Government Hacking and Subversion of Digital Security
Too often, the policies and practices of law enforcement and intelligence agencies can be disastrous for security.
Attempts to weaken encryption through law, policy, or informal pressure can make technology devices less secure for everyone. Government agents may infiltrate, copy, delete, or damage data during digital investigations. The government may even actively create and disseminate malware that can damage computers. We’ve seen these dangerous techniques employed both in the United States and in countries around the world, and they inevitably have the same consequence: we are less secure.
Government attacks on security come in many disguises, including:
- State-sponsored malware. The government will design and deploy malicious code that infects computers, a technique often employed by authoritarian governments to uncover or silence dissent. Read about state-sponsored malware.
- Stockpiling or exploiting vulnerabilities. The government may find or purchase details of security vulnerabilities and then use them for investigative or "offensive" purposes. The U.S. government has created a policy, known as the Vulnerabilities Equities Process (VEP), to decide whether to disclose information about security vulnerabilities or instead withhold this information for its own purposes. This process is opaque, leaving the public in the dark about how frequently security vulnerabilities are left unaddressed. Although the government says the process is biased in favor of disclosure, there is no requirement in the VEP to tell technology makers about their security flaws.
- Promoting crypto backdoors. Whether through legislation, litigation, or unofficial pressure, government attempts to undermine crypto, defeat security features, obtain “keys” to unlock encrypted data, or insert vulnerabilities into software make us all less secure.
- Malicious hacking. Whether sanctioned by a court or not, the government may actively break into computers remotely. Agents may access, copy, delete, or even create data in order to suit their needs. Too often, these practices are shrouded in secrecy with inadequate oversight by the judicial system, beginning with opaque and overbroad warrants authorizing installation of malware, all the way up to refusals to share details of the malware with defendants as part of a fair trial.
These tools can have dire consequences for the security and privacy of users who have done nothing wrong and are not even connected to an investigation. In other cases, these tools are disproportionate to the threat, wreaking havoc on users’ computers when less invasive techniques would have been appropriate.
In balancing the need for strong security against the potential benefit of hacking and other anti-security techniques, the government—including the courts—must carefully consider the costs to society. The public needs to be able to access secure digital tools. And as a society, we have an interest in protecting innocent users from the collateral effects of intrusive surveillance, whether by law enforcement and intelligence agencies.
Above all, the government must be accountable to the people, and that means promoting strong crypto and security.
EFF Related Content: Government Hacking and Subversion of Digital Security
- With the global and debilitating WannaCry ransomware attack dominating the news in recent weeks, it’s increasingly necessary to have a serious policy debate about disclosure and patching of vulnerabilities in hardware and software. Although WannaCry takes advantage of a complex and collective failure in protecting key computer...
- Over the weekend a cyber attack known as " WannaCry " infected hundreds of computers all over the world with ransomware (malware which encrypts your data until you pay a ransom, usually in Bitcoin). The attack takes advantage of an exploit for Windows...
- The federal government thinks it should be able to use one warrant to hack into an untold number of computers located anywhere in the world. But EFF and others continue to make the case that the Fourth Amendment prohibits this type of blanket warrant. And courts are starting to listen...
- The Electronic Frontier Foundation, for example, commended the feds for asking a judge to review exactly what data the FBI would and would not touch in victimized devices, which were located across the country. It was a "positive step" toward accountability and transparency in FBI computer break-ins, EFF staff attorney...