The increased ubiquity and sophistication of encryption presents a serious problem for law enforcement. There has been a growing gap between law enforcement’s legal authority to access and intercept information, pursuant to court orders, and its practical ability to do so because of encryption. This capabilities gap has been coined the “going dark” problem.
Exceptional Access Proposals Are Presently Insufficient to Adequately Protect Privacy
As bad actors continue to target individuals’ sensitive data, which is increasingly stored online, the government should be encouraging, not discouraging, better security practices. Forcing companies to build inherently weak security infrastructures is not a practical solution in light of 21st century challenges.
Recent proposals that advocate forcing companies to build backdoors, or “exceptional access,” into data storage and communications systems would significantly weaken online privacy protections. These proposals would require companies to design systems so that the government could always access encrypted data (with a lawful search warrant). A landmark 2015 paper written by a group of computer security experts argued that there is unlikely to be any framework that can mandate exceptional access without creating massive vulnerabilities.
According to the report, such proposals would fail for a number of reasons. First, exceptional access would prevent companies from using stronger encryption practices, such as deleting decryption keys directly after use. Second, it would force systems to be more complex, making effective security more difficult. Third, it would create easy targets for malicious hackers to focus on. Moreover, establishing any sort of exceptional access framework would be difficult not just on a national scale, but particularly on a global scale with many different jurisdictions.
It is possible that law enforcement and the technology industry will find a compromise. There could be a solution that introduces a slightly increased risk to privacy protections, which would be outweighed by the social benefits of providing for lawful access. Indeed, there are some potentially promising solutions. But because technology companies have not engaged the government in a serious discussion, law enforcement needs to resort to alternative methods, at least temporarily.
Lawful Hacking as a Temporary Alternative
To combat the going dark problem, the U.S. can develop a lawful hacking framework that enables law enforcement (with a lawful search warrant) to exploit vulnerabilities and access encrypted data. Rather than forcing companies to create backdoors, law enforcement could exploit existing security holes. Encouraging the government to hack domestic targets is ethically problematic, but the stakes are high. It is critical that law enforcement agencies continue to be able to investigate serious crimes and thwart attacks.
The government has already used lawful hacking for similar purposes, at least on a limited scale. In 2016, the Justice Department took Apple to court when the FBI was unable to access an iPhone belonging to one of the San Bernardino terrorists. The government initially contended they could not access the phone due to Apple’s encryption. However, a few weeks later, the FBI successfully unlocked the phone with assistance from a contractor. A recently-released Justice Department inspector-general report suggests the FBI’s initial failure to access the phone may have been a result of a lack of effort, rather than a technical inability to do so.
The Intelligence Community has also reportedly used internet exploits to acquire foreign intelligence. For example, the National Security Agency (NSA) allegedly exploited a major flaw in Microsoft software for over five years, using a hacking tool called EternalBlue.
The FBI should lead an effort to develop greater lawful hacking capabilities. The FBI could draw on expertise from the government, particularly the NSA, to continually search for exploitable vulnerabilities. With appropriate funding, resources, and oversight mechanisms, the system would allow the government to search encrypted data, without forcing companies to make their systems less secure. The FBI could also aid state and local law enforcement, for whom it would be more difficult to develop hacking tools.
Even as companies develop stronger encryption and digital security, the government will still be capable of finding vulnerabilities. As discussed above, the NSA, which already uses similar tools to acquire intelligence, may not be as concerned about increased encryption. In contrast to the FBI, former NSA Deputy Director Rick Ledgett has described encryption challenges differently. Ledgett noted the world was getting “dimmer,” but not “dark.”
Appropriate safeguards would also need to be established to ensure lawful hacking is only done when absolutely necessary. The government should only use these methods after agents have acquired a search warrant. But the government should further be required to certify that the search cannot be done using any other less intrusive collection technique, similar to the provision in FISA warrant applications. Some have suggested limiting lawful hacking to the most serious offenses, such as violent crime, sexual offenses against children, large-scale narcotics trafficking, and terrorism.
Potential Problems with Lawful Hacking
While lawful hacking could provide a balanced approach to the going dark problem, there are a number of potential issues. First, authorizing and encouraging the FBI to exploit digital vulnerabilities could have unintended effects. For example, after a cybercriminal group leaked the EternalBlue code online, a massive cyberattack using the exploit spread around the globe. Thus, greater government use of security exploits will increase the risk of the vulnerabilities leaking and put individuals’ data at further risk. Adequate security measures would need to be taken to ensure that the collection techniques were well protected.
Additionally, lawful hacking would create an ethical dilemma for the government. In order for the program to work, the FBI could not inform companies of (at least some of) the vulnerabilities they discover. The NSA has already confronted the same issue. After the Snowden disclosures, the Obama Administration undertook a review to determine when security flaws should be disclosed. In 2017, the Obama Administration publicly released the new guidelines. The process involves multiple federal agencies that weigh competing interests including the possible intelligence value and the risk to the public from malicious actors.
Lastly, lawful hacking is only practicable if the government is not required to disclose its access techniques to defendants during discovery. If courts require disclosure, the government would not be able to use exploits for very long, which would create an unworkable system. To address this, the government could classify its exploit tools. Under the Classified Information Procedures Act, prosecutors would only have to disclose sensitive exploits to defense counsel with a proper security clearance.
Lawful hacking could enable the government to prevent the world from going dark without forcing companies to sacrifice good security practices. Technology companies and law enforcement may be able to reach a compromise that introduces exceptional access with only a minimal amount of increased risk. But until that happens, lawful hacking should be embraced as a temporary solution.