Whose World Is This?: US and UK Government Hacking
This piece originally appeared here.
On both sides of the Atlantic, we are witnessing the dramatic expansion of government hacking powers. In the United States, a proposed amendment to Rule 41 of the Federal Rules of Criminal Procedure would permit the government to obtain a warrant, in certain circumstances, to hack unspecified numbers of electronic devices anywhere in the world. Meanwhile, across the pond, the British Parliament is currently debating the Investigatory Powers Bill, which (among many other things) would authorize the government to hack the devices of broad classes of people without geographic limitation. The exercise of these powers will have significant implications for the privacy and security of individuals around the world and therefore commands our attention.
The American Context: One Rule to Hack Them All
Rule 41 currently prohibits, with several exceptions, magistrate judges from issuing warrants to search or seize property located outside their districts. The proposed amendment creates new exceptions for electronic devices. In particular, it would permit a magistrate judge to issue a warrant to remotely access, search, seize or copy “electronically stored information located within or outside that district” where the location of such information “has been concealed through technological means.”
A plethora of technologies “conceal” the location of “electronically stored information.” In some cases, the technology deliberately protects the privacy of the user, for example, enabling journalists to communicate with vulnerable sources. In other instances, the technology masks the user as a by-product of its core service, such as securing communications. For example, many individuals and businesses rely on virtual private networks (VPNs) — which establish encrypted connections between the user’s device and a trusted server that then appears as the source of any network activity — to send and receive sensitive data, such as financial or medical information (or even for ordinary internet usage when connecting to potentially insecure networks, such as a public Wi-Fi hotspot).
The Justice Department has explained that it seeks the proposed Rule 41 amendment to “catch and prosecute criminals who use anonymizing technologies,” such as Tor. The recent evolution of FBI hacking operations explains this focus. In the past few years, the government has embraced “watering hole attacks,” a hacking technique that targets a group of users by identifying websites frequented by such users and installing custom code that deploys malware on all devices visiting those sites. In 2012, the FBI began using watering hole attacks to identify visitors to child pornography sites hosted by servers protecting their anonymity. In 2015, a magistrate judge granted the FBI a warrant, pursuant to which it ran a watering hole attack that infected several thousand computers. In the ensuing wave of US criminal cases, some of the defendants have challenged the validity of the warrant under Rule 41, on grounds that it was executed outside of the issuing district.
The British Context: The Investigatory Powers Bill
In the UK, the Investigatory Powers Bill seeks to enshrine broad hacking powers into primary legislation. The Bill would authorize British intelligence agencies and law enforcement to hack (referred to as conducting “equipment interference” or “EI”) devices inside and outside the UK. It would further authorize the government to compel “telecommunications providers” to assist it in effecting a hacking warrant, unless “not reasonably practicable.” As Apple has objected, the term “telecommunications providers” is so broadly defined as to expand the government’s “reach beyond UK borders to … any service provider with a connection to UK customers.”
In addition to these troubling powers, the Bill permits the British government to obtain expansive hacking warrants. Under the Bill’s “targeted” hacking provisions, the government may seek a warrant that relates to a device “belonging to, used by or in the possession of a group of persons who share a common purpose or who … may carry on, a particular activity” or “belonging to, used by or in the possession of more than one person or organisation, where [hacking] is for the purpose of a single investigation or operation.” A draft Code of Practice, published by the government alongside the Bill, asserts that “it is entirely possible for a [targeted] warrant to cover a wide geographical area or involve the acquisition of a significant volume of data” and that “[t]here is no limit on the number of pieces of equipment, locations, persons or organisations to which a targeted warrant may relate.” (The Bill also authorizes intelligence agencies to hack in “bulk” when hacking overseas. A joint Parliamentary committee has failed to see “what a ‘Bulk’ EI warrant is intended to cover, and how it differs from a ‘Targeted’ EI warrant.”)
To compound matters, the Bill allows the Home Secretary to issue hacking warrants, subject only to a circumscribed review by a Judicial Commissioner. Judicial Commissioners — a new position created by the Bill — are appointed by the Prime Minister and sit for three-year terms, raising serious questions about their independence. The government is not required to seek any form of judicial approval to compel assistance from technology companies — it can merely “serve a copy of the warrant.” Thus, under this power, the government could go directly to Google, Microsoft, or myriad other service providers and seek their assistance in hacking their customers, for instance, by pushing a false security update containing malware.
Hacking and General Warrants
The troubling thread running through US and UK government hacking is the resurrection of general warrants. General warrants permit government officials to search, seize, or arrest a broad class of persons, typically on the basis of some form of undesirable conduct. In the years before the American Revolution, the British Government relied on such warrants — called “writs of assistance” — to search colonists’ homes and businesses for evidence of customs violations. Opposition to these warrants helped catalyze the Revolution and their prohibition is now inscribed in the Fourth Amendment. In the UK, the unlawfulness of general warrants shares a similarly long history and is enshrined in a celebrated line of cases from the 1760s.
