Published 20 February 2014 on Freedom to Tinker.
Governments around the world are increasingly hacking into IT-systems. But for every apparent benefit, government hacking creates deeper problems. Time to unpack 9 of them, and to discuss one unique perspective: in response to a proposed hacking law in 2008, the German Constitutional Court created a new human right protecting the ‘confidentiality and integrity of IT-systems’. The rest of the world should follow suit, and outlaw government hacking until its deep problems are addressed.
The NSA has been hacking for a while now, but the FBI, state and even local authorities also seem to be hacking at will without public accountability. Yale ISP and Chris Soghoian put together a great conference on Law Enforcement Hacking to start the discussion (video online soon). Probably because of its constitutional DNA, some law enforcement agencies in Europe have felt obliged to provide some details to the public. So in my short talk [slides pdf] I could discuss the 2010 Bredolab botnet case, as well as the 2008 German Constitutional Court ‘Bundestrojaner’ ruling (English summary, excellent case note).
In the landmark ‘Federal Trojan’ case, the German court established a constitutional right to the ‘confidentiality and integrity of IT-systems’ (recognize the c.i.a.-triad?). It held that IT-systems are a qualitatively unique space with regard to surveillance, and that government hacking is a stepping stone into further violations. IT-systems contain our most intimate and sensitive data – ‘the core of personality’ that is inviolate under art. 1 of its Constitution. As devices are increasingly networked, a successful hack also gives insight into the lives of the people you interact with. Furthermore, devices might become a one-stop shop for law enforcement as we concentrate and even structure our lives on our devices or in the cloud. The Court also reflected on the internet of things: if your future fridge has ‘general purpose’ functionality such as storage, it may fall within the new constitutional right in Germany. The Court left a possibility open for future hacking laws, but only if such laws meet the strictest legal criteria the Court has set to date. Much stricter than placing a wiretap, or searching a house.
Its rulings have had global impact before. In 1983, the German election census case created a new constitutional right to ‘informational self-determination’, providing a solid constitutional basis in Europe for data protection and the concept of consent. Interestingly, the European Court of Human Rights case-law is slowly but surely moving forward: I v. Finland (2008, para. 37-39) establishes positive obligations to ensure data security through specific legislation, and the Bernh Larsen v. Norway case (2013, para. 106) rules that ‘all data on a server’ deserves protection, not ‘only’ personal data. The fast-tracked and pending post-Snowden case may push it further.
Constitutional protection provides the normative baseline to evaluate government surveillance law, and to condemn actual practices. The Chaos Computer Club discovered a few years after the ‘Bundestrojaner’ (love that term) ruling that German authorities continued to spread malware anyway. It got hold of a Bundestrojan and reverse-engineered it (recommended read). With the Dutch Bredolab case and the comments made by the panel at the conference, a fascinating problem set emerges:
- Judicial oversight: judges face a hard or impossible task assessing the admissibility of a government hacking warrant. The hacking tools and payload of government malware are either lied about (as in Germany), sealed in court documentation, or obscured in newspeak: ‘network investigation tool’ or any other of over 20 synonyms.
- Insecure malware: the reverse-engineered German malware was in such a deplorable state that it in fact facilitated man-in-the-middle attacks on suspect and even law enforcement IT-systems. The commands to the trojan were unencrypted. All serious problems in themselves, also creating evidence issues at trial. A suspect may be able to claim someone else has placed code or data on their device.
- Bad incentives: governments get an incentive to weaken information security. Bits of Freedom launched a campaign on the role of antivirus companies, which many co-signed, asking whether they will let badly crafted government malware through. FinFisher and FinSpy are existing, deeply troubling commercial hacking toolkits that governments can get installed at ISPs. And at the conference we discussed OS software updates as an attack vector for governments. Will Microsoft, Apple or Google be forced to comply with government requests to provide backdoored updates to specific targets?
- Parallel Construction: a major issue. This occurs when, say, the NSA hacks into a target, tips a law enforcement agency, which re-creates the same evidence from a different source. At a CITP reading group, we discussed whether this had actually happened in the Silkroad/DPR case.
- Jurisdiction: when can a law enforcement agency act? What determines a sovereign territory? ‘Citizenship’, ‘ip-address block’, or can governments hack across borders? Dutch authorities used the Bredolab botnet to hack into thousands of infected machines across the internet and remotely install an unverifiable executable on them.
- Constitutional scope: if I VPN my connection to Amsterdam, even though I’m physically based in the U.S., do I lose my reasonable expectation to 4th amendment protection that I would have if the government would raid my U.S. apartment?
- Geopolitics: what about the geopolitical Pandora’s box? If you happen to hack into a foreign government system, what about reciprocity, or retaliation?
- No reliable data: we don’t have reliable data about the size of the problem. Not in aggregate, not in individual cases. Threats are systematically inflated; the size of the Bredolab botnet, for instance, easily by an order of magnitude.
- Necessity: is government malware, or hacking, even necessary? Many well-respected technologists frame the debate as “either mass surveillance, or targeted hacking”. While I agree that mass surveillance and the weakening of infrastructure are even more problematic, I think that frame is incorrect in this golden age of surveillance. Less problematic alternatives will exist: the recent takedown of Utopia, a Tor hidden service widely regarded as a Silk Road heir, employed intrusive but well-established undercover techniques.
The list doesn’t end here. The cynic and the realist would say, “it’s happening anyway, so why bother?” The simple answer is: government hacking is different from a wiretap, and so needs a specific policy response. Until the aforementioned problems are addressed and legal safeguards are in place, judges should push back, and government hacking should be considered what it currently is: illegal.