Sen. Ron Wyden, D-Ore., sent a strongly worded letter to FBI Director Christopher Wray on Wednesday, voicing concern that the FBI “repeatedly misled” the public and lawmakers on how many devices it was locked out of due to encryption.
On Tuesday, the FBI admitted that in public speeches and sworn congressional testimony over the last year, it had dramatically overstated the number of encrypted phones it cannot access.
“The government has long held discredited views about encryption,” Wyden wrote. “Now we see that the FBI is struggling with basic arithmetic — clearly it should not be in the business of dictating the design of advanced cryptographic algorithms.”
Wyden also charged that the FBI “exploited” the 2015 shooting in San Bernardino, California, to push tech companies for a way to bypass encryption during investigations.
“We see the same calculations today with the overstatement of inaccessible devices … [the FBI] is either too sloppy in its work or pushing a legislative agenda,” the letter states.
Across a period of seven months, Wray repeatedly claimed that his agency was locked out of about 7,800 encrypted, unhackable phones. This figure was coupled with warnings about the growing threat posed by encrypted devices, tech products and services. With encryption becoming a default in any devices and products, law enforcement agencies contend that they need access or risk being unable to access communications and data.
The Washington Post first reported on the overstated figures.
In 2017, the FBI “was unable to access the content of approximately 7,800 mobile devices using appropriate and available technical tools,” Wray told Congress last December. Encryption on electronic devices represents an “urgent public safety issue,” he said in January, referring to the bureau’s investigations in counterterrorism, counterintelligence, human trafficking and organized crime.
Earlier this month, Attorney General Jeff Sessions echoed Wray’s claims: “Last year, the FBI was unable to access investigation-related content on more than 7,700 devices — even though they had the legal authority to do so. Each of those devices was tied to a threat to the American people.”
The Washington Post estimates that the true figure is in the range of 1,000 to 2,000; an internal FBI estimate last week put the number at 1,200. The bureau discovered its miscount about a month ago.
“The FBI’s initial assessment is that programming errors resulted in significant over-counting of mobile devices reported,” the bureau said in a statement. Devices, listed across three databases, were purportedly recounted multiple times.
Lawmakers, privacy advocates and technology groups seized on the admission to disavow the FBI’s push for backdoors.
“The report is a clear reminder that policymakers should take the FBI’s claims of going dark with a big grain of salt,” said Greg Nojeim, director of the Freedom, Security, and Technology Project at the Center for Democracy & Technology.
Kevin Bankston, director of New America’s Open Technology Institute, added: “It turns out that the FBI’s claims were based on bad math and the problem is only a small fraction of what we were originally told—making it all the more clear that Congress should refuse the FBI’s call for legislation that would undermine the security of our smartphones.”
The FBI responded by launching an audit to determine the true number. Wray has “mandated an independent review.”
After the San Bernardino attack, the FBI struggled to access one of the shooter’s devices, intensifying the debate over encryption. Since then, the bureau has sounded off about the threats posed by “going dark,” referring to the proliferation of encrypted software that precludes investigators from accessing digital data despite having the proper legal authority.