Why we are concerned
Government hacking is unlike any other existing surveillance technique. Hacking is an attempt to understand a system better than it understands itself, and then to nudge it to do what the hacker wants. Fundamentally speaking, hacking is therefore about causing technologies to act in a manner the manufacturer, owner or user did not intend or did not foresee.
Governments can wield this power remotely, surreptitiously, across jurisdictions, and at scale. A single hack can affect many people, including those who are incidental or unrelated to a government investigation or operation.
Governments may resort increasingly to hacking to facilitate surveillance in the future. In the digital age, data about individuals often resides in the hands of companies, and those companies may be based in a foreign jurisdiction. Governments have therefore typically relied on the cooperation of a third party – a company, foreign government, or even both – to access this data. This process is typically time-consuming and may prove fruitless if the company or foreign government is unwilling or unable to provide access. Hacking can therefore be more convenient than legal processes involving multiple parties.
Sometimes companies may place their users’ data out of their own reach, for example, by choosing not to collect it or by encrypting it. Under claims of “going dark,” governments are pressuring companies for privileged access to their systems and to redesign security mechanisms. All the while, governments are developing and procuring capabilities to hack those very same companies’ products and services, which may allow them to collect data that would otherwise not be captured, or to bypass encryption and other security features.
Through hacking, governments may directly exert influence over or interfere with technologies, which are ever more seamlessly integrated into lives, economies, and societies. Government hacking capabilities are constrained only by a government’s own resources and capacities. We believe we must prioritise systems and data security and that further constraints must be applied to restrict and restrain the power of governments to hack.
Hacking permits governments remote access to systems and therefore potentially to all of the data stored on those systems. For an increasing number of people, personal digital devices contain the most private information they store anywhere, replacing and consolidating address books, physical correspondence, journals, filing cabinets, photo albums and wallets. Increasingly, governments may direct their hacking powers towards new and emerging devices, like the Internet of Things and body-worn and -embedded devices, such as health sensors.
Hacking also permits governments to conduct novel forms of real-time surveillance. Hacking permits governments to covertly turn on a device’s microphone, camera, and GPS-based locator technology. Through hacking, a government can also capture continuous screenshots of the hacked device or see anything input into and output from that device, including login details and passwords, internet browsing histories, and documents and communications the user never intended to disseminate.
Hacking permits the manipulation of data in a world that is increasingly data-driven. By controlling the functionality of systems, hacking permits governments to delete data or recover data that has been deleted. Hacking also permits governments to corrupt or plant data, send fake communications or data from the device, or add or edit code to add new capabilities or alter existing ones and erase any trace of the intrusion. In a world where information about us is increasingly expressed as data, minute changes to that data – a password, GPS coordinates, a document – can have radical effects.
The privacy intrusions of hacking are enormously amplified should a government interfere with communications networks and their underlying infrastructure. By hacking a network provider, for instance, a government might gain access not only to the provider’s system, but also through the data stored there, to the systems of all its users. Governments may also interfere with different types of networks and their infrastructure, such as those connecting banks. Hacking directed at networks could be for the purpose of conducting surveillance against specific individuals, groups or countries, or across numerous jurisdictions.
Government hacking also encompasses the hacking of devices in the government’s physical custody. While this type of hacking raises many of the same concerns articulated above, it also presents unique privacy implications. Data that resides on devices can include data that the user of that device does not even know exists and cannot access. For instance, mobile phones may contain data the user believes was deleted or sensor-generated data unknown and unavailable to the user that could divulge biographic, physiological or biometric information.
Government hacking for surveillance is equally concerning from a security perspective. Computer systems are complex and, almost with certainty, contain vulnerabilities. People are also complex, and their interactions with systems also give rise to vulnerabilities; people can be exploited to interfere with their own systems.
Identifying vulnerabilities, testing them by developing exploits, and sharing these results is necessary for security. But government hacking for surveillance does not seek to secure systems. In the surveillance context, the government identifies vulnerabilities, not to secure systems through testing and coordinated disclosure, but to exploit them to facilitate a surveillance objective. This activity may undermine the security not only of the target system but also of other systems.
Security concerns also abound when governments take advantage of people to interfere with their own systems. Phishing, for example, is a common social engineering technique whereby a hacker impersonates a reputable person or organization. Phishing attacks typically take the form of an email or text message, which may contain a link or attachment infected with malware. These techniques prey on user trust, which is critical to maintaining the security of systems and the internet as a whole.
Security is hard and the government is not the only critical actor. For a more detailed discussion of the interplay between security and hacking, see our piece, “A conflict of security: why we are so concerned about government hacking from a security perspective.”