Ten years ago, an FBI official impersonated an Associated Press reporter to lure and track a teenager suspected of sending in prank bomb threats to his school. To find him, the FBI agent, posing as a reporter, sent the teenager links to a supposed story he was working on, but the links were infested with malware that, once they were clicked, quickly exposed the teen’s location. More recently, the FBI has seized and modified websites so that they deliver malware to all visitors, indiscriminately targeting individuals who visit these sites in order to identify and track them. These examples may be the tip of the iceberg when it comes to the U.S. government’s capacity to use sophisticated hacking tools to conduct law enforcement investigations. These techniques raise serious concerns, not least because they threaten to compromise phones, computers and other devices that provide access to the most intimate details of a person’s life. It is also easy to imagine how these tools could be abused. Take one example from our neighbor south of the border: Mexican government agencies have reportedly sent malware-infested text messages to proponents of a national soda tax and other political targets in order to track and intimidate them.
On Sept. 10, Privacy International (PI), the American Civil Liberties Union (ACLU), and the Civil Liberties & Transparency Clinic of the University at Buffalo School of Law (CLTC) filed a series of Freedom of Information Act (FOIA) requests seeking essential records about the use of such hacking tools by U.S. federal law enforcement agencies. The FOIA requests aim to uncover the basic rules governing the use of these techniques, information about how frequently they are used, and any internal investigations into potential misuse. Privacy International and its partners submitted the requests to seven federal law enforcement agencies as well as four Offices of Inspector General.
Law enforcement officials have begun using commercial and bespoke hacking tools to interfere with computer systems in order to access and gather highly sensitive information, including individuals’ locations, internet activities, communications and personal files. While some of these hacking tools are developed in-house, in many instances the U.S. government has purchased these technologies from private companies.
A number of reports show that U.S. law enforcement is investing heavily in hacking technology. The FBI has spent over $1 million obtaining software to hack locked iPhones, and has indicated that it will continue to invest in such technology. Immigration and Customs Enforcement (ICE) has purchased $2 million in hacking technology from Israeli company Cellebrite, in addition to record purchases of hacking software from other technology companies. Similarly, the Drug Enforcement Agency (DEA) has spent almost $1 million on hacking technology from an Italian surveillance technology company called Hacking Team, and has expressed interest in hacking tools produced by NSO Group.
These investments in hacking technology are a cause of serious concern, as hacking presents unique and grave threats to our privacy and security. Hacking is highly intrusive, allowing for both remote access to systems and real-time surveillance. Hacking techniques may also lack particularity and minimization, particularly when they are used to obtain information pertaining to many individuals at once. Further, hacking presents equally concerning security risks, as it involves exploiting security vulnerabilities in systems that millions may use. Hacking techniques also threaten to undermine trust online, because they frequently rely on social engineering techniques or outright deception (like an FBI official pretending he’s a journalist) in order to gain access to a target system. For these reasons and others, the government’s use of hacking may violate constitutional, statutory and international human rights standards.
As it stands, the public is largely in the dark about how the government perceives the rules that govern its use of these tools for law enforcement purposes. The Fourth Amendment generally requires warrants based upon a finding of probable cause before there is a search or seizure. But it is unclear whether and when law enforcement agencies regard hacking techniques as being subject to a warrant requirement, judicial authorization short of a warrant, or no prior authorization at all. Further, little is known about the internal rules that law enforcement agencies have adopted to regulate the deployment of hacking techniques.
Privacy International and its partners are accordingly seeking information about the internal rules, protocols, and policies that govern the use of hacking techniques, as well as the government’s own interpretations of applicable statutory or constitutional provisions. The FOIA requests also seek basic information about how often, and under what circumstances, law enforcement uses these techniques to investigate civilians.
Without more information about how the government is using hacking tools, the public cannot understand and effectively regulate the government’s use of these techniques. The public should know what hacking techniques law enforcement is using, what information can be acquired from them, the rules that govern the use of these techniques, and what safeguards may be in place to limit retention and use of the information collected from hacking. Through these FOIA requests, Privacy International, the ACLU and CLTC seek to fill that gap.
* * *
Privacy International is a UK-based non-profit that advocates for strong privacy protections and surveillance safeguards in law and technology. The ACLU is a US-based non-profit that works to defend and preserve the individual rights and liberties guaranteed by the Constitution and laws of the United States. The Civil Liberties and Transparency Clinic of the University at Buffalo School of Law conducts litigation and policy advocacy to defend free speech, privacy, and other individual rights while pressing for greater transparency and accountability in government. The FOIA requests were prepared in substantial part by CLTC student attorneys including Laura Gardiner, Thora Knight, Cindy Manuele, Suzanne Starr, Colton Kells, RJ McDonald, and the author of this post, Alex Betschen.