We Need Stronger Regulations Regarding U.S. Law Enforcement Hacking of Devices Abroad

FBI emblem

This piece was orignally published in Slate in February 2017

In 2015, the FBI obtained a warrant to hack the devices of every visitor to a child pornography website. On the basis of this single warrant, the FBI ultimately hacked more than 8,700 computers, resulting in a wave of federal prosecutions. The vast majority of these devices—over 83 percent—were located outside the United States, in more than 100 different countries. Now, we are in the midst of the first cases to work their way through the appellate courts—and it should inspire new scrutiny of the FBI’s extraordinary power to hack devices abroad.

The abuse of children is a heinous crime, and child pornography fuels and profits from that abuse. So of course law enforcement must be able to develop techniques to adequately investigate such exploitation. But government hacking is a powerful tool. Far from limited to prosecution of child pornographers, it can have unforeseen consequences for individuals around the world.

Much of the public debate concerning these cases has centered around the domestic law and policy governing the FBI’s power to hack, including its compliance with the requirements of the Fourth Amendment. But the FBI’s hacking of thousands of devices abroad—which it conducted unilaterally, without the consent of other states—also carries profound foreign relations and security risks. Those risks are particularly alarming given the current state of U.S. foreign policy under President Trump.

Well-established international law prohibits countries from exercising law enforcement functions in other countries without consent. Otherwise, it can be interpreted as a violation of sovereignty, stoking diplomatic conflict. It may also interfere with active criminal investigations by the other country’s authorities. Or it might even infringe the other country’s domestic laws. For instance, in 2002, Russia’s Federal Security Service filed criminal charges against an FBI agent for hacking a Russian server as part of an investigation.

In the digital realm, unilateral investigative actions abroad may heighten the risk of diplomatic conflict. Unlike, for example, the FBI rifling through a person’s papers, the nature, scope and purpose of a digital hack may not be immediately clear. Was the purpose of the hack to conduct surveillance, steal information, or interfere with political institutions? It may also be difficult to identify the actor behind the hack. Was it another state, hackers who may or may not be affiliated with that state, or a group of criminals?

We have yet to see public evidence of such tensions stemming from the child pornography cases. Perhaps in part because of the nature of the crime, countries are reluctant to make a fuss. But the government admitted in a 2014 memo that it plans to use hacking in other criminal investigations, and there’s no limitation on the type of crimes for which it can use such techniques. As the FBI continues to run hacking operations—each with the potential to affect thousands of devices—the likelihood of diplomatic conflict only increases.

The foreign relations risks posed by FBI hacking come at a time of increased international uncertainty and anxiety about the United States. The “Muslim ban” has unleashed worldwide antipathy. Trump’s strident language on Taiwan and the South China Sea has injected volatility into Sino-American relations. His criticism of the European Union has angered its leaders. And he recently berated the prime minister of Australia during what should have been a routine, cordial exchange. FBI hacking abroad could further negatively impact U.S. foreign relations.  

Americans would surely reject the prospect of other countries unilaterally hacking their devices, even for law enforcement purposes. At the moment, high-profile hacks in the United States, including those potentially undertaken by foreign actors, are dominating the public conversation. These experiences have heightened public concern regarding digital privacy and security. FBI hacking abroad could feed charges of hypocrisy by other countries when the United States complains about breaches. An investigation into child pornography might be different than interfering with another nation’s election—but hacking in either context produce similar foreign relations risks.

The enormous potential repercussions—foreign and domestic—of FBI hacking should give us serious pause, even if they take place outside of public view. In December 2016, amendments to the Federal Rules of Criminal Procedure went into effect, which significantly expanded the government’s authority to hack, including abroad. Congress has, thus far, failed to address these changes, which demand a robust public debate. The courts are currently the primary venue for addressing certain limits to FBI hacking, but they are ill-suited to consider (among other things) the foreign implications of this power. The current wave of cases therefore call renewed attention to the need for a broader debate about whether to endow the FBI with such a dangerous and expansive capability.