PRIVACY INTERNATIONAL, ACLU DEMAND GOVERNMENT DISCLOSE NATURE AND EXTENT OF HACKING ACTIVITIES

FOR IMMEDIATE RELEASE

December 21, 2018

CONTACTS:

Alex Betschen, Civil Liberties & Transparency Clinic, alexbets@buffalo.edu, 716–531–6649

Colton Kells, Civil Liberties & Transparency Clinic, coltonke@buffalo.edu, 585–766–5119

Abdullah Hasan, ACLU, ahasan@aclu.org, 646–905–8879

NEW YORK — Privacy International, the American Civil Liberties Union, and the Civil Liberties & Transparency Clinic of the University at Buffalo School of Law filed a lawsuit today demanding federal law enforcement and immigration authorities turn over information about the nature and extent of their computer hacking activities.

The lawsuit was filed against 11 federal agencies, including the FBI, U.S. Customs and Border Protection, Drug Enforcement Administration, and ICE. The organizations are requesting the government disclose what hacking tools and methods the government is using, how often such tools and methods are used, the legal interpretations used to justify hacking, and any internal rules and protocols that govern the intrusive practice.

“Government hacking presents unique and grave threats to our privacy and undermines the security of our devices,” said Scarlet Kim, legal officer at Privacy International. “If the FBI can get into our phones and laptops, so can scammers or foreign adversaries. The public has a right to know how and how often the government is exploiting security holes in our personal devices to access intimate information about us or surveil us, often without our knowledge.”

Recent reports indicate the government is increasingly deploying powerful computer hacking tools to conduct criminal and immigration investigations, outside national security and foreign intelligence contexts. The tools often take advantage of security vulnerabilities in everyday personal devices, including cell phones and laptops.

In many instances, hacking involves installing malicious software on a target device, which then sends information back to law enforcement or allows agents to control the device. For example, some hacking tools allow a government agent to activate a device’s camera and microphone, to log keystrokes, or to otherwise remotely control a device’s functions. Crucially, hacking is often conducted without users being aware that they are being searched or surveilled by authorities.

“The public has a right to know the rules that apply to government use of these powerful surveillance tools,” said Jennifer Granick, surveillance and cybersecurity counsel at the ACLU Speech, Privacy, and Technology Project. “Without more information about government hacking, the public cannot decide whether or when the government should be able to deploy these methods. So far, we’ve likely only seen the tip of the iceberg when it comes to the government’s use of hacking in criminal and immigration investigations.”

While relatively little is known about the scope of the government’s hacking activities — or the rules that govern them — a handful of high-profile examples have been reported. In one case, the government set up a “watering hole” attack that spread malware to many innocent people who happened to visit websites hosted on a server that the government had commandeered. In another case, a federal agent investigating fake bomb threats at a high school impersonated an Associated Press reporter in order to deploy malware onto a suspect’s computer.

Hacking tools and services are increasingly widespread and commercially accessible. Federal agencies have already spent millions of dollars on hacking. The DEA, for example, has reportedly spent almost $1 million on hacking technology sold by the Italian surveillance technology company, Hacking Team, and was reportedly in discussions with another company, NSO Group.

“We are pursuing these requests in order to vindicate the core purpose of the Freedom of Information Act: to understand what the government is doing and to ensure the public can meaningfully engage with our democratic institutions,” said Colton Kells, a student attorney representing the plaintiffs. “The government’s refusal to shed light on its hacking activities prevents all of us from voicing informed opinions about whether, how, and when hacking should be used.”

Today’s lawsuit seeks to enforce FOIA requests by the organizations for records concerning the government’s hacking activities. To date, no agency has produced responsive records not already in the public domain.

* * *

The Civil Liberties and Transparency Clinic of the University at Buffalo School of Law defends free speech, privacy, and other individual rights while pressing for greater transparency and accountability in government. Student attorneys Alex Betschen, Colton Kells, and RJ McDonald developed this litigation under the supervision of Prof. Jonathan Manes.

The complaint can be found here: https://www.aclu.org/legal-document/privacy-international-v-fbi-hacking-foia-complaint