The “Particularity Problem,” described by Andrew Crocker in the US context, also plagues the hacking powers in the Investigatory Powers Bill. As discussed above, the Bill’s “targeted” hacking powers do not require a warrant to specify a target at all, but can relate to broad classes of persons or property. Indeed, in a case brought by my employer, Privacy International, challenging hacking by the British signals intelligence agency, Government Communications Headquarters (GCHQ), under current UK law, the government asserted that a hacking warrant could potentially encompass all cell phones in a metropolitan area, such as London. The Bill purports to provide an “updated framework” for this power, which the government insists it already possesses under existing law.
General warrants are particularly dangerous when the government carries out hacking, which presents unique and grave threats to both our privacy and security. Hacking grants an unauthorized person access to the information on our personal digital devices, which have replaced and consolidated our address books, correspondence, journals, filing cabinets, wallets, and photo albums. Hackers can conduct real-time surveillance, covertly turning on a device’s microphone, webcam, and GPS-based locator technology. They can watch anything typed into the device, including login details and passwords, browsing histories, and draft communications the user never intended to share.
What makes general warrants so offensive is that they effectively remove judges from overseeing the executive’s determination of who is a suspect and how to investigate that target. They fail to check fishing expeditions by intelligence agencies and law enforcement. The potential for abuse is particularly acute when it comes to hacking, which is far more intrusive than other surveillance techniques, capable of probing deeply into the most intimate aspects of our lives.
At the same time, hacking has enormous security implications for the internet, particularly when deployed at the scale contemplated by general warrants. Internet security is a fragile ecosystem, where a compromised device can negatively affect many other users. Computer systems are complex and unpredictable. Malware is often not fully vetted to determine its effects and its distribution is difficult to control. The government, when targeting a specific group of individuals with a watering hole attack, cannot control who lands on an infected website. The security holes created by such an attack can remain available to anyone else to exploit, long after an investigation is complete.
The Secrecy of Government Hacking
Another disturbing aspect of government hacking in both the US and UK is the incessant secrecy swirling around the practice. The Snowden disclosures offered a startling glimpse of intelligence-related hacking by the NSA’s Tailored Access Operations, which has long “existed in the shadow recesses” of the agency, as well as by its British counterpart in GCHQ. The history and scope of law enforcement hacking in both countries have also taken the public by surprise. The recent Playpen cases have shed new light on FBI hacking, which goes back nearly two decades. And in the UK, the hacking activities of British law enforcement agencies were only revealed in November 2015 with the government’s publication of a draft version of the Investigatory Powers Bill.
The US and UK governments employ secret interpretations of law to justify hacking. Privacy International’s legal challenge to GCHQ hacking, which followed the Snowden disclosures, alleged that the British government had no clear authority under UK law to deploy these capabilities. During the proceedings, the government revealed, for the first time, that it relied on the power to interfere with “property” under the Intelligence Services Act 1994. In the draft Investigatory Powers Bill, the government also revealed, for the first time, its similar reliance on the power to interfere with “property” in the Police Act 1997 to authorize law enforcement hacking.
In the US, the legal framework for the NSA’s hacking operations likely stems from Executive Order 12333, but it remains shrouded in secrecy. While the proposed Rule 41 amendment is not a secret interpretation of law, its effect is similar. The amendment essentially operates as a fait accompli; should Congress fail to act, the amendment automatically goes into effect on December 1. By seeking the changes to Rule 41, the government is attempting to dodge a public debate and legislative approval of the expansion of law enforcement hacking powers.
The International Implications of Government Hacking
US and UK government hacking will affect individuals around the world. The Investigatory Powers Bill recognizes no geographic constraint to hacking powers, a point that prompted a joint Parliamentary committee to caution the government to “give more careful consideration to the consequences of enforcing extraterritoriality.” The proposed Rule 41 amendment authorizes warrants to hack outside the issuing judge’s district so long as the physical location of the device “has been concealed through technological means.” But devices thus cloaked may be located anywhere in the world and only by compromising them can the government determine the location of each user. Thus, the amendment is likely to dramatically expand FBI extraterritorial surveillance.
For this reason, Privacy International has joined an international coalition opposing the proposed Rule 41 amendment. This attention has led to the introduction of the Stopping Mass Hacking Act of 2016 by Sen. Ron Wyden and analogous legislation in the House, which would reject the proposed amendment. By contrast, the hacking powers in the Investigatory Powers Bill encountered little opposition during debate in the House of Commons. Nevertheless, they have attracted criticism beyond British borders, including from US-based organizations such as the Electronic Frontier Foundation, the Center for Democracy and Technology, and New America’s Open Technology Institute.
At the same time, the international implications of government hacking demand an international set of recommendations to govern this practice. In March 2015, Privacy International and Open Rights Group sketched out such a framework, based in part on the International Principles on the Application of Human Rights in Communications Surveillance. Many of the recommendations in this framework have surfaced in analyses of US government hacking, such as requiring a demonstration that less intrusive methods have been exhausted or would be futile, tight constraints around the scope of hacking, and notification to hacking targets. We must engage diverse voices, including those with technical expertise, to develop these recommendations further. To ensure their relevance, we must continue to study and document government hacking, as it manifests in jurisdictions around the world.