
Government Hacking and Surveillance: 10 Necessary Safeguards

A growing number of governments around the world are embracing hacking to facilitate their surveillance activities. But many deploy this capability in secret and without a clear basis in law. In the instances where governments seek to place such powers on statutory footing, they are often doing so without the safeguards and oversight applicable to surveillance activities under international human rights law.

Hacking can present unique and grave threats to our privacy and security. For these reasons, even where governments conduct surveillance in connection with legitimate activities, such as gathering evidence in a criminal investigation or intelligence, they may never be able to demonstrate that hacking as a form of surveillance is compatible with international human rights law. To date, however, there has been insufficient public debate about the scope and nature of these powers and their privacy and security implications.

Our proposed safeguards are designed to help interested parties assess government hacking in light of applicable international human rights law. They are further designed to address the security implications of government hacking. Generally speaking, security considerations must be embedded into surveillance safeguards and oversight mechanisms. We separately explain the legal and conceptual bases for our proposed safeguards in “Government Hacking and Surveillance: Commentary to the 10 Necessary Safeguards.”   

These safeguards form part of a comprehensive strategy pursued by Privacy International and others across civil society to ensure that:

  • Governments and industry prioritise defensive security;
  • Our devices, networks and services are secure and privacy-protective by design and that these protections are maintained; and 
  • Legal and technological protections apply to everyone across the world.

Scope of Our Safeguards

The term "hacking" is difficult to define. For these safeguards, Privacy International posits the following definition:

Hacking is an act or series of acts which interfere with a system, causing it to act in a manner unintended or unforeseen by the manufacturer, user or owner of that system. System refers to any combination of hardware and software, or to a component thereof.

Privacy International recognises that there may be instances of government hacking that do not conform to this definition and should nonetheless be subject to scrutiny. We are open to feedback as to how to alter this definition to accommodate those other forms of government hacking.

Governments conduct hacking for a broad range of purposes. The safeguards only address hacking activities whose purpose is either to gather evidence in a criminal investigation or intelligence or to assist the evidence or intelligence gathering process. The safeguards do not address hacking that rises to the level of a threat or a use of force or armed attack, or which is conducted as part of an active armed conflict. For example, a hacking operation to shut down critical infrastructure, such as an energy grid, in a foreign country would not be covered by these safeguards. However, an operation to re-route the traffic of a telecommunications provider so that such traffic will flow past an interception point, would be subject to these safeguards. 

The safeguards apply to government hacking conducted both within the territory of a state and extraterritorially. One of the safeguards also explicitly addresses hacking conducted extraterritorially. The safeguards apply regardless of whether hacking is conducted by government officials or persons exercising elements of governmental authority, directed or controlled by a government, or whose conduct is later acknowledged and adopted by a government as its own.

Government hacking powers must be explicitly prescribed by law and limited to those strictly and demonstrably necessary to achieve a legitimate aim. That law must be accessible to the public and sufficiently clear and precise to enable persons to foresee its application and the extent of the interference. It should be subject to periodic review by means of a participatory legislative process.


Prior to carrying out a hacking measure, government authorities must assess the potential risks and damage to the security and integrity of the target system and systems generally, as well as of data on the target system and systems generally, and how those risks and/or damage will be mitigated or corrected. Government authorities must include this assessment in any application in support of a proposed hacking measure.

Government authorities must not compel hardware or software manufacturers or service providers to facilitate government hacking, including by compromising the security and integrity of their products and services.


Prior to carrying out a hacking measure, government authorities must, at a minimum, establish:

  1. A high degree of probability that:
    1. A serious crime or act(s) amounting to a specific, serious threat to national security has been or will be carried out;

    2. The system used by the person suspected of committing the serious crime or act(s) amounting to a specific, serious threat to national security contains evidence relevant and material to the serious crime or act(s) amounting to a specific, serious threat to national security interest alleged;

    3. Evidence relevant and material to the serious crime or act(s) amounting to a specific, serious threat to national security alleged will be obtained by hacking the target system;

  2. To the greatest extent possible, the identity of the person suspected of committing the serious crime or act(s) amounting to a specific, serious threat to national security and uniquely identifying details of the target system, including its location and specific configurations;

  3. All less intrusive methods have been exhausted or would be futile, such that hacking is the least intrusive option;

  4. The method, extent and duration of the proposed hacking measure;

  5. Data accessed and collected will be confined to that relevant and material to the serious crime or act(s) amounting to a specific, serious threat to national security alleged and the measures that will be taken to minimise access to and collection of irrelevant and immaterial data;

  6. Data will only be accessed and collected by the specified authority and only used and shared for the purpose and duration for which authorisation is given;

  7. The potential risks and damage to the security and integrity of the target system and systems generally, as well as of data on the target system and systems generally, and how those potential risks and damage will be mitigated or corrected, so as to enable an assessment of the proportionality of the proposed hacking measure against its security implications.

Prior to carrying out a hacking measure, government authorities must make an application, setting forth the necessity and proportionality of the proposed measure to an impartial and independent judicial authority, who shall determine whether to approve such measure and oversee its implementation. The judicial authority must be able to consult persons with technical expertise in the relevant technologies, who may assist the judicial authority in understanding how the proposed measure will affect the target system and systems generally, as well as data on the target system and systems generally. The judicial authority must also be able to consult persons with expertise in privacy and human rights, who may assist the judicial authority in understanding how the proposed measure will interfere with the rights of the target person and other persons.


Government authorities must not add, alter or delete data on the target system, except to the extent technically necessary to carry out the authorised hacking measure. They must maintain an independently verifiable audit trail to record their hacking activities, including any necessary additions, alterations or deletions. Where government authorities rely on data obtained through an authorised hacking measure, they must disclose the method, extent and duration of the hacking measure and their audit trail so that the target person can understand the nature of the data obtained and investigate additions, alterations or deletions to information or breaches of the chain of custody, as appropriate.


Government authorities must notify the person(s) whose system(s) have been subject to interference pursuant to an authorised hacking measure, regardless of where the person(s) reside, that the authorities have interfered with such system(s). Government authorities must also notify affected software and hardware manufacturers and service providers, with details regarding the method, extent and duration of the hacking measure, including the specific configurations of the target system. Delay in notification is only justified where notification would seriously jeopardise the purpose for which the hacking measure was authorised or there is an imminent risk of danger to human life, and authorisation to delay notification is granted by an impartial and independent judicial authority.


Government authorities must immediately destroy any irrelevant or immaterial data that is obtained pursuant to an authorised hacking measure. That destruction must be recorded in the independently verifiable audit trail of hacking activities. After government authorities have used data obtained through an authorised hacking measure for the purpose for which authorisation was given, they must return this data to the target person and destroy any other copies of the data.


Government authorities must be transparent about the scope and use of their hacking powers and activities, and subject those powers and activities to independent oversight. They should regularly publish, at a minimum, information on the number of applications to authorise hacking approved and rejected; the identity of the applying government authorities; the offences specified in the applications; and the method, extent and duration of authorised hacking measures, including the specific configurations of target systems. 


When conducting an extraterritorial hacking measure, government authorities must always comply with their international legal obligations, including the principles of sovereignty and non-intervention, which express limitations on the exercise of extraterritorial jurisdiction. Government authorities must not use hacking to circumvent other legal mechanisms – such as mutual legal assistance treaties or other consent-based mechanisms – for obtaining data located outside their territory. These mechanisms must be clearly documented, publicly available, and subject to guarantees of procedural and substantive fairness. 


Persons who have been subject to unlawful government hacking, regardless of where they reside, must have access to an effective remedy.