Sections

Research

Lawful hacking and the case for a strategic approach to “Going Dark”

Susan Hennessey
Susan_Hennessey
Susan Hennessey Former Brookings Expert, Senior Counsel, National Security Division - Department of Justice

October 7, 2016


Technological advances in encryption and other forms of data security have created problems for government and law enforcement agencies. They may have an investigative need and legal right to access particular communications, but often lack the technical ability to do so. The federal government needs to take a more pragmatic approach to “lawful hacking” that will protect individual privacy and secure information but still allow law enforcement agencies to conduct criminal investigations that may be needed to protect its citizens.

U.S. Attorney General Loretta Lynch (L-R), Federal Bureau of Investigation Director James Comey and Manhattan U.S. Attorney Preet Bharara hold a news conference to announce indictments on Iranian hackers for a coordinated campaign of cyber attacks in 2012 and 2013 on several U.S. banks and a New York dam, at the Justice Department in
Editor's note:

The following brief is part of Brookings Big Ideas for America—an institution-wide initiative in which Brookings scholars have identified the biggest issues facing the country and provide ideas for how to address them. (Updated January 27, 2017)

Buy the book- Brookings Big Ideas for America

Following two years of intense discussion and a series of mutually bruising legal stand-offs, the U.S. government and Silicon Valley are no closer to resolving the “going dark” debate. Going dark refers to the phenomenon by which government agencies have a legal right to access particular communications but lack the technical ability to do so, often because technology companies have deployed strong encryption to shield the information. Not only are the various participants unable to find a resolution to the problem, they are unable to agree on the proper analogy for it—or even whether there actually is a problem.

Legislative efforts have failed. Legal battles ended without producing additional clarity. Attempts at voluntary cooperation have gone nowhere. Finding a more productive path is critical to the future public-private cooperation which will be necessary for many unrelated cybersecurity efforts. A new approach is needed.

The federal government in a new administration should adopt and articulate a pragmatic approach that fully embraces lawful hacking as a possible alternative to legislative mandates. A coordinated interagency position should clearly communicate the tradeoffs, stakes, and strategic aims of lawful hacking. Moreover, recognizing that future legislative efforts may be required, the government should seek to develop empirical data to inform long-term decisionmaking on cybersecurity policy in law enforcement investigations.

Background

In 2011, then-FBI General Counsel Valerie Caproni used the term “going dark” to describe “a potentially widening gap between our legal authority to intercept electronic communications pursuant to court order and our practical ability to actually intercept those communications.” That prediction has proved largely accurate. Although some technological developments and trends have assisted law enforcement collection, a variety of pressures place ever more communications content beyond the reach of a warrant. The underlying factors include broader adoption of end-to-end encryption, full disk encryption, and stronger security defaults, but also extend to widely-available anonymization tools, trends toward data localization, and the availability of large-storage removable media devices, among others. In short, the factors underlying the phenomenon are varied and not limited to technological developments alone.

Although going dark also impacts intelligence collection, the most pressing concerns arise in the context of law enforcement. In ordinary criminal investigations, end-to-end encrypted messaging, stronger device encryption, and IP anonymization tools present acute challenges.

The problem’s scale has increased dramatically over the past few years, as a number of major communications providers have taken steps towards offering end-to-end encrypted messaging and sophisticated device encryption broadly and by default. Anyone not holding the required keys, including the providers themselves, is unable to access communications sent using those platforms or stored on those devices. Unquestionably, these features offer substantial security benefits to consumers. But the effect—whether intentional or unintended—is that even when law enforcement obtains a warrant, the content is inaccessible unless investigators can obtain the keys directly from individuals.

What had been a simmering tension between the government and technology companies boiled over into a heated public debate in February 2016. That month, the Department of Justice sought a court order to compel Apple to assist the government in unlocking an iPhone belonging to San Bernardino terrorist Sayed Farook. The precise legal questions centered on whether a court could require Apple to provide a particular form of technical assistance, where it unquestionably retained the capacity to do so. The case resolved itself out of court when a third party demonstrated the ability to unlock the phone at issue and the government withdrew its motion. While the San Bernardino case was actually about what technical assistance a company must provide to the government where it is able, the public debate centered on a distinct, and important, question: should companies be required to ensure the government has access to communications content when required for an investigation?

At issue is the relative risks and merits of requiring “exceptional access” for law enforcement, which is often characterized by opponents as a “backdoor.”

