ACLU vs. Government: Should There Be Rules Governing Hacking?

The rise of mobile technology means we are rarely disconnected from a vast ecosystem of services and content. With more people online sharing more than ever, personal data has become currency, and entire business models are predicated on harvesting and deriving insight from that information.

But technology companies have lost the benefit of the doubt in the court of public opinion following numerous scandals and reports of misuse of data over the last year or two. As a result, more users are putting a premium on privacy and transparency.

Apprehension over data misuse and exposure is not limited to the private sector. The ACLU and a UK counterpart, Privacy International, are suing eleven “federal criminal and immigration enforcement agencies, including the FBI, Immigration and Customs Enforcement, and the Drug Enforcement Administration” about “the nature and extent of the government’s hacking activities and, importantly, the rules that govern these powerful surveillance tools.” Hacking tools are increasingly used to catch serious criminals, but as the lawsuits underscore, information about them remains vague.

Inside the ACLU Lawsuit

The ACLU lawsuit is rooted in concern that the current ambiguity surrounding government hacking creates possible Orwellian scenarios. A post announcing the lawsuit outlines a belief that the government is using hackers to “[take] advantage of unpatched vulnerabilities in [citizens’] devices and software” to “obtain all kinds of sensitive, confidential information” through a variety of means – including “[activating] a device’s camera and microphone, [logging] keystrokes, or otherwise [hijacking] a device’s functions,” potentially without user awareness.

The ACLU contends that these agencies need to disclose more information to the public about their methodology, tools, the frequency with which they deploy these tools, the legal justification for use, “and any internal rules that govern them.” The ACLU is also seeking “any internal audits or investigations related to their use.”

Is Secrecy Justified?

The ACLU lawsuit claims that what little information exists has been confined to “scattered news accounts”; what they do know is described as “very troubling.” Several high-profile cases involve the so-called dark web: in 2013, the FBI admitted to hacking Freedom Hosting, a hidden service operator for private browser Tor, in a child pornography case. Then, the FBI reportedly used a ‘network investigative technique’ (or NIT) to operate child porn haven Playpen for almost two weeks. That exploit, which revealed users’ real IP addresses on the otherwise anonymous network, led to a series of arrests and 137 criminal cases.

By those numbers, the NIT was undeniably effective (and, the FBI would surely argue, justified) in catching alleged criminals who had ‘gone dark.’ But the source code in question has remained classified; in the interim, some security experts have likened the tool to malware.

Similar tools, says the ACLU, have been deployed “for investigating increasingly ordinary crimes,” including on innocent civilians. They argue the lack of accountability makes it impossible “for the public to meaningfully determine whether and when the government should engage in hacking, whether the government is collecting excessive information about the people it surveils, and how investigators handle innocent bystanders’ information,” as well as “how the government’s hacking impacts cybersecurity for everyone using the internet.”

Is a Solution Imminent?

The ambiguity over the method and scope of hacking has even led to an unintended side effect: in a small number of cases, prosecutors have dropped charges rather than reveal the code to the defense teams. Susan Hennessy, the executive editor of national security-focused blog Lawfare, and Nicholas Weaver, a senior staff researcher at the International Computer Science Institute, argued in a 2016 blog post that those “extraordinarily high stakes” put a significant burden on judges to make the right decision in the interests of national security.

A Hennessy-authored 2017 paper argues that a clear, meaningful solution is most likely the responsibility of Congress. The aim of that legislation “is not to eliminate the possibility of the disclose-or-dismiss dilemma but instead to ensure it arises only where constitutionally or otherwise appropriate and not as a Hail Mary litigation strategy,” she explains.

Uncertain rules mean loopholes remain, and the question of “whether a defendant needs to see the ‘exploit’ of the NIT in order to receive a fair trial” remains unanswered. That gray area will continue to invite skepticism, and with it, lawsuits and complications. Hypothetical solutions are all that exist: Hennessy and Weaver posited that a system of “[exploiting] existing vulnerabilities,” rather than creating new ones, may be the line in the sand.

Whether the ends justify the means is endlessly debatable. But a few things are clear with no resolution in sight: hacking is undeniably effective and undoubtedly valuable to law enforcement; it has cemented a permanent place in its toolkit in our digital-centric world; and the ongoing dialogue about privacy will continue gathering steam in the absence of codified rules.

Quandary Peak Research

Based in Los Angeles, Quandary Peak Research provides software litigation consulting and expert witness services. We rapidly analyze large code bases, design documents, performance and usage statistics, and other data to answer technical questions about the structure and behavior of software systems.