A Framework for Government Hacking in Criminal Investigations

Since the first crypto war of the 1990s, governments have occupied themselves with the perceived and real challenges for law enforcement which arise from encryption technologies. While encryption enables secure communications that are vital for society, the economy, and the government itself, it can also be used by criminals to easily hide their communication and certain data from law enforcement. The FBI refers to the so-called “going dark” challenge as “a real and growing gap between law enforcement’s legal authority to access digital information and its technical ability to do so” -- even though law enforcement seems to not have assessed this issue thoroughly. Over the years, there have been numerous proposals to tackle this purported issue, such as government-mandated backdoors, a weakening of encryption standards, and direct access. This debate has recently been reinvigorated by the simultaneous publication of reports by the National Academy of Sciences - Engineering - Medicine (NAP) and the EastWest Institute (EWI). The NAP report laid out a broad range of questions by which any proposed encryption policy should be tested; the EWI focused instead on the pros and cons of “lawful hacking” and design mandates.

While there is a great variety of perspectives and opinions on the alleged “going dark” problem, most experts still agree on the fundamental point that strong encryption is the basis for secure digital communications, and weakening encryption, or requiring providers of encrypted products or services to redesign their offerings in order to facilitate government access, weakens security. A leaked 2009 US National Security Council document described encryption as the best defense to protect data, and warned that government and private sector systems were subject to attacks because of cryptography’s slow deployment. Several countries, among them Germany and the United States, have taken to enabling law enforcement to conduct investigations via hacking tools -- referred to as “government hacking,” “lawful hacking,” or “equipment interference” -- in order to access encrypted communications, pierce through anonymity-enabling technologies such as The Onion Router (TOR), or possibly even to avoid more tedious legal procedures to access information (e.g. through Mutual Legal Assistance Treaties – MLATs).

Governments view hacking as a partial alternative to regulating encryption. It is sometimes presented as a compromise between taking no action and mandating encryption backdoors. While government hacking might indeed be a partial solution to the purported going dark challenge, it is no panacea. It still has serious shortcomings that pose serious threats to human rights, privacy, IT security, and ultimately national security. Stockpiling certain vulnerabilities, for example, might make government hacking more effective, but at the same time it may keep systems vulnerable which can be exploited by criminals and state-backed attackers. When it comes to privacy concerns, government hacking can be extremely invasive and have unanticipated consequences, resulting from the vast amounts of multimedia data, communications, connected (Internet-of-Things) devices and sensors, all of which can potentially be accessed by law enforcement agencies during a government hacking operation.

Government hacking raises the following risks:

• Creating a government hacking industry and driving vulnerability markets;
• Potential loss of exclusive control by government over its hacking tools;
• Subverting (IT-)security, e.g. compromising communication infrastructure;
• Decreasing user trust, e.g. in IT-companies;
• Broadly targeting a large amount of highly private information;
• Hacking innocent users as “collateral damage” of hacking campaigns;
• Through chilling effects decreasing freedom of expression;
• Potential loss of integrity of electronic evidence;
• Extraterritorial implications;
• Liability concerns.

This paper suggests a minimum standard for how governments should behave when hacking. These underlying requirements attempt to address investigatory needs, human rights, privacy rights, IT security, and national security. These requirements are categorized into more general “structural” recommendations to govern a state’s government hacking program, and “operational” recommendations to govern the conduct of government hacking. The minimum standard for government hacking operations suggested in this paper through operational and structural requirements does not solve all above mentioned challenges but aims to substantially mitigate their potential negative impact.

Structural requirements form the pillars of a basic framework for government hacking:

1. Establish a legal framework for government hacking.
2. Foster research on encryption and government hacking workarounds.
3. Set up a capacity building program.
4. Implement guidelines for handling digital evidence.
5. Establish an interagency dialogue.
6. Limit government hacking to serious crimes.
7. Implement transparency reporting.
8. Define binding requirements for vendors of government hacking tools.
9. Establish a national vulnerability assessment and management process.

Operational requirements define how government hacking should be conducted:

• Requirements for a predictable framework such as handling of privileged communication and compelling third-party assistance.
• Requirements to maintain a high level of security and privacy, such as securing government hacking tools and vulnerabilities with state-of-the-art measures.
• Requirements for prior judicial oversight, such as required warrants.