We’re Suing the Government to Learn Its Rules for When It Hacks Into People’s Devices
Federal law enforcement is deploying powerful computer hacking tools to conduct domestic criminal and immigration investigations.
By Alex Betschen, Student Attorney, Civil Liberties & Transparency Clinic, University at Buffalo School of Law
Hacking by the government raises grave privacy concerns, creating surveillance possibilities that were previously the stuff of science fiction. It also poses a security risk, because hacking takes advantage of unpatched vulnerabilities in our devices and software.
By hacking into a phone, laptop, or other device, federal agents can obtain all kinds of sensitive, confidential information. They can even activate a device’s camera and microphone, log keystrokes, or otherwise hijack a device’s functions. Often, users are completely unaware that they are being surveilled.
Given the serious issues at stake, the public has a right to know the nature and extent of the government’s hacking activities and, importantly, the rules that govern these powerful surveillance tools. But so far, most of what we know is based on scattered news accounts.
That’s why on Friday, Privacy International, the ACLU, and the Civil Liberties & Transparency Clinic of the University at Buffalo School of Law filed a Freedom of Information Act lawsuit demanding disclosure of basic information about government hacking. We’re suing seven federal criminal and immigration enforcement agencies, including the FBI, Immigration and Customs Enforcement, and the Drug Enforcement Administration.
The lawsuit demands that the agencies disclose which hacking tools and methods they use, how often they use them, the legal basis for employing these methods, and any internal rules that govern them. We are also seeking any internal audits or investigations related to their use.
The little that we do know about government hacking is very troubling. In one case, the government commandeered an internet hosting service in order to set up a “watering hole” attack that may have spread malware to many innocent people who visited websites on the server. In another case, an FBI agent investigating fake bomb threats impersonated an Associated Press reporter in order to deploy malware on a suspect’s computer. The agent, posing as a reporter, created a fake story and sent a link to the story to a high school student. When the student visited the website, it implanted malware on his computer in order to report back identifying information to the FBI.
Recent news stories suggest that the FBI is deploying these techniques for investigating increasingly ordinary crimes. Motherboard reported last month that the bureau impersonated FedEx and created malware-laden Word documents and images in order to investigate an internet scammer, likely the one who allegedly defrauded the Wegmans supermarket chain on seafood orders.
We also know that the federal government has spent big sums on hacking tools and services. The DEA has reportedly spent almost $1 million on remote hacking technology sold by Hacking Team, an Italian surveillance technology company.
Without an understanding of what the government is doing — and what rules it follows — it is impossible for the public to meaningfully determine whether and when the government should engage in hacking, whether the government is collecting excessive information about the people it surveils, and how investigators handle innocent bystanders’ information. It is also impossible to determine how the government’s hacking impacts cybersecurity for everyone using the internet.
Our lawsuit is meant to shine a light on these activities and to hold government accountable, allowing meaningful public deliberations about activities that profoundly affect people’s rights and liberties.