Broadly speaking, at issue is the relative risks and merits of requiring “exceptional access” for law enforcement, which is often characterized by opponents as a “backdoor.” Most notably, Senators Dianne Feinstein and Richard Burr advanced draft legislation to require companies to retain the technical capacity to comply with court orders to produce plain text communications. This legislation would, in effect, prohibit companies from deploying security features that place communications content beyond their own reach. Critics decried the draft as technologically illiterate and dangerous, arguing that it compromised user security overall.

Unsurprisingly, the heated rhetoric allowed little room for facts and common sense. Most of the public engagements consisted of each side assuming away the other side’s concerns, either by insisting that exceptional access does not necessarily compromise information security or by alleging that law enforcement overstates its need to see communications content.

One strain of criticism to “backdoors,” however, recognized law enforcement’s concerns and offered a potential solution: so-called “lawful hacking.” Instead of creating additional vulnerabilities to an already-fragile security ecosystem in the form of exceptional access, these commentators argued that law enforcement should exploit existing vulnerabilities in software and hardware. In theory, the position offers a workable middle ground by which law enforcement is able to access a sufficient amount of communications and companies are unimpeded in designing secure systems. But in order for lawful hacking to be a meaningful alternative—as opposed to a diversionary tactic to delay government action—a number of questions must be addressed.

The government has employed hacking techniques since long before the Apple v. FBI controversy. And unsurprisingly, it faces opposition to those actions from many of the same groups that oppose exceptional access. Despite some express suggestions posing lawful hacking as an alternative to backdoors, the specific debates over the procedural rules, operational policies, and legal standards central to the feasibility of lawful hacking, have proceeded largely in parallel to the conversation regarding going dark.

In reality, the two are deeply related. Congress and the executive branch are accountable to a public that expects the government to discharge law enforcement functions. And despite critics declaring periodic victories or insisting that access to communications content is unnecessary for law enforcement, the going dark problem is not going away. Therefore, if the executive branch is unable to successfully develop lawful hacking tools to address a sufficient amount of the need for government access to communications to meet the expectations of the general public, it becomes dramatically more likely that it will feel compelled to seek comprehensive legislative solutions mandating exceptional access.

A strategic approach to moving forward

FBI Director James Comey Jr. testifies at a Senate Judiciary Committee hearing on Capitol Hill in Washington December 9, 2015. The couple who killed 14 people in San Bernardino last week were radicalized before they met online and spoke of jihad and martyrdom to each other as early as late 2013, Comey said on Wednesday. REUTERS/Joshua Roberts - RTX1XXWU
FBI Director James Comey Jr. testifies at a Senate Judiciary Committee hearing on Capitol Hill in Washington December 9, 2015. The couple who killed 14 people in San Bernardino last week were radicalized before they met online and spoke of jihad and martyrdom to each other as early as late 2013, Comey said on Wednesday. REUTERS/Joshua Roberts - RTX1XXWU

Thus far, the FBI has been the public face of the government’s engagement in the going dark debate. This has created ambiguity as to whether FBI Director Jim Comey speaks on behalf of the federal government, on behalf of law enforcement, or only for himself. The federal government is not monolithic, after all, and technological developments have uneven effects on the equities of different agencies. Therefore, it is not surprising that there is no consensus view even within government on the best way to address the problem. But the lack of any clear government position gives the impression of internecine battles and masks shared principles.

Stronger leadership is needed in order to clarify the government’s interests and goals. A coordinated interagency position does not require reaching agreement on the ultimate solution. Instead, the White House should coordinate a position that articulates the government’s view regarding the general scope and severity of the impact of going dark on law enforcement specifically.

Some forms of communication will always remain inaccessible, and the proper balance of information security and law enforcement needs will require trade-offs. But the government must be clear that the American people expect law enforcement to prevent, investigate, and prosecute crimes. It would be unacceptable and intolerable for the executive branch to simply accept that police function be significantly impaired, especially in the context of serious offenses. However, where experts agree that the most direct and comprehensive solution—a legislative decryption mandate—would have significant security downsides and potentially wide-ranging unintended consequences, prudence requires investigating potential alternatives.

It would be unacceptable and intolerable for the executive branch to simply accept that police function be significantly impaired, especially in the context of serious offenses.

The executive branch should deliberately set itself to solving as much of going dark as is possible before resorting to costly and controversial legislation, especially since it is clear that a legislative solution is unlikely to become politically feasible any time soon. Under the best outcome, a genuine investment in varied alternative strategies—possibly coupled with technological developments favoring law enforcement equities—would create a stable situation moving forward. But even if it does not, exhausting alternatives is useful in demonstrating the necessity of comprehensive mandates.

