US government hacking: preliminary findings on the FOIA replies

We are now close to receiving the final documents we demanded using the Freedom of Information Act from US agencies regarding their hacking activities, and we’re concerned with what we’ve seen thus far. You can find the disclosures here.

Key findings
  • There is increased inter-agency cooperation on hacking
  • We found confirmation that the DEA sought to acquire hacking capabilities
  • There are trainings taking place seemingly in support of government use of malware
Long Read

Privacy and security are both essential to protecting individuals, including their autonomy and dignity. Undermining privacy undermines the security of individuals, their devices and the broader infrastructure. People need privacy to freely secure themselves, their information, and fully enjoy other rights. However, a growing number of governments around the world are embracing hacking to facilitate their surveillance activities.

As a form of government surveillance, hacking presents unique and grave threats to our privacy and security. It has the potential to be far more intrusive than any other surveillance technique, permitting the government to remotely and surreptitiously access our personal devices and all the intimate information they store. It also allows the government to conduct novel forms of real-time surveillance, by covertly turning on a device’s microphone, camera, or GPS-based locator technology, or by capturing continuous screenshots or seeing anything input into and output from the device.

On 21 December 2018, Privacy International, together with the American Civil Liberties Union and the Civil Liberties & Transparency Clinic of the University at Buffalo School of Law, filed a lawsuit demanding US federal law enforcement and immigration authorities turn over information about the nature and extent of their hacking activities.

Specifically, we submitted Freedom of Information Act requests to seven Law Enforcement Agencies as well as to four US administrative offices that oversee those law enforcement agencies.

Law enforcement requests

Office of Inspector General requests

Following our lawsuit, the agencies and offices started disclosing information with regard to the aforementioned activities. We are now close to finally receiving all of the requested documents. In this blog, we provide an overview of the disclosures we have received so far. We also discuss the main issues some of them seem to raise around government hacking.

It is worth noting that not all agencies disclosed documents. Out of the 11 authorities from whom we sought information, four told us that they didn’t hold any responsive documents. The US Customs and Border Protection agency, the DHS Office of the Inspector General, the Treasury Office of the Inspector General and the Treasury Inspector General for Tax Administration responded to our request stating that they do not hold any information regarding government hacking.

The remaining seven government agencies accepted that they held responsive records, i.e. ‘matches’ for the terms we had outlined in our FOIA requests. However, we note that much of the content of the documents we received from these agencies was redacted under US Freedom of Information laws, which allow some documents or information to be exempted from disclosure provided that specific conditions are met. The dominant explanations offered by agencies as a justification for non-disclosure were that the redacted information either (i) provided specific details on techniques and procedures to be followed in an undercover operation or - yes, you guessed it - (ii) full disclosure would reveal currently used hacking techniques and/or undermine their future use.

This exercise has underlined the continuing secrecy surrounding the engagement of US agencies with extremely intrusive surveillance techniques, such as hacking, and the difficulties for civil society to ensure that governments are not putting our freedoms and the security of the Internet as a whole at stake.

Here are our key findings on the disclosures thus far.

Increased inter-departmental cooperation on hacking

The disclosures revealed that government departments were openly discussing the possibility of hacking and its legality. We saw a redacted email thread between ICE and USSS with an attachment titled “Government Use of Malware”.

We also reviewed a heavily redacted email exchange between an Attorney Advisor to the USSS and the Department of Homeland Security, with the subject line “Government Use of Malware”, in which the former asks the latter whether they had dealt with an unspecified issue presumably relating to the subject line. This early exchange may have been the start of knowledge-sharing between the USSS and the Department of Homeland Security in respect of government hacking activities.


Email from USSS to unknown recipient at the Department of Homeland Security, who we later discovered was a legal advisor at ICE’s Office of the Principal Legal Advisor.

A legal advisor at the ICE Office of the Principal Legal Advisor (“OPLA”) is shown to have replied to Steve stating that:

We have encountered this question many times and I’m happy to share my experience with you.


Email from legal advisor at ICE OPLA to attorney at USSS.

The IRS may be potentially using Adobe software to support its hacking activities

The Internal Revenue Service (IRS) disclosure revealed documents attesting to the acquisition of Adobe software, specifically the Adobe Experience Manager Document Security 6.3 Software License.

Extract from an order for supplies or services schedule mentioning Adobe products.

We didn’t think much of it at first sight. However, we later came across a heavily redacted internal IRS email mentioning the Adobe software.

Seemingly internal email exchange at the IRS.

