The iCloud problem
Back to Farook’s iPhone 5c, is there any other way to get the evidence the government wants? What else did they try?
The February 19 filing lists the other methods the government and Apple discussed, and why they won’t work, in a footnote on page 18, paraphrased here:
Obtain cell phone toll records: The filing says “the government has of course done this,” but it’s insufficient since there’s a lot more on the phone than call and SMS records.
Determine if any computers were paired to the phone: The government says there weren’t any.
Attempt an auto-backup of the device with the related iCloud account: This didn’t work because neither the FBI nor the “owner” (the San Bernardino County Department of Public Health) knew the iCloud password.
Obtain previous iCloud backups: The FBI did this too, but the most recent backup was from October 19, 2015, and the filing says that’s not sufficient “and also back-ups do not appear to have the same amount of information as is on the phone itself.”
But that third method (attempt an auto-backup to iCloud) is where it gets really weird. The iCloud password was reset remotely, shortly after the crime, by the owner, i.e. the county. The February 19 filing says, “that had the effect of eliminating the possibility of an auto-backup.”
As explained by Ars Technica, the way they tried to force it was to take the iPhone to a known Wi-Fi network, plug it in, and leave it overnight—which should trigger a backup to iCloud if auto-backups are enabled. But it didn’t work because the password had been reset so recently.
So they weren’t able to get an iCloud backup?
Not a full one. According to the February 19 filing, the FBI has Farook’s iCloud backups through October 19, about six weeks before the December 2 shooting. The filing states that the government found evidence in the iCloud account to indicate “that Farook communicated with victims who were later killed in the shootings.” (You’ll recall he killed his own co-workers.)
The filing also states:
In addition, toll records for the subject device establish that Farook communicated with Malik using the subject device between July and November 2015, but this information is not found in the backup iCloud data. Accordingly, there may be critical communications and data prior to and around the time of the shooting that thus far has not been accessed, may reside solely on the subject device, and cannot be accessed by any other means known to either the government or Apple.
Wait, they think there could be data on the phone that isn’t in the iCloud backup?