Safeguards for “Lawful Hacking”

When and how should law enforcement organizations like the FBI be able to hack their targets? That is a looming question on the frontier of technology and law that we all need to grapple with. Lawful hacking, as this is sometimes called, is an approach that many say would allow law enforcement to meet the challenges it faces from encryption. When used appropriately, it offers a way for the FBI to get the data it needs without requiring companies to purposefully weaken the security of their products. But a lot of work needs to be done to make sure that lawful hacking actually remains lawful.

We’ve started to tackle this issue from a few directions at Mozilla. Our policy team has looked at reforms to the vulnerability disclosure process, so that agencies that hack also disclose the vulnerabilities they use in those hacks. And last month we filed a brief in an ongoing court case about what process should apply when vulnerabilities the FBI uses are disclosed in court. Today I want to dig into yet another component of this issue — internal safeguards against abuse of hacking tools.

One drawback of lawful hacking is the fact that exploitation tools used by federal agencies may be more likely to be abused than other law enforcement tools. This is the key downside of this approach; it introduces civil liberties risks and removes external checks and accountability mechanisms that must be replaced by stronger internal compliance processes.

Lawful hacking should operate under the same legal standards as traditional law enforcement tools, and federal agencies should still be required to seek court approval for hacking operations. If the FBI wants to hack into an iPhone, it should still need to go to a judge and get a warrant, just as it would if Apple was going to be compelled to unlock the phone. But, even if the same legal standards apply, there will be fewer external checks to ensure those standards are actually met. As demonstrated in the San Bernardino case, lawful hacking does not require the compelled assistance of technology companies. Those companies will not receive law enforcement requests and will not have the opportunity to ensure hacking operations are properly scoped.

More importantly, the practical effect of cutting the company out of the process is that courts could be more easily cut out of the investigative process as well. When company assistance is no longer necessary, the court’s power to compel is no longer needed by law enforcement. This removes a powerful incentive for law enforcement to seek court approval in the first place (even when approval is still legally required).

This means that law enforcement agencies like the FBI will need much stronger compliance departments to compensate for the lack of external constraints. We know very little about the FBI’s compliance program today. The FBI’s Integrity and Compliance Program was established in 2007, in response to serious deficiencies found in the Bureau’s use of National Security Letters. Indeed, experience with NSLs, which do not require court approval and typically include non-disclosure provisions, offers a cautionary tale of what can occur when external checks are removed without being replaced by stronger internal process.

Given experience with NSLs and the compliance challenges presented by lawful hacking, policymakers need to examine law enforcement compliance programs, with an eye towards identifying how they should be adapted and strengthened.

When I talk to folks about lawful hacking, their eyes often glaze over when I get to this compliance issue. It is the least juicy of all the interesting questions about lawful hacking. But I believe it is actually the most important piece of any hacking oversight structure; it is the piece we are most likely to ignore and, if ignored, will lead to huge problems.