It seemed strange that a seemingly anodyne email addressing the purchase of an Adobe package would be redacted to this extent. We read up on the IRS’ justification for redacting the email. The IRS’ explanation was, surprisingly, that the email had been redacted on account of containing information “regarding specific tools and procedures to be used to conduct a specific undercover operation which is currently ongoing”.

Extract from IRS’ Vaughn index outlining the justifications behind the redacted and/or non-disclosed material.

We are concerned that a request for information on hacking activities carried out by the IRS yielded information on the purchase and use of Adobe software, the hacking capabilities of which - if any - are currently unknown. We are left with open questions as to the role played by Adobe in enabling the government to carry out hacking activities. We can only speculate on the answers: testing the Adobe packages for security for subsequent exploitation could be an option, but equally it could also be that the IRS is using Adobe Forms to deliver malware to targets.


Staff at government agencies are receiving hacking training

Multiple disclosures by the US Department of Justice (Criminal Division) showed Powerpoint presentations covering government hacking. PI has so far found five different Powerpoint presentations touching on network investigative techniques (also referred to as “NIT”). Two of those presentations refer to Operation Torpedo - a 2011-2012 operation by the FBI which used malware to uncover child sex offenders visiting Tor-based child exploitation websites - as a “model” for future investigations.

Screenshot of Powerpoint presentation hailing Operation Torpedo as a “model” for future Tor investigations.

Operation Torpedo was the first publicly known use of malware by the FBI to target child sex offenders. In 2015, it was followed by Operation Pacifier, a controversial episode in the FBI’s history: it consisted of the FBI seizing Playpen – a site distributing child pornography – and then running it from its own servers instead of immediately shutting it down. On that occasion, the disclosure documents reveal that the site remained operational while run by the FBI, and enabled users to continue to upload child exploitation materials onto the site.

Screenshot from the FBI disclosures describing Operation Pacifier.

Operation Pacifier wasn’t an isolated US-specific operation: in fact, it was a joint investigation between the FBI, the Italian police, and Europol.

Screenshot from FBI disclosures describing Operation Pacifier as a joint investigation between international agencies.

Government hacking should be the last resort in any criminal investigation, not the starting point. However, the above PowerPoint slide seems to indicate that the US DoJ considers malware an acceptable solution for investigations involving browsers or platforms with robust built-in privacy safeguards.

“Mission creep” – the use of a surveillance technique for a broader range of purposes than originally foreseen – is not new for the US intelligence agencies. As early as 2015, there seems to have been internal pressure at the FBI for the Remote Operations Unit (ROU) to be able to support criminal cases beyond national security by using “technical capabilities”. We can make an educated guess as to what these technical capabilities are: the ROU was hacking from at least 2013.

Extract from FBI disclosures calling for ROU to support criminal investigations.

Other topics covered by the presentations include “techniques to hide your identity online”, “encryption workarounds” and “seize and takeover - NIT deployment”. It would appear that the purpose of the presentations is not merely to provide a descriptive overview of government hacking operations, but instead to equip the audience with the necessary knowledge and tools to carry out these operations.

Slide from a Powerpoint presentation obtained from the US DoJ disclosures.
Slide from a Powerpoint presentation obtained from the US DoJ disclosures.
Redacted slide from a Powerpoint presentation obtained from the US DoJ disclosures.

These Powerpoint presentations are a concerning discovery. Beyond showing an institutional reliance on hacking as an effective tool for criminal investigations and prosecutions, they cast in a negative light well-established privacy safeguards afforded online, such as encryption, and the use of browsers - such as Tor - which enable users to preserve their anonymity.

Moreover, what recent cyberattacks have underlined is that hoarding system vulnerabilities might have onerous consequences for citizens globally. WannaCry, for example, was developed by hackers who effectively managed to exploit vulnerabilities stockpiled by the United States National Security Agency (NSA), and seriously impacted European infrastructure operators in the sectors of health, energy, transport, finance and telecoms.

One DoJ presentation even went as far as listing the patching of vulnerabilities as a “limitation” on government hacking. While that may be true, such limitation should not be considered an unfortunate event, as patching vulnerabilities in software is a good thing for online users at large. It closes the loopholes that may have otherwise been exploited by malicious actors.

Slide from a Powerpoint presentation obtained from the US DoJ disclosures (sad cat meme included).

Close monitoring of the courts’ views on the legality of government hacking

The documents disclosed reveal a keen interest in the courts’ assessment of the legality of government hacking - and the admissibility of information obtained as a result of hacking in court proceedings.

Governments very often seek to justify intrusive hacking methods for law enforcement purposes. But the reality is that not all information obtained via hacking will be admissible as evidence in criminal proceedings. The concern that information obtained through government hacking could be ignored by the courts was at the forefront for many of the agencies we submitted FOIAs to.

