A San Bernardino county worker may be responsible for a contentious battle now playing out between Apple and the government over data on an iPhone that belonged to suspected San Bernardino shooter Syed Rizwan Farook.

Shortly after the phone in question was seized from an SUV belonging to Farook and his wife, someone changed an Apple ID that might have allowed the phone to back up data to iCloud—which would have given the government a chance to seize the data with a court order. But because that ID was changed, there is no chance the phone could have ever backed up additional data to iCloud, a senior Apple executive said on a call today with reporters.

When asked who changed that ID, the executive said that the government indicated it was someone who worked for the county, but that he didn’t know the identity of that worker. However, this presumably would have been an IT worker for the county who supplied the phone to Farook.

The government touched on this detail in a motion it filed with the court today but placed it only in a lengthy footnote at the bottom of one page. The government also didn’t acknowledge in the footnote that this was likely the best chance it had of retrieving the data it wanted from the phone.

Instead, the aggressive motion pushed the government case against Apple to a new level, asking a federal court to compel the company to comply with an earlier order issued on Tuesday by a magistrate. That order directs Apple to provide a software tool to the government that eliminates certain security features in the iPhone operating system in order to allow the government to perform what’s known as a brute-force password-cracking technique to try to unlock the phone and obtain data stored on it.

In a footnote on one page of the filing, the government described four options that Apple had suggested for obtaining the data. One of those involved having the phone connect to a known Wi-Fi spot to which it had previously connected and letting it sit overnight to see if it would auto-backup the most recent data on the phone.

The government noted in the footnote that it tried the method, but it didn’t work: “Neither the owner nor the government knew the password to the iCloud account, and the owner, in an attempt to gain access two some information in the hours after the attack, was able to reset the password remotely, but that had the effect of eliminating the possibility of an auto-backup.”

The Apple executive told reporters that the company’s engineers had first suggested to the government that it take the phone to the suspect’s apartment to connect it to the Wi-FI there. But since reporters and members of the public had swarmed that crime scene shortly after the shootings occurred, it was likely that any Wi-Fi there had been disconnected. So Apple suggested the government take the phone to Farook’s former workplace and connect the phone to a Wi-Fi network there.

The executive said that Apple walked the government through the entire process to accomplish this, but the government came back about two weeks later and told Apple that it hadn’t worked.

Apple didn’t understand why it had not worked—until the company learned that sometime after the phone had been taken into the custody of law enforcement, someone had gone online and changed the Apple ID that the phone uses to conduct backups.

This means that the government’s best opportunity to get the desired data was frustrated by the changing of this Apple ID, according to the Apple executive. If the phone had indeed backed up to iCloud, the data would have been recovered, and Apple would not now need to resist the government’s attempts to force it to create a backdoor for its operating system.

The Apple executive said the company didn’t initially make all of this information public because it believed its discussions with the government over the methods used to retrieve data from the phone had been confidential. But after the government surprised Apple with the new filing today, and discussed this attempt to get the phone backed up to the iCloud, Apple no longer felt obligated to keep the conversation confidential.

It’s entirely possible that the phone would never have backed up data to iCloud after it was seized, however. The phone had previously been backing up data to its related iCloud account—data that authorities have already seized—but the last backups stopped on October 19. The government was not able to obtain any data from the phone after that date. The government thinks that Farook might have disabled the backup function. But the Apple executive said that’s unknown, and there is currently no evidence to support the claim that he turned it off.

Either way, Apple and the government are now embroiled in a heated battle over what the government now wants Apple to do to help the government hack the phone. And it’s not clear that even if Apple assists the government with what it’s currently asking the company to do, that the government will be able to crack the password on the phone and obtain data. If Farook chose a complex six-digit alpha-numeric for his password, Apple has said that could take five-and-a-half years or more to crack, if ever.


Apple Says the Government Bungled Its Chance to Get That iPhone’s Data