US government hacking: preliminary findings on the FOIA replies
We are now close to receiving the final documents we demanded using the Freedom of Information Act from US agencies regarding their hacking activities, and we’re concerned with what we’ve seen thus far. You can find the disclosures here.
- There is increased inter-agency cooperation on hacking
- We found confirmation that the DEA sought to acquire hacking capabilities
- There are trainings taking place seemingly in support of government use of malware
Privacy and security are both essential to protecting individuals, including their autonomy and dignity. Undermining privacy undermines the security of individuals, their devices and the broader infrastructure. People need privacy to freely secure themselves, their information, and fully enjoy other rights. However, a growing number of governments around the world are embracing hacking to facilitate their surveillance activities.
As a form of government surveillance, hacking presents unique and grave threats to our privacy and security. It has the potential to be far more intrusive than any other surveillance technique, permitting the government to remotely and surreptitiously access our personal devices and all the intimate information they store. It also allows the government to conduct novel forms of real-time surveillance, by covertly turning on a device’s microphone, camera, or GPS-based locator technology, or by capturing continuous screenshots or seeing anything input into and output from the device.
On 21 December 2018, Privacy International, together with the American Civil Liberties Union and the Civil Liberties & Transparency Clinic of the University at Buffalo School of Law, filed a lawsuit demanding US federal law enforcement and immigration authorities turn over information about the nature and extent of their hacking activities.
Specifically, we submitted Freedom of Information Act requests to seven Law Enforcement Agencies as well as to four US administrative offices that oversee those law enforcement agencies.
Law enforcement requests
Following our lawsuit, the agencies and offices started disclosing information with regard to the aforementioned activities. We are now close to finally receiving all of the requested documents. In this blog, we provide an overview of the disclosures we have received so far. We also discuss the main issues some of them seem to raise around government hacking.
It is worth noting that not all agencies disclosed documents. Out of the 11 authorities from whom we sought information, four told us that they didn’t hold any responsive documents. The US Customs and Border Protection agency, the DHS Office of the Inspector General, the Treasury Office of the Inspector General and the Treasury Inspector General for Tax Administration responded to our request stating that they do not hold any information regarding government hacking.
The remaining seven government agencies accepted that they held responsive records, i.e. ‘matches’ for the terms we had outlined in our FOIA requests. However, we note that much of the content of the documents we received from these agencies was redacted under US Freedom of Information laws, which allows some documents or information to be exempted from disclosure provided that specific conditions are met. The dominant explanations offered by agencies as a justification for non-disclosure was that the redacted information either (i) provided specific details on techniques and procedures to be followed in an undercover operation or - yes, you guessed it - (ii) full disclosure would reveal currently used hacking techniques and/or undermine their future use.
This exercise has underlined the continuing secrecy surrounding the engagement of US agencies with extremely intrusive surveillance techniques, such as hacking, and the difficulties for civil society to ensure that governments are not putting our freedoms and the security of the Internet as a whole at stake.
Here are our key findings on the disclosures thus far.
Increased inter-departmental cooperation on hacking
The disclosures revealed that government departments were openly discussing the possibility of hacking and its legality. We saw a redacted email thread between ICE and USSS with an attachment titled “Government Use of Malware”.
We also reviewed a heavily redacted email exchange between an Attorney Advisor to the USSS and the Department of Homeland Security, with a subject line “Government Use of Malware” with the former asking the latter whether they had dealt with an unspecified issue presumably relating to the subject line. This early exchange may have been the start of knowledge-sharing across the USSS and the Department for Homeland Security in respect of government hacking activities.
It seemed strange that a seemingly anodine email addressing the purchase of an Adobe package would be redacted to this extent. We read up on the IRS’ justification for redacting the email. The IRS’ explanation was, surprisingly, that the email had been redacted on account of containing information “regarding specific tools and procedures to be used to conduct a specific undercover operation which is currently ongoing”.
We are concerned that a request for information on hacking activities carried out by the IRS yielded information on the purchase and use of Adobe software, the hacking capabilities of which - if any - are currently unknown. We are left with open questions as to the role played by Adobe in enabling the government to carry out hacking activities. We can only speculate on the answers: testing the Adobe packages for security for subsequent exploitation could be an option, but equally it could also be that the IRS is using Adobe Forms to deliver malware to targets.
Staff at government agencies are receiving hacking training
Multiple disclosures by the US Department of Justice (Criminal Division) showed Powerpoint presentations covering government hacking. PI has so far found five different Powerpoint presentations touching on network investigative techniques (also referred to as “NIT”). Two of those presentations refer to Operation Torpedo - a 2011-2012 operation by the FBI which used malware to uncover child sex offenders visiting Tor-based child exploitation websites - as a “model” for future investigations.
Operation Torpedo was the first publicly known use of malware by the FBI to target child sex offenders. In 2015, it was followed by Operation Pacifier, a controversial episode in the FBI’s history: it consisted of the FBI seizing Playpen – a site distributing child pornography – and then running it from its own servers instead of immediately shutting it down. On that occasion, the disclosure documents reveal that the site remained operational while ran by the FBI, and enabled users to continue to upload child exploitation materials onto the site.
Government hacking should be the last resort in any criminal investigation, not the starting point. However, the above Powerpoint slide seems to indicate the US DoJ considers malware is an acceptable solution for investigations involving browsers or platforms with robust in-built privacy safeguards.
“Mission creep” – the use of a surveillance technique for a broader range of purposes than originally foreseen – is not new for the US intelligence agencies. As early as 2015, there seems to have been internal pressure at the FBI for the Remote Operations Unit (ROU) to be able to support criminal cases beyond national security by using “technical capabilities”. We can make an educated guess as to what these technical capabilities are: the ROU was hacking from at least 2013.
