FBI Lacks Technical Details to Disclose How it Accessed Locked iPhone

Because it doesn't have the technical details, the FBI can't submit any software weaknesses to an interagency White House process that weighs whether such defects should be disclosed to manufacturers, like Apple, or developers.

(TNS) -- When the FBI paid more than $1 million to crack into the San Bernardino shooter's iPhone 5C, it paid only for a hacking tool, not the source code, so it is not able to publicly disclose how the phone was broken into.

"The FBI purchased the method from an outside party so that we could unlock the San Bernardino device. We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate," Amy Hess, the bureau's executive assistant director for science and technology, said in an email.

Because it doesn't have the technical details, the FBI can't submit any software weaknesses to an interagency White House process that weighs whether such defects should be disclosed to manufacturers, like Apple, or developers. Hess said that process, known as the Vulnerabilities Equities Process, "cannot perform its function without significant details about the nature and extent of a vulnerability."

The decision ends any speculation on whether Apple will be able to shore up some of its outdated devices against the exact exploit the FBI used.

But the announcement still hasn't ended mistrust of the agency, its tactics or the very process the government uses to alert private industry of such problems.

"Dual missions are a lie," said security researcher Dan Kaminsky, who has strongly supported Apple, referring to the government's goal of both using and fixing bugs. "An organization motivated enough to fully weaponize an exploit, or pay those who have, is not going to turn around and destroy their own newfound capability."

Disclosing this particular issue is extra important, said Oren Falkowitz, co-founder and CEO of San Francisco cybersecurity company Area 1 Security and a former official with the National Security Agency.

The FBI "is taking the side of making 24 million people less secure, and that seems not to be on the best side of technology, and all the people who have those phones," he said, referencing the number of iPhone 5Cs that have been reportedly sold. "That's extremely troubling."

The lack of transparency in the equities process is, perhaps, what's causing that sentiment to spread among Silicon Valley firms, said Katie Moussouris, the founder and CEO of Luta Security, which advises organizations and governments on vulnerability disclosure and bug bounty programs.

"We want to trust whoever has these vulnerabilities is defending critical infrastructure as the greater good, and ideally making most decisions toward that end," she said. "But we don't know."

The revelation last month that the FBI had managed to get into the work phone of Syed Rizwan Farook, who along with his wife killed 14 people in the December attacks in San Bernardino, halted an extraordinary court fight that flared a month earlier when a federal magistrate in Riverside directed Apple to help the FBI hack into the device.

The Associated Press contributed to this report.

©2016 San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.