Email from ICE legal advisor sharing news from court ruling upholding use of hacking by the FBI.

Taken alongside the email exchanges between ICE and other government agencies on the use of malware, this email is likely to have as its intended purpose the reaffirmation of hacking as an effective gateway to obtain evidence that can then be relied on in court. Agencies were quick to spread the word: hacking works (for them).

The DEA approached an Italian surveillance company to develop hacking capabilities

In 2015, an investigation by Privacy International in co-operation with VICE Motherboard, revealed that Hacking Team, a Milan-based surveillance company, had sold its Remote Control System to the US Drug Enforcement Agency and US military via a front company based in the US.

The investigation catalogued what was known about Hacking Team’s intrusive spyware that can remotely switch on the microphone on mobile phones, activate webcams, as well as modify and/or extract data from the computer or phone itself.

RCS quote addressed to the DEA revealed in 2015 investigation.

Let us break that down for you.

A 0-day vulnerability or exploit refers to a security flaw in software that is unknown to the vendor. 0-day vulnerabilities get their name from the fact that, when identified, the computer user has had “0 days” to fix them before attackers can exploit the vulnerabilities. When researchers, white-hat hackers, and others discover vulnerabilities, they usually report the flaw to the company responsible for the security of the affected software. Unfortunately, each time intelligence services use a 0-day exploit, they also risk its discovery by criminals and other foreign agents who might use it against citizens.

The recent disclosures confirm that the DEA considered acquiring overseas remote hacking capabilities from the Italian vendor Hacking Team. These could be deployed against both computer and mobile phone systems. The relevant DEA documents duly seek to make a case for the need to hack into individuals’ devices. The documents do not reveal, however, whether either institution took adequate stock of the onerous implications hacking can have and the data privacy and security risks associated with it, some of which we outlined above.

Screenshot from statement of work between the DEA and the surveillance company providing hacking solutions.

It’s not entirely clear whether the DEA tried to take advantage of any zero-day exploits. In the past, the DEA has implied it was not particularly successful with Hacking Team’s solution. Nevertheless, it is important to underline that, even if directed against specific targets in the context of a criminal investigation, for instance, these hacking techniques would still need to abide by a series of safeguards, including, among others, prior judicial authorisation, necessity and proportionality.

The documents also seem to suggest that the hacking solutions were purchased for potential use in a Spanish-speaking setting, possibly overseas. The statement of work makes reference to the need for the contractor to provide Spanish-speaking helpdesk/phone support, and interestingly asks for the RCS Advanced Training to be carried out at a US embassy.

Screenshot from the DEA Statement of Work, mentioning “Spanish speaking support”.
Screenshot from the DEA Statement of Work, mentioning that the advanced training for the hacking solutions “shall be conducted at the U.S. Embassy in…”

The part indicating the location of the embassy has been redacted. However, in 2015, The Intercept published an email suggesting that, in addition to the Hacking Team technology, the DEA is also using other spying equipment at the embassy in Colombia to perform dragnet Internet surveillance.

These findings around the potential extraterritorial use of hacking measures by the DEA raise important questions about such measures. Government authorities must always comply with their international legal obligations, including the principles of sovereignty and non-intervention, which express limitations on the exercise of extraterritorial jurisdiction. Government authorities should not use hacking to circumvent other legal mechanisms – such as mutual legal assistance treaties or other consent-based mechanisms – for obtaining data located outside their territory.

Conclusion

The disclosures received and reviewed thus far paint a concerning picture about the predisposition of US government agencies to rely on extremely intrusive hacking techniques that undermine users’ online privacy and security globally for a wide range of purposes. The exchange of information on government hacking across departments, dissemination of training materials, and product/services purchases – whether prospective or otherwise – all point towards an alarming trend: hacking is not only becoming commonplace, but potentially encouraged at an institutional level.

This presents a threat not only to individuals with high sensitivity to surveillance, but the population at large: where software vulnerabilities are allowed to persist and relied upon for law enforcement purposes, there is potential for innocent parties to be accidentally infected with government malware. Government hacking casts a wide net, not just in terms of collateral privacy damage, but also in terms of the personal data that is captured in relation to any targeted individual. Where a hacking operation results in access to a person’s files, browsing history, location, camera and microphone, the potential for unnecessary and even irrelevant personal data being captured is significantly amplified. Yet this is the nature of government malware.

We encourage our readers to continue to review the disclosures here, in an effort to identify the details of US government hacking to the fullest possible extent, so that its ramifications can be openly debated and considered. If you find something of note that you think we may have missed, drop us an email at info@privacyinternational.org.