On April 5, CIS and Mozilla hosted the final event in a series of discussions designed to identify and debate important policy issues related to the practice of government hacking. This event focused on evidentiary issues and court disclosure of vulnerabilities. Participants included a computer security researcher, a federal public defender, and a judge. The following summarizes the issues discussed during the event.
When law enforcement remotely accesses and searches computers, it presumably does so to collect evidence for use in criminal prosecutions. Doing so, however, raises evidentiary and procedural questions that have gone relatively underexplored in policy debates over government hacking.
How can we ensure that judges understand enough about how a hacking tool works to meaningfully authorize and oversee its use and ensure it complies with the law? Are the details of hacking techniques material to the case? If so, does the defendant have a right to obtain those details in discovery? If yes, can protective measures uphold that right while letting the case move forward, or will dismissal sometimes be more appropriate? What about the vendor and its users, who will