Adopting a strategic position of pursuing alternatives also has the benefit of clarifying the opposition. Many companies and advocacy organizations state that they support law enforcement action and believe crimes should be fully investigated; their objection is only to making imprudent security sacrifices to that end. This strategy would present a good-faith attempt to reconcile those views by pursuing “least bad” alternatives. But those who oppose not only performance standard legislation, but also all feasible alternatives, in effect endorse a view that it is tolerable for law enforcement to be unable to detect, prevent, investigate, or prosecute certain offenses.

Lawful hacking should be viewed as the central element of a comprehensive alternative strategy.

A national strategy on lawful hacking

Lawful hacking is a necessary, though possibly not sufficient, element of a workable solution without mandated exceptional access. Therefore, lawful hacking should be viewed as the central element of a comprehensive alternative strategy, which includes investments in using metadata and the emerging Internet of Things to offset the losses to communication content that make up the going dark problem.

The ultimate utility of lawful hacking will depend as much on legal developments as technological ones. This series of complex and interrelated legal questions is central to the future of law enforcement and U.S. national security. Those questions should not be answered haphazardly or based on the expedient incentives of individual criminal cases, and instead must be given adequate thought.

To achieve this, the administration should direct the Department of Justice to develop a national strategy on lawful hacking. Below are recommendations for elements of an effective national strategy.

Coordinate lawful hacking investigations and prosecutions.

Categories of cases related to lawful hacking should be coordinated by Main Justice, including those involving the use of sensitive government tools, novel network investigative techniques, or where a single warrant is expected to result in prosecutions in numerous but unidentified jurisdictions. Coordination ensures consistent representation of the government’s position on the legal questions central to the success of this alternative strategy.

The Department’s litigation strategy should focus on obtaining the clearest possible answers, and not fear establishing unfavorable precedents. Here, the resolution of legal questions may be more important than the answers themselves. For example, one controversy currently being litigated is whether a defendant is entitled to review sensitive computer code related to law enforcement techniques. Hacking tools are necessarily perishable, but an obligation to disclose in court would dramatically reduce the useful lifespan. While some proponents advocate for law enforcement to temporarily exploit and then quickly disclose a vulnerability for patching, this is infeasible in practice and would significantly limit the efficacy of lawful hacking as a broader solution. The sooner the executive knows whether such code must be disclosed, the sooner it can strategically invest resources in further pursing the strategy or instead seeking legislation in Congress.

Support a technologically-informed judiciary.

The executive branch should call on the Federal Judicial Center to develop a reference manual on computer science aimed at empowering the federal judiciary to independently evaluate the relevance and materiality of evidence involving computer code and information technology systems. The executive branch has a significant interest in ensuring correct, technologically informed judicial decisions related to lawful hacking and should provide technical support, and expertise to aid the development of such a guide.

The executive branch should, to the extent possible, support the designation of independent court-appointed experts. Pursuant to federal evidence rules, courts are entitled to appoint experts of its choosing. In the context of lawful hacking investigations, this would be valuable to assist judges in determining the relative credibility of defense and prosecution expert testimony. And where tools related to lawful hacking contain classified or highly-sensitive information, the government should seek to designate specially-cleared, impartial experts. This is a limited solution, but similar strategies have been successful mechanisms for independent assessment of highly-sensitive materials in the context of Foreign Intelligence Surveillance Court.

Develop Ethical Use Guidelines for federal investigatory agencies

Policy guidelines should specify the circumstances in which the use of lawful hacking is permitted. Broadly, policies should ensure that hacking techniques are deployed only after less intrusive means have been exhausted, as is required when wiretapping.

Policy should also set guidelines, similar to those for undercover operations, governing lawful hacking that temporarily facilitates criminal activity. Standards should be set to balance probable harms and benefits and to ensure criminal activity is only facilitated where strictly necessary to prevent ongoing harm.

Invest resources in investigating the most serious offenses

Lawful hacking is resource intensive, both to develop or purchase the necessary tools and to properly coordinate investigations. Consequently, executive policy should invest these limited resources in investigations of the most serious offenses—violent crime, sexual offenses against children, large-scale narcotics trafficking, and terrorism. Limiting lawful hacking to serious cases ensures appropriate allocation of research and development resources, better protects tools, and facilitates coordinated prosecution strategies.

