In our society, the rule of law sets limits on what government can and cannot do, no matter how important its goals. To give a simple example, even when chasing a fleeing murder suspect, the police have a duty not to endanger bystanders. The government should pay the same care to our safety in pursuing threats online, but right now we don’t have clear, enforceable rules for government activities like hacking and “digital sabotage.” And this is no abstract question—these actions increasingly endanger everyone’s security.
The problem became especially clear this year during the San Bernardino case, involving the FBI’s demand that Apple rewrite its iOS operating system to defeat security features on a locked iPhone. Ultimately the FBI exploited an existing vulnerability in iOS and accessed the contents of the phone with the help of an “outside party.” Then, with no public process or discussion of the tradeoffs involved, the government refused to tell Apple about the flaw.Despite the obvious fact that the security of the computers and networks we all use is both collective and interwoven—other iPhones used by millions of innocent people presumably have the same vulnerability—the government chose to withhold information Apple could have used to improve the security of its phones.
Other examples include intelligence activities like Stuxnet and Bullrun, and law enforcement investigations like the FBI’s mass use of malware against Tor users engaged in criminal behavior. These activities are often disproportionate to stopping legitimate threats, resulting in unpatched software for millions of innocent users, overbroad surveillance, and other collateral effects.
That’s why we’re working on a positive agenda to confront governmental threats to digital security. Put more directly, we’re calling on lawyers, advocates, technologists, and the public to demand a public discussion of whether, when, and how governments can be empowered to break into our computers, phones, and other devices; sabotage and subvert basic security protocols; and stockpile and exploit software flaws and vulnerabilities.
Smart people in academia and elsewhere have been thinking and writing about these issues for years. But it’s time to take the next step and make clear, public rules that carry the force of law to ensure that the government weighs the tradeoffs and reaches the right decisions.
This long post outlines some of the things that can be done. It frames the issue, then describes some of the key areas where EFF is already pursuing this agenda—in particular formalizing the rules for disclosing vulnerabilities and setting out narrow limits for the use of government malware. Finally it lays out where we think the debate should go from here.
Recognizing That Government Intrusion and Subversion of Digital Security Is a Single Issue
The first step is to understand a wide range of government activities as part of one larger threat to security. We see the U.S. government attempt to justify and compartmentalize its efforts with terms like “lawful hacking” and “computer network attack.” It is easy for the government to argue that the FBI’s attempts to subvert the security of Apple iOS in the San Bernardino case are entirely unrelated to the NSA’s apparent sabotage of the Dual_EC_DRBG algorithm. Likewise, the intelligence community’s development of the Stuxnet worm to target the Iranian nuclear program was governed by a set of rules entirely separate from the FBI’s use of malware to target criminals using Tor hidden services.
These activities are carried out by different agencies with different missions. But viewing them as separate—or allowing government to present it that way—misses the forest for the trees. When a government takes a step to create, acquire, stockpile or exploit weaknesses in digital security, it risks making us all less safe by failing to bolster that security.
Each of these techniques should involve consideration of the tradeoffs involved, and none of them should be viewed as risk-free to the public. They require oversight and clear rules for usage, including consideration of the safety of innocent users of affected technologies.
There is hope, albeit indirectly. In the United States, high-ranking government officials have acknowledged that “cyber threats” are the highest priority, and that we should be strengthening our digital security rather weakening it to facilitate government access. In some cases, this is apparently reflected in government policy. For instance, in explaining the government’s policy on software vulnerabilities, the cybersecurity coordinator for the White House and the Office of the Director of National Intelligence have both stated in blog posts that the there is a “strong presumption” in favor of disclosing these vulnerabilities to the public so they can be fixed.
But the government shouldn’t engage in “policy by blog post.” Government action that actively sabotages or even collaterally undermines digital security is too important to be left open to executive whim.
