Sept. 15, 2016
Today, New America's Cybersecurity Initiative released A Brief History of Law Enforcement Hacking. The Cybersecurity Initiative is a joint initiative of the International Security Program and Open Technology Institute.
Hacking by law enforcement has been front page news since the FBI purchased a hacking tool to bypass the security of an encrypted iPhone while investigating the San Bernardino shooting. However, this type of hacking is nothing new: it has been over fifteen years since the first known case of police intrusion into a computer as part of an investigation. While it is uncertain when this behavior began, we are sure that, as of 1999, the government had begun to use technological skills to access private digital networks and material in the process of investigating crimes. Hacking methods can be as simple as using a USB drive to install a malicious program or tricking users into opening a phishing email, or as complex as tools that rely on previously unknown or “zero-day” vulnerabilities to let a hacker bypass the sophisticated security functions of a mobile phone’s operating system.
Despite being a key tactic for law enforcement since the turn of the century, hacking didn’t become a major topic of public discussion until the San Bernardino iPhone hack. That case received such widespread media coverage that even the general public was talking about the ways that law enforcement could, or could not, access the devices that we all carry in our pockets. But the repercussions of investigative hacking are unclear, and important questions must be asked when evaluating policy options to address the issue: what procedural and substantive standards must be met when the government seeks authorization to hack? Under what legal authority can this type of hacking be authorized? Could the hack damage the targeted device or infect untargeted devices? How can the privacy of third parties be protected when investigating a single individual? Should law enforcement be able to target only specific individuals, or everyone that visits a particular website or uses a particular service? How should law enforcement minimize the collection of data that isn’t relevant to their investigation? These are all critical questions, yet law enforcement has taken very few steps to provide clear information about their procedures, tools, or tactics when it comes to their hacking activities.
These procedures, tools, and tactics have become dramatically more complex over the past fifteen years. But just as the technology used to hack computers has progressed, so has the technology that helps to limit law enforcement access to user data. Encryption and anonymization technology are stronger than ever before, and so law enforcement has become more reliant on the use of vulnerabilities—security flaws in software and hardware—to access information on their targets. The FBI has been reluctant to share the functions of their hacking technology, or the vulnerabilities they exploit, allowing them to repeatedly use tools like the one that eventually managed to hack that infamous iPhone. This behavior raises the question of whether or not law enforcement leaves citizens’ communications, data, and systems insecure by refusing to disclose information that would allow companies to patch their products and protect their users. The history of technology used in government hacking has been a back and forth between investigators and those they investigate, each trying to use the newest software or system in order to achieve their goals.
But these technological advances may have outpaced the legal methods used to manage them. In April 2016, the Supreme Court transmitted to Congress revisions to Rule 41 of the Federal Rules of Criminal Procedure, which governs search warrants, to address the difficulties of conducting investigations when suspects use anonymizing technology. The first part of the Rule 41 changes allows a judge in any district where activities related to the crime may have occurred to authorize a warrant when the location of the device to be searched has been concealed through anonymizing technology. The second addition permits the FBI to use one warrant to search compromised computers when the investigation involves devices located in five or more districts. If Congress does not pass a bill rejecting the proposed amendments by December 1, 2016, they will automatically go into effect. These revisions will certainly make it easier for the government to hack lawfully, even though we know that law enforcement has been hacking for more than 15 years without this authorization.
Because of the complexity of this discussion, legally, technically, and on a policy level, New America has produced a paper that chronicles the history of U.S. law enforcement hacking. The United States is at a fork in the road, and we must consider what role law enforcement hacking should play in criminal investigations. With the imminent changes to Rule 41, the power to push back against forensic hacking resides in the courts and in Congress. At the same time, more and more crimes have a technological component and investigators will have to address these challenges. No matter what happens, the next five years will be an exciting tour through the intersection of criminal justice and modern technology. The goal of this paper is to tell the story of how we arrived at this moment in history, and provide readers with the information to understand, and participate in, this important discussion.