The emergence into the public consciousness of government hacking techniques and activities in recent years has sparked an increasingly loud debate over how and when law enforcement agencies should be allowed to employ these tactics. But that conversation ignores the fact that these techniques may not actually be legal, experts say.
Law enforcement agencies, especially the FBI, have been using hacking techniques to conduct remote searches of suspects’ computers for many years. Those techniques typically involve the deployment of custom malware, delivered through means such as targeted phishing emails and the use of an exploit for a vulnerability. These methods have been used in many cases over the years, and law enforcement officials say they are vital to the investigation of crimes in today’s environment.
But legal experts say that there is no explicit permission in United States law for this kind of investigative technique.
“Should the government be able to hack because we have a strong network now? I don’t think we’ve answered that. We haven’t answered in the U.S. whether it’s constitutional for the government to hack,” Amie Stepanovich, U.S. policy manager at Access Now, said during a panel discussion on government hacking Monday sponsored by New America.
One of the key drivers of the discussion around government hacking right now is a proposed change to Rule 41 of the Federal Rules of Criminal Procedure that would allow law enforcement agencies to seek warrants from one judge to search remote computers anywhere in the U.S. Technology companies, civil liberties groups, and some lawmakers have objected to the change, saying it would give the government too much power to hack. The change to Rule 41 would go into effect on Dec. 1 unless Congress passes legislation to prevent it.
Andrew Crocker, a staff attorney for the EFF, said the change would build on top of an already problematic investigative technique that has no explicit approval from the Supreme Court of the United States.
“The SCOTUS definitely hasn’t said government hacking is legal. There’s nothing remotely approaching a single warrant that allows the general hacking of people in many places,” Crocker said. “That’s anathema to the Fourth Amendment.”
Earlier in the day, a separate panel of technologists and attorneys discussed the government hacking question from the perspective of when the government should disclose its techniques and the vulnerabilities it uses. Both law enforcement and intelligence agencies use vulnerabilities in the course of their work, some of which are publicly known and others of which are private. The recent Shadow Brokers dump of a large set of tools and exploits believed to belong to the NSA has renewed the debate over when or if the government should disclose the bugs it uses, especially if they’re being used in national security operations.
“There’s a lot that we don’t know. We don’t actually know what the full range of their capabilities are. As a software developer, knowing that the government is one of my adversaries puts me in a very awkward position,” said Daniel Kahn Gillmor, a senior staff technologist at the ACLU and a member of the Debian Project.
“You’d like to think that law enforcement is around to protect you and make things better for you. I’m going to actively discourage my users who might talk to law enforcement about bugs to not talk to them. I want them to talk to me. The act of using these exploits is counter to the idea that they must be kept secret.”