Embrace Mass Hacking

Lawful hacking often, though not always, constitutes a search under the Fourth Amendment and thus requires law enforcement to obtain a search warrant. Opponents of lawful hacking warn of the government’s ability to target thousands of computers pursuant to a single warrant, calling it “mass hacking.” But the government should embrace mass hacking as an paradigm shift necessary for investigations to respond to going dark and the Justice Department should clearly articulate how warrants for such operations can satisfy all constitutional requirements. Individuals who use computers to facilitate the most serious offenses, particularly those related to child sexual exploitation, avail themselves of the most sophisticated available technologies to hide their identities and crimes. Because of better tools and stronger defaults, those offenders make fewer mistakes which limits available opportunities for law enforcement intervention. When opportunities to uncover serious crimes and rescue victims present—and warrants can be obtained—law enforcement should be encouraged to unmask as many offenders as possible.

Demand security in exchange for disclosure.

The government should clearly articulate the vulnerabilities equities process applicable to law enforcement hacking tools that rely on undisclosed flaws in commercial software. The public should have a clear understanding as to the considerations and safeguards in developing such tools and be confident that the balance between disclosure and use maximizes overall security benefits.

The government should mandate that technology companies that are notified of a vulnerability pursuant to the equities process either patch the flaw within a reasonable time period or provide periodic updates detailing the reason for their failure to protect consumers. This policy maximizes security benefits. The reason to disclose a vulnerability is so that it can be patched to eliminate the threat that bad actors will discover and exploit it, but disclosure represents some degree of loss to the security interests served by government use. Typically, that loss is more than offset by the ubiquitous information security gains of patching, but we should avoid the net harm that results when a vulnerability is disclosed and no patch is deployed.

Develop empirical data to inform long-term decisionmaking.

The government should seek to develop data regarding the precise scope of going dark and the impact on law enforcement. This includes tracking instances in which law enforcement was unable to effectuate a court order to view communications content and the disposition of cases where such content could not be obtained.

The government should also support empirical research regarding the probable consequences of legislative options and lawful hacking methods. For example, while software updates might provide an existing mechanism to push, in effect, malicious updates to the target of a warrant, experts fear this could result in fewer individuals updating software and create widespread insecurity. Where probable behavioral responses are measurable propositions, the government should seek evidence to inform policy that promotes cybersecurity benefits—by avoiding more drastic and potentially harmful solutions—and minimizes harm. Similarly, research is needed into the genuine consequences of law enforcement retaining vulnerabilities, which is the most controversial element of lawful hacking.

A strategic, solution-minded policy facilitates law enforcement function and allows for the development of much-needed evidence to inform law and policy choices.

Conclusion

Going dark presents fundamental tradeoffs. Maximally secure information technology systems mean paying some real costs in terms of how effective law enforcement can be. Conversely, maximally efficient law enforcement may require some genuine compromise to our information system security. Ultimately, that choice will have to be made either all at once, in the form of comprehensive legislation, or continually over time as we refine the balance through “good enough” alternatives.

Standing still, however, is not an option. The continued evolution of technologies alters the available options over time—solutions that are available today may not be in the near future. The choices here are neither easy nor obvious, but it is not yet necessary to determine the ultimate conclusion.

A strategic, solution-minded policy facilitates law enforcement function and allows for the development of much-needed evidence to inform law and policy choices. What is required now is pragmatic and clear leadership. The stakes are too high to wait.

Read more in the Brookings Big Ideas for America series »

  • Footnotes
    1. Valerie Caproni, Statement Before the House Judiciary Committee, February 17, 2011.
    2. Report of The Manhattan District Attorney’s Office on Smartphone Encryption and Public Safety, November 2015, p. 2-6.
    3. Compliance with Court Orders Act, 114th Congress (2016).
    4. Steven Bellovin et al., Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet, Northwestern Journal of Technology and Intellectual Property, Vol 12, Issue 1 (2014).
    5. Matthew Olsen et al., Don’t Panic: Making Progress on the “Going Dark” Debate, Berkman Center for Internet & Society at Harvard University (2016).
    6. Federal Rule of Evidence 706(a).
    7. 50 U.S.C. § 1803(i)(1).
    8. Ron Wyden, (2016) Wyden Calls For A Vote on SMH Act to Stop Massive Expansion of Government Hacking Into Americans’ Personal Devices [Press release].
    9. Ari Schwartz & Rob Knake, Government’s Role in Vulnerability Disclosure, Belfer Center for Science and International Affairs, Harvard Kennedy School, p. 12-14.