A stylized image of computer code. Photo Credit: Wikimedia Commons.
During the 37th Meeting of the INTERPOL Specialists Group on Crimes against Children in France earlier this month, US Department of Justice and Federal Bureau of Investigation (FBI) officials presented a draft resolution calling for “lawful access” to encrypted data “enabled or facilitated by [providers of technology services].”[i] Although INTERPOL stated later that it currently has no plan to back such resolution,[ii] the news reinvigorated the “going dark” debate—the phenomenon of law enforcement agencies being unable to access information on digital devices or networks because of the strong encryption implemented by technology companies.[iii] To find a resolution to this problem, American policymakers should pass legislation to allow law enforcement agencies to hack into devices or networks using existing software vulnerabilities. Such practice could protect national security while ensuring individual privacy by mandating the specific circumstances under which lawful hacking is permitted and reviewing vulnerabilities on a case-by-case basis with a more transparent vulnerabilities disclosure process.
For the private sector and consumers, encryption is essential to ensure privacy. End-to-end encryption—embedded in applications like WhatsApp and Signal—ensures that communications cannot be intercepted during transmission.[iv] While those applications are still vulnerable to attacks in which hackers acquire the encrypted communications through devices, another layer of authentication on the endpoints with passwords or digital signatures strengthens the overall security.[v] Law enforcement agencies, however, argued that such encryption hinders their investigation efforts to protect public safety and national security.[vi] In the case of the San Bernardino terrorist attack, the FBI requested that Apple assist in unlocking a deceased terrorist’s iPhone. Apple, however, refused and defied a court order by arguing that such efforts could compromise the security of their products.[vii] Google, Amazon, and other technology companies publicly supported Apple and filed briefs in the legal case to defend Apple’s decision to protect individual privacy over national security.[viii]
Previously, the U.S. demanded and ultimately failed at asking service providers to create a “backdoor” or install some kind of exceptional technical access to encrypted data for government use, but such efforts have so far floundered.[ix] The Clinton administration proposed a “Clipper Chip,” an encryption device intended to be built in devices with a built-in backdoor that enabled access to encrypted data and voice messages.[x] However, the backdoor approach is controversial for several reasons. First, creating these kinds of access points to encrypted systems requires the introduction of certain vulnerabilities that undermine the security of the system.[xi] Clipper chip, for example, failed partially because of irreconcilable technical vulnerabilities.[xii] Moreover, US agencies would not have access to foreign encrypted software. Even if the US government could mandate that American companies install backdoors, law enforcement agencies could still not access information transmitted through foreign applications—such as Telegram, a U.K.-based messenger application.
Lawful hacking—hacking performed by government agencies exploiting existing vulnerabilities—is a potential solution to the going dark debate.[xiii] Instead of installing a backdoor that would create new vulnerabilities to an already-fragile system, lawful hacking allows agencies to access information without damaging the system or requiring the help of technology companies. The FBI has used such techniques—the Network Investigative Technique (NIT)— upon acquiring warrants to conduct surveillance or assist criminal investigations in the past.[xiv] Specifically, the agency developed and installed a malware—Computer and Internet Protocol Address Verifier (CIPAV)— on the target’s computer to collect information such as the Internet Protocol (IP) addresses, list of the programs running, and open communication ports.[xv] In 2015, the FBI seized dark web child pornography website Playpen, but continued to monitor the website and installed CIPAV to almost 8,700 computers to collect the user’s IP addresses, resulting in over 200 prosecutions of Playpen active users.[xvi]
Moreover, the Justice Department in 2016 updated Rule 41 of the Federal Rules of Criminal Procedure that allows law enforcement to obtain warrants to conduct computer investigation without specifying the geographic location of the target.[xvii] In other words, law enforcement agencies are now able to conduct hacking with appropriate warrants in any locations, whereas previously they were only able to do so in the region of the federal court.
However, it is important to note that hacking performed by law enforcement agencies lacks legislative oversight and input. The change to Rule 41 occurred with only judicial review; congressional approval was never sought, which subsequently stirred public controversy.[xviii] The lack of legislation that formally permits lawful hacking undermines the legitimacy and legal certainty of hackings by law enforcement agencies, especially when they may run afoul of the Fourth Amendment.
To adopt the practice of lawful hackings, Congress should consider two main legal and ethical implications. First, the legislation must mandate the specific circumstances under which lawful hacking is permitted and ensure that fourth amendment rights are not violated before commencing any hacking efforts. The Supreme Court in Riley v. California (2014) emphasized the importance of extra privacy protections for cell phones, dictating that cell phones hold the “sum of an individual’s private life.”[xix] The Court ruled that law enforcement’s search of a cell phone’s digital contents during an arrest without a warrant constitutes a violation of the Fourth Amendment as a result.[xx] In light of the Court’s opinion, the legislation must ensure that warrants issued are specific. For example, the search for information regarding child pornography should not allow government agencies to access messages or applications unrelated to such charges. Lawful hacking is a powerful tool if it were to be approved by the policymakers, but an adequate measure that protects the fundamental Fourth Amendment rights is crucial.
Moreover, lawful hacking also touches on the ethical dilemma on whether government agencies have the obligation to disclose vulnerabilities to the developers or vendors for patching, regardless of whether such vulnerabilities are discovered or purchased by the government. The legislation must not only incorporate the current White House-led Vulnerabilities Equities Process (VEP) into law with greater transparency, but also detail its applicability to the hacking tools used by government agencies in criminal investigations.[xxi] Disclosing a vulnerability to its responsible party would prevent malicious actors from exploiting it, but undermine the government’s efforts in using such vulnerabilities for investigation efforts. As a result, the Equities Review Board should first have the ability to determine a reasonable time frame for the developer or vendor to patch the vulnerability if the responsible party were to be notified.[xxii] In the specific case of lawful hacking, the Board should also review vulnerabilities on a case-by-case basis to maximize the interests of government agencies while minimizing the risks of vulnerabilities being exploited by hackers or stolen as they were in the WannaCry case.
While the US government has argued that lawful hacking is insufficient to properly conduct investigations, such an argument fails to understand that the goal of the legislation that legalizes government hacking is to strike a fair balance between government access and privacy. Former FBI Director James Comey in his testimony before the House Committee said that he does not consider lawful hacking alone to be an adequate solution to the going dark problem.[xxiii] Indeed, finding and developing tools to explore vulnerabilities could be time-consuming, necessitating the expenditure of more resources than simply installing backdoors on networks or devices. However, the consequences of installing backdoors are not comparable to those of adopting lawful hacking. The latter delivers an option for law enforcement and intelligence to collect enough information to do its job. Lawful hacking is not the perfect answer to the going dark problem, but society as a whole has little to lose and much to gain from a formalized legal framework that satisfies the Fourth Amendment and ensures the equities between private liberty and public safety.
[i] Sean Gallagher, “Think of the Children: FBI Sought Interpol Statement against End-to-End Crypto,” Ars Technica, November 18, 2019, https://arstechnica.com/tech-policy/2019/11/think-of-the-children-fbi-sought-interpol-statement-against-end-to-end-crypto/.
[iii] FBI, “Going Dark,” Page, Federal Bureau of Investigation, accessed November 12, 2019, https://www.fbi.gov/services/operational-technology/going-dark.
[iv] Lily Hay Newman, “Encrypted Messaging Is Essential—But It Isn’t Magic,” Wired, June 14, 2018, https://www.wired.com/story/encrypted-messaging-isnt-magic/.
[v] Brian Barrett, “The CIA Can’t Crack Signal and WhatsApp Encryption, No Matter What You’ve Heard,” Wired, March 7, 2017, https://www.wired.com/2017/03/wikileaks-cia-hack-signal-encrypted-chat-apps/.
[vi] Charles Duan, “A New Framework for the Encryption Debate,” Lawfare (blog), April 9, 2018, https://www.lawfareblog.com/new-framework-encryption-debate.
[vii] Brian Barrett, “At Least Encryption Had a Good Year,” Wired, December 23, 2016, https://www.wired.com/2016/12/year-encryption-won/.
[viii] Russel Brandom, “Google, Microsoft, and other tech giants file legal briefs in support of Apple,” The Verge, March 3, 2016, https://www.theverge.com/2016/3/3/11156704/apple-fbi-amicus-briefs-iphone-encryption-fight.
[ix] Sean Gallagher, “Barr Says the US Needs Encryption Backdoors to Prevent ‘Going Dark.’ Um, What?,” Ars Technica, August 4, 2019, https://arstechnica.com/tech-policy/2019/08/post-snowden-tech-became-more-secure-but-is-govt-really-at-risk-of-going-dark/.
[x] Ben Buchanan, “Bypassing Encryption: ‘Lawful Hacking’ Is the next Frontier of Law Enforcement Technology,” Salon, March 22, 2017, https://www.salon.com/2017/03/22/bypassing-encryption-lawful-hacking-is-the-next-frontier-of-law-enforcement-technology_partner/.
[xi] Harold Abelson et al., “Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications,” July 6, 2015, 24, http://dspace.mit.edu/handle/1721.1/97690.
[xii] Jack Karsten and Darrell M. West, “A Brief History of U.S. Encryption Policy,” Brookings (blog), November 30, 2001, https://www.brookings.edu/blog/techtank/2016/04/19/a-brief-history-of-u-s-encryption-policy/.
[xiii] Steven M. Bellovin et al., “Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet,” SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, August 18, 2013), https://papers.ssrn.com/abstract=2312107.
[xiv] UNITED STATES COURT OF APPEALS FOR THE SIXTH CIRCUIT, UNITED STATES OF AMERICA V. ANDREW BLAKE MOOREHEAD, NO.18-5216, http://www.opn.ca6.uscourts.gov/opinions.pdf/19a0004p-06.pdf.
[xv] Jennifer Lynch, “New FBI Documents Provide Details on Government’s Surveillance Spyware,” Electronic Frontier Foundation (blog), April 29, 2011, https://www.eff.org/deeplinks/2011/04/new-fbi-documents-show-depth-government.
[xvi] Joseph Cox, “The FBI Used a ‘Non-Public’ Vulnerability to Hack Suspects on Tor,” Motherboard (blog), November 29, 2016, https://motherboard.vice.com/en_us/article/kb7kza/the-fbi-used-a-non-public-vulnerability-to-hack-suspects-on-tor.
[xvii] Jeff John Roberts, “FBI’s New Hacking Powers Take Effect This Week,” Fortune, November 30, 2016, http://fortune.com/2016/11/30/rule-41/.
[xviii] Kate Tummarello, “Support the SMDH Act and Give Congress Time to Debate New Government Hacking Powers,” Electronic Frontier Foundation (blog), November 29, 2016, https://www.eff.org/deeplinks/2016/11/support-smdh-act-and-give-congress-time-debate-new-government-hacking-powers.
[xix] Shannon Gross, “A Mystery Wrapped in an Encryption: Surveillance and Privacy in the Encrypted Era,” Northwestern Journal of Technology and Intellectual Property 15, no. 1 (May 2, 2017): 83.
[xx] Electronic Privacy Information Center, “EPIC – Riley v. California,” accessed April 14, 2019, https://epic.org/amicus/cell-phone/riley/.
[xxi] The White House, “Vulnerabilities Equities Policy and Process for the United States Government,” November 15, 2017, https://www.whitehouse.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF.
[xxii] Susan Hennessey, “Lawful Hacking and the Case for a Strategic Approach to ‘Going Dark,’” Brookings (blog), October 7, 2016, https://www.brookings.edu/research/lawful-hacking-and-the-case-for-a-strategic-approach-to-going-dark/.
[xxiii] Kevin Bankston, “Ending The Endless Crypto Debate: Three Things We Should Be Arguing About Instead of Encryption Backdoors,” Lawfare (blog), June 14, 2017, https://www.lawfareblog.com/ending-endless-crypto-debate-three-things-we-should-be-arguing-about-instead-encryption-backdoors.