Law Enforcement and Investigative Hacking: A Not-So-New Strategy

We’re all familiar with the case of the FBI hacking the San Bernardino-related iPhone earlier this year. While this may be the most high profile example of law enforcement using hacking as an investigative tool, it certainly isn’t the first. New America has published “A Brief History of Law Enforcement Hacking in the United States”, a report which examines the historical examples of law enforcement hacking as a means to engage more of the population in an illustrative policy discussion. “Under what legal authority can this type of hacking be authorized? […] How can the privacy of third parties be protected when investigating a single individual? […] How should law enforcement minimize the collection of data that isn’t relevant to their investigation?” The report is asking the hard questions, and it seems that, to date, law enforcement hasn’t provided much in the way of answers.

January 1999: The FBI installs a Key Logger System (KLS) on the computer of Nicodemo Scarfo, which is used to decrypt an incriminating file. Scarfo challenges the legality of this, but the FBI pleads the fifth and says “classified” when a judge asks for more information on the technology.

May 2007: The FBI is granted a search warrant to use a Computer and Internet Protocol Address Verifier (CIPAV) to track down the source of the recurring bomb threats against Timberline High School in Washington. CIPAV was activated via a fake news article link sent to the suspected account, and the suspect was arrested and pleaded guilty. According to the report, “As early as 2002, however, an internal memo was circulated warning law enforcement that overuse of this technique could result in exclusion of important evidence in court. This means that CIPAV has been popular for a long time, and much more so than the public records illustrate.”

March 2013: The Court pushes back when Texas Judge Stephen Smith rejects a warrant request from the FBI based on the Fourth Amendment’s protection against unreasonable search and seizure. The FBI intended to collect not only IP address, but also passwords, documents, correspondence, and take pictures from the computer’s camera. Judge Smith’s ruling is not binding in other similar cases, and it seems that the government continues to push for revisions to the federal rule at the foundation of Smith’s opinion.

2012: FBI and Europol exploit Tor (The Onion Router) vulnerabilities to infiltrate criminal and contraband sites. When asked about the concerns regarding the compromise of software and the information of innocent Tor users, a Europol representative commented that “This is something we want to keep for ourselves. The way we do this, we can’t share with the whole world, because we want to do it again and again and again.”

2014-2016: The FBI infiltrates the child pornography site Playpen by seizing the server in North Carolina hosting the website. The FBI obtains a warrant to use a “network investigative technique” (NIT) to identify Playpen users and bypass Tor anonymity. The NIT led to 1,300 actual computer addresses and the charging of 137 individuals in the U.S. Here’s the rub: these searches also extended to other countries besides the United States. Remote searches were conducted in Greece, Chile, Denmark, Colombia, and Austria. An entirely warranted question from a defense attorney in a resulting hearing asked “What authority did a judge in the Eastern District of Virginia have to approve a search that was executed thousands [of] miles away on a computer in Washington state?” When probed about the technology and exploited vulnerabilities, the FBI again kept silent.

We’re at a crossroads, an “intersection of criminal justice and modern technology”. As law enforcement’s hacking technologies and abilities expand, so do the encryption capabilities that protect user data. As December approaches, Congress’ decision on Rule 41, and whether or not to pass the Stopping Mass Hacking Act, will play a big role in determining the way forward.