pertinent to this discussion, information that would show whether they really have a serious need for a backdoor after all or are “accessing locked devices quite well, thank you,” as Susan Landau recently put it. Now that the ACLU has asked for that information point-blank in a FOIA request, the FBI’s incredible response is that it can’t even admit whether such information exists at all. We cannot have a fully-informed decisionmaking process under these circumstances.

The FBI wants to have its cake and eat it too, by demanding encryption backdoors for devices while also getting to hide information about whether it really needs them. That's undemocratic and it's unacceptable, and that's why I hope the ACLU prevails in its FOIA litigation.