Other topics covered by the presentations include “techniques to hide your identity online”, “encryption workarounds” and “seize and takeover - NIT deployment”. It would appear that the purpose of the presentations is not merely to provide a descriptive overview of government hacking operations, but instead to equip the audience with the necessary knowledge and tools to carry out these operations.
These Powerpoint presentations are a concerning discovery. Beyond showing an institutional reliance on hacking as an effective tool for criminal investigations and prosecutions, they cast in a negative light well-established privacy safeguards afforded online, such as encryption, and the use of browsers - such as Tor - which enable users to preserve their anonymity.
Moreover, what recent cyberattacks have underlined is that hoarding system vulnerabilities might have onerous consequences for citizens globally. WannaCry, for example, was developed by hackers who effectively managed to exploit vulnerabilities stockpiled by the United States National Security Agency (NSA), and seriously impacted European infrastructure operators in the sectors of health, energy, transport, finance and telecoms.
One DoJ presentation even went as far as listing the patching of vulnerabilities as a “limitation” on government hacking. While that may be true, such limitation should not be considered an unfortunate event, as patching vulnerabilities in software is a good thing for online users at large. It closes the loopholes that may have otherwise been exploited by malicious actors.
Close monitoring of the courts’ views on the legality of government hacking
The documents disclosed reveal a keen interest in the courts’ assessment of the legality of government hacking - and the admissibility of information obtained as a result of hacking in court proceedings.
Governments very often seek to justify intrusive hacking methods for law enforcement purposes. But the reality is that not all information obtained via hacking will be admissible as evidence in criminal proceedings. The concern that information obtained through government hacking could be ignored by the courts was at the forefront for many of the agencies we submitted FOIAs to.
Taken alongside the email exchanges between ICE and other government agencies on the use of malware, this email is likely to have as its intended purpose the reaffirmation of hacking as an effective gateway to obtain evidence that can then be relied on in court. Agencies were quick to spread the word: hacking works (for them).
The DEA approached an Italian surveillance company to develop hacking capabilities
In 2015, an investigation by Privacy International in co-operation with VICE Motherboard, revealed that Hacking Team, a Milan-based surveillance company, had sold its Remote Control System to the US Drug Enforcement Agency and US military via a front company based in the US.
The investigation catalogued what was known about Hacking Team’s intrusive spyware that can remotely switch on the microphone on mobile phones, activate webcams, as well as modify and/or extract data from the computer or phone itself.
Let us break that down for you.
A 0-day vulnerability or exploit refers to a security flaw in software that is unknown to the vendor. 0-day vulnerabilities get their name from the fact that, when identified, the computer user has had “0 days” to fix them before attackers can exploit the vulnerabilities. When researchers, white-hat hackers, and others discover vulnerabilities, they usually report the flaw to the company responsible for the security of the affected software. Unfortunately, each time intelligence services use a 0-day exploit, they also risk its discovery by criminals and other foreign agents who might use it against citizens.
The recent disclosures confirm that the DEA considered to acquiring overseas remote hacking capabilities from the Italian vendor Hacking Team. These could be deployed against both computer and mobile phone systems. The relevant DEA documents properly seek to make a case for the need for hacking into individuals’ devices. The documents do not reveal, however, if either institution took adequate stock of the onerous implications hacking can have and the data privacy and security risks associated with it, some of which we outlined above.
It’s not entirely clear whether either the DEA tried to take advantage of any zero-day exploits. In the past, the DEA has implied it was not particularly successful with Hacking Team’s solution. Nevertheless, it is important to underline that, even if directed against specific targets in the context of a criminal investigation, for instance, these hacking techniques would still need to abide by a series of safeguards, including among others prior judicial authorisation, necessity and proportionality.
What the documents seem to also suggest is the hacking solutions were purchased to be potentially used in a Spanish-speaking setting, potentially overseas. The statement of work makes reference to the need for the contractor to provide Spanish speaking helpdesk/phone support, and interestingly asks for the RCS Advanced Training to be carried out at a US embassy.
The part indicating the location of the embassy has been redacted. However, in 2015, The Intercept published an email suggesting that, in addition to the Hacking Team technology, the DEA is also using other spying equipment at the embassy in Colombia to perform dragnet Internet surveillance.
These findings around the potential extraterritorial use of hacking measures by the DEA raise important questions around the measure. Government authorities must always comply with their international legal obligations, including the principles of sovereignty and non-intervention, which express limitations on the exercise of extraterritorial jurisdiction. Government authorities should not use hacking to circumvent other legal mechanisms – such as mutual legal assistance treaties or other consent-based mechanisms – for obtaining data located outside their territory.
The disclosures received and reviewed thus far paint a concerning picture about the predisposition of US government agencies to rely on extremely intrusive hacking techniques that undermine users’ online privacy and security globally for a wide range of purposes. The exchange of information on government hacking across departments, dissemination of training materials, and product/services purchases – whether prospective or otherwise – all point towards an alarming trend: hacking is not only becoming commonplace, but potentially encouraged at an institutional level.
This presents a threat not only to individuals with high sensitivity to surveillance, but the population at large: where software vulnerabilities are allowed to persist and relied upon for law enforcement purposes, there is potential for innocent parties to be accidentally infected with government malware. Government hacking casts a wide net, not just in terms of collateral privacy damage, but also in terms of the personal data that is captured in relation to any targeted individual. Where a hacking operation results in access to a person’s files, browsing history, location, camera and microphone, the potential for unnecessary and even irrelevant personal data being captured is significantly amplified. Yet this is the nature of government malware.
We encourage our readers to continue to review the disclosures here. in an effort to identify the details of US government hacking to the fullest possible extent, so its ramifications can be openly debated and considered. If you find something of note that you think we may have missed, drop us an email at email@example.com.