Hacking Necessary Safeguards

A growing number of governments around the world are embracing hacking to facilitate their surveillance activities. But many deploy this capability in secret and without a clear basis in law.

In the instances where governments seek to place such powers on statutory footing, they are often doing so without the safeguards and oversight applicable to surveillance activities under international human rights law.

Hacking can present unique and grave threats to our privacy and security. For these reasons, even where governments conduct surveillance in connection with legitimate activities, such as gathering evidence in a criminal investigation or gathering intelligence, they may never be able to demonstrate that hacking as a form of surveillance is compatible with international human rights law. To date, however, there has been insufficient public debate about the scope and nature of these powers and their privacy and security implications.

Our proposed safeguards are designed to help interested parties assess government hacking in light of applicable international human rights law. They are further designed to address the security implications of government hacking. Generally speaking, security considerations must be embedded into surveillance safeguards and oversight mechanisms. We separately explain the legal and conceptual bases for our proposed safeguards in “Government Hacking and Surveillance: Commentary to the 10 Necessary Safeguards.”

These safeguards form part of a comprehensive strategy pursued by Privacy International and others across civil society to ensure that:

  • Governments and industry prioritise defensive security;
  • Our devices, networks and services are secure and privacy-protective by design and that these protections are maintained; and
  • Legal and technological protections apply to everyone across the world.

Why we are concerned

Government hacking is unlike any other existing surveillance technique. Hacking is an attempt to understand a system better than it understands itself, and then to nudge it to do what the hacker wants. Fundamentally speaking, hacking is therefore about causing technologies to act in a manner the manufacturer, owner or user did not intend or did not foresee.

Governments can wield this power remotely, surreptitiously, across jurisdictions, and at scale. A single hack can affect many people, including those who are incidental or unrelated to a government investigation or operation.

Governments may resort increasingly to hacking to facilitate surveillance in the future. In the digital age, data about individuals often resides in the hands of companies, and those companies may be based in a foreign jurisdiction. Governments have therefore typically relied on the cooperation of a third party – a company, foreign government, or even both – to access this data. This process is typically time-consuming and may prove fruitless if the company or foreign government is unwilling or unable to provide access. Hacking can therefore be more convenient than legal processes involving multiple parties.

Sometimes companies may place their users’ data out of their own reach, for example, by choosing not to collect it or by encrypting it. Under claims of “going dark,” governments are pressuring companies for privileged access to their systems and to redesign security mechanisms. All the while, governments are developing and procuring capabilities to hack those very same companies’ products and services, which may allow them to collect data that would otherwise not be captured, or to bypass encryption and other security features.

Through hacking, governments may directly exert influence over or interfere with technologies, which are ever more seamlessly integrated into our lives, economies, and societies. Government hacking capabilities are constrained only by a government’s own resources and capacities. We believe we must prioritise systems and data security and that further constraints must be applied to restrict and restrain the power of governments to hack.

Privacy implications

Hacking permits governments remote access to systems and therefore potentially to all of the data stored on those systems. For an increasing number of people, personal digital devices contain the most private information they store anywhere, replacing and consolidating address books, physical correspondence, journals, filing cabinets, photo albums and wallets. Increasingly, governments may direct their hacking powers towards new and emerging devices, like the Internet of Things and body-worn and body-embedded devices, such as health sensors.

Hacking also permits governments to conduct novel forms of real-time surveillance. Hacking permits governments to covertly turn on a device’s microphone, camera, and GPS-based locator technology. Through hacking, a government can also capture continuous screenshots of the hacked device or see anything input into and output from that device, including login details and passwords, internet browsing histories, and documents and communications the user never intended to disseminate.

Hacking permits the manipulation of data in a world that is increasingly data-driven. By controlling the functionality of systems, hacking permits governments to delete data or recover data that has been deleted. Hacking also permits governments to corrupt or plant data, send fake communications or data from the device, or add or edit code to add new capabilities or alter existing ones and erase any trace of the intrusion. In a world where information about us is increasingly expressed as data, minute changes to that data – a password, GPS coordinates, a document – can have radical effects.