Finding Models for Transparency and Limits on When Government Can Harm Digital Security
While government hacking and other activities that have security implications for the rest of us are not new, they are usually secret. We should demand more transparency and real, enforceable rules.
Fortunately, this isn’t the first time that new techniques have required balancing public safety along with other values. Traditional surveillance law gives us models to draw from. The Supreme Court’s 1967 decision in Berger v. New York is a landmark recognition that electronic wiretapping presents a significant danger to civil liberties. The Court held that because wiretapping is both invasive and surreptitious, the Fourth Amendment required “precise and discriminate” limits on its use.
Congress added considerable structure to the Berger Court’s pronouncements with the Wiretap Act, first passed as Title III of the Omnibus Crime Control and Safe Streets Act of 1968. First, Title III places a high bar for applications to engage in wiretapping, so that it is more of an exception than a rule, to be used only in serious cases. Second, it imposes strict limits on using the fruits of surveillance, and third, it requires that the public be informed on a yearly basis about the number and type of government wiretaps.
Other statutes concerned with classified information also find ways of informing the public while maintaining basic secrecy. For example, the USA Freedom Act, passed in 2015 to reform the intelligence community, requires that significant decisions of the FISA Court either be published in redacted form or be summarized in enough detail to be understood by the public.
These principles provide a roadmap that can be used to prevent government from unnecessarily undermining our digital security. Here are a few areas where EFF is working to craft these new rules:
It’s no secret that governments look for vulnerabilities in computers and software that they can exploit for a range of intelligence and surveillance purposes. The Stuxnet worm, which was notable for causing physical or “kinetic” damage to its targets, relied on several previously unknown vulnerabilities, or “zero days,” in Windows. Similarly, the FBI relied on a third party’s knowledge of a vulnerability in iOS to access the contents of the iPhone in the San Bernardino case.
News reports suggest that many governments—including the U.S.—collect these vulnerabilities for future use. The problem is that if a vulnerability has been discovered, it is likely that other actors will also find out about it, meaning the same vulnerability may be exploited by malicious third parties, ranging from nation-state adversaries to simple thieves. This is only exacerbated by the practice of selling vulnerabilities to multiple buyers, sometimes even multiple agencies within a single government.
Thanks to a FOIA suit by EFF, we have seen the U.S. government’s internal policy on how to decide whether to retain or disclose a zero day, the Vulnerabilities Equities Process (VEP). Unfortunately, the VEP is not a model of clarity, setting out a bureaucratic process without any substantive guidelines in favor of disclosure, More concerning, we’ve seen no evidence of how the VEP actually functions. As a result, we have no confidence that the government discloses vulnerabilities as often as claimed. The lack of transparency fuels an ongoing divide between technologists and the government.
A report published in June by two ex-government officials—relying heavily on the document from EFF’s lawsuit—offers a number of helpful recommendations for improving the government’s credibility and fueling transparency.
These proposals serve as an excellent starting point for legislation that would create a Vulnerabilities Equities Process with the force of law, formalizing and enforcing a presumption in favor of disclosure. VEP legislation should also:
- Mandate periodic reconsideration of any decision to retain a vulnerability;
- Require the government to publish the criteria used to decide whether to disclose;
- Require regular reports to summarize the process and give aggregate numbers of vulnerabilities retained and disclosed in a given period;
- Preclude contractual agreements that sidestep the VEP, as in the San Bernardino case, where the FBI apparently signed a form of non-disclosure agreement with the “outside party.” The government should not be allowed to enter such agreements, because when the government buys a zero day, we should not have to worry about defending ourselves from a hostile state exploiting the same vulnerability. If tax dollars are going to be used to buy and exploit vulnerabilities, the government should also eventually use them to patch the security of affected systems, with benefits to all.
Above all, formalizing the VEP will go a long way to reassuring the public, especially members of the technology industry, that the U.S. government takes its commitment to strengthening digital security seriously.
Item 2: Preventing Disproportionate Use of Government Malware and Global Hacking Warrants