Hacking: Not Just for the Feds!

The threats that came to a Washington state high school in June 2007 were chillingly specific. One message read, “there are 4 bombs planted throughout Timberline High School. One in the math hall, library hall, and one portable. The bombs will go off in 5 minute intervals at 9:15am.”

In response, the FBI deployed a secret surveillance tool to unmask the identity of the suspect, who was using an anonymous MySpace account linked to the bomb threats. By pretending to be an Associated Press reporter, an FBI agent was able to get the suspect to click on a fake news story, which installed spyware that revealed, among other things, the suspect’s true IP address. The 15-year-old pleaded guilty to making bomb threats and other charges, though his lawyer claimed it was all “a prank from the get-go.”

The whole incident made one thing clear: The FBI can hack. Now, imagine your local police department. What if it could do that, too?

Many members of the public first became aware of the FBI’s interest in hacking in February, when the bureau and Apple battled over a locked iPhone belonging to one of the San Bernardino, California, shooters. That spat ended abruptly when the FBI announced it had hacked into the iPhone without Apple’s assistance.

What lots of people didn’t realize is that the FBI has a decadeslong history of hacking for investigative purposes. Though the bureau’s methods are shrouded in secrecy, available accounts show that law enforcement has been hacking since at least the 1990s. The most recent public conversations have focused on largely on encryption strength and whether tech companies should be required to install so-called backdoors for law enforcement to access with warrants, a move the tech community argues would broadly undermine device security. But law enforcement has long had many other tricks up its sleeves, like installing malware that can gather passwords or encryption keys by logging keystrokes and using a Computer and Internet Protocol Address Verifier to unmask the real IP address of a suspect who has anonymized his or her location.

The present debate around law enforcement hacking is, for good reason, focused mostly on the FBI. At present, the most sophisticated law enforcement hacking capabilities belong to the federal government and remain classified. And although state and local police certainly investigate some serious crimes within their jurisdictions, the FBI routinely handles serious crimes—child pornography, human trafficking, financial crime resulting in the loss of millions of dollars. By many measures, the gravity of the crimes the FBI investigates makes it understandable that when we consider extraordinary hacking measures used by law enforcement, we would start with the FBI.

But law enforcement hacking is not just a matter for the feds, thanks to two trends in particular.

First, just like law-abiding citizens, criminals have access to legal services that allow them to encrypt communications, browse privately, and otherwise minimize their digital footprints. Smartphone encryption frequently prevents crime, but as these tools become easier to use and the commercial default, it isn’t difficult to imagine that criminals—even those who aren’t technologically sophisticated—will use them, too.

Second, state and local police departments are very interested in hacking capabilities that could, as they see it, improve their ability to fight crime. Leaked emails from the past several years show that law enforcement agencies around the country have received demonstrations of spyware being sold by the controversial Italian-based company Hacking Team, whose mission is to “provide effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities.” Hacking Team boasts of software that helps law enforcement “hack into [their] targets with the most advanced infection vectors available.”

The federal government is also sharing cybercrime-related knowledge with state and local police departments. The National Computer Forensics Institute, a federally funded center, is “committed to training state and local officials in cyber crime investigations” and offers tuition-free education on many elements of policing in a high-tech crime era. And after unlocking the San Bernardino iPhone, the FBI hastened to assure its local partners that it would share technical assistance whenever possible.

Many of the same concerns held about FBI hacking also apply at the state and local levels. For instance, the FBI-Apple standoff ended because of the involvement of an outside group, which the bureau paid to help it access the device. What rules should govern such third-party involvement? What kinds of compensation should third parties be allowed to receive, and what incentives would such a marketplace create?  Does a law enforcement agency have a responsibility to disclose any vulnerabilities it exploited to the software developer so that it can be patched? If law enforcement inserts malware on platform in order to track a suspect, does it have an obligation to clean up the malware after the investigation?

And perhaps most importantly, do we even want state and local law enforcement to have hacking capabilities? The FBI may do a reasonably good job at keeping the vulnerabilities it uses under wraps so they don’t fall into the hands of malicious actors. But state and local departments may have neither the inclination nor the capacity to be so vigilant. For some, this is an argument for hacking operations, if they happen at all at the state and local levels, to be conducted in conjunction with, or under the supervision of, the FBI. For instance, cybersecurity experts Adam Segal and Alex Grigsby suggested in the Washington Post that a decryption lab could be housed within the FBI to assist state and local law enforcement, in much the same way that the FBI currently assists them with fingerprint and biometric analysis.

Law enforcement hacking also presents disclosure challenges for our adversarial justice system. Assistant Federal Public Defender Andrew Grindrod is concerned about the challenge of preparing a fair and thorough defense when law enforcement insists on keeping hacking methods classified. In an email, he warned that “if law enforcement is not prepared to produce its hacking technology in discovery, we should think hard about whether we are comfortable depriving people of liberty through prosecutions that put this untestable technology front and center.”

These aren’t concerns for a distant future. In November, Manhattan District Attorney Cyrus Vance Jr. said at an event:

In my Office alone, 423 Apple iPhones and iPads lawfully seized since October 2014 remain inaccessible due to default device encryption. Approximately 10% of our warrant-proof devices pertain to homicide or attempted murder cases, and 9% to sex crimes. And while we’ve been locked out of approximately 34% of all Apple devices lawfully recovered since October 2014, that number jumped to approximately 42% of the devices recovered in the past three months.

Earlier this year, he made use of the FBI-Apple standoff to emphasize that the move toward “default device encryption affects virtually all criminal investigations, the overwhelming majority of which are handled by state and local law enforcement.”

But the waters ahead for state and local law enforcement hacking are still murky—legally, operationally, and ethically. Hacking Team itself was hacked in July 2015, and emails released revealed that the Metropolitan Bureau of Investigation based in Orlando, Florida, had contacted Hacking Team about its spyware products. But the bureau recognized at least the legal uncertainty ahead, worrying that using a piece of surveillance software could make it difficult to comply with search warrants. The email dump also revealed that on many occasions, after receiving spyware demonstrations from the Hacking Team, local police departments decided not to purchase spyware, saying the products did not meet their needs at the time. But the question remains: What about next time?

This article was originally published in Future Tense, a collaboration among Arizona State University, New America, and Slate.