The privacy intrusions of hacking are enormously amplified should a government interfere with communications networks and their underlying infrastructure. By hacking a network provider, for instance, a government might gain access not only to the provider’s system but also, through the data stored there, to the systems of all its users. Governments may also interfere with different types of networks and their infrastructure, such as those connecting banks. Hacking directed at networks could be for the purpose of conducting surveillance against specific individuals, groups or countries, or across numerous jurisdictions.

Government hacking also encompasses the hacking of devices in the government’s physical custody. While this type of hacking raises many of the same concerns articulated above, it also presents unique privacy implications. Data that resides on devices can include data that the user of that device does not even know exists and cannot access. For instance, mobile phones may contain data the user believes was deleted or sensor-generated data unknown and unavailable to the user that could divulge biographic, physiological or biometric information.

Security implications

Government hacking for surveillance is equally concerning from a security perspective. Computer systems are complex and, almost with certainty, contain vulnerabilities. People are also complex, and their interactions with systems give rise to further vulnerabilities; people themselves can be exploited to interfere with their own systems.

Identifying vulnerabilities, testing them by developing exploits, and sharing these results is necessary for security. But government hacking for surveillance does not seek to secure systems. In the surveillance context, the government identifies vulnerabilities, not to secure systems through testing and coordinated disclosure, but to exploit them to facilitate a surveillance objective. This activity may not only undermine the security of the target system but also of other systems.

Security concerns also abound when governments take advantage of people to interfere with their own systems. Phishing, for example, is a common social engineering technique whereby a hacker impersonates a reputable person or organization. Phishing attacks typically take the form of an email or text message, which may contain a link or attachment infected with malware. These techniques prey on user trust, which is critical to maintaining the security of systems and the internet as a whole.

Security is hard, and if government agencies are actively undermining it, the whole ecosystem is placed at risk.

The 10 necessary safeguards

  • Government hacking powers must be explicitly prescribed by law and limited to those strictly and demonstrably necessary to achieve a legitimate aim. That law must be accessible to the public and sufficiently clear and precise to enable persons to foresee its application and the extent of the
  • Prior to carrying out a hacking measure, government authorities must assess the potential risks and damage to the security and integrity of the target system and systems generally, as well as of data on the target system and systems generally, and how those risks and/or damage will be mitigated or
  • Prior to carrying out a hacking measure, government authorities must, at a minimum, establish:
      • A high degree of probability that:
          • A serious crime or act(s) amounting to a specific, serious threat to national security has been or will be carried out;
          • The system used by the person suspected of
  • Prior to carrying out a hacking measure, government authorities must make an application, setting forth the necessity and proportionality of the proposed measure, to an impartial and independent judicial authority, who shall determine whether to approve such measure and oversee its implementation
  • Government authorities must not add, alter or delete data on the target system, except to the extent technically necessary to carry out the authorised hacking measure. They must maintain an independently verifiable audit trail to record their hacking activities, including any necessary additions
  • Government authorities must notify the person(s) whose system(s) have been subject to interference pursuant to an authorised hacking measure, regardless of where the person(s) reside, that the authorities have interfered with such system(s). Government authorities must also notify affected software
  • Government authorities must immediately destroy any irrelevant or immaterial data that is obtained pursuant to an authorised hacking measure. That destruction must be recorded in the independently verifiable audit trail of hacking activities. After government authorities have used data obtained
  • Government authorities must be transparent about the scope and use of their hacking powers and activities, and subject those powers and activities to independent oversight. They should regularly publish, at a minimum, information on the number of applications to authorise hacking approved and
  • When conducting an extraterritorial hacking measure, government authorities must always comply with their international legal obligations, including the principles of sovereignty and non-intervention, which express limitations on the exercise of extraterritorial jurisdiction. Government authorities
  • Persons who have been subject to unlawful government hacking, regardless of where they reside, must have access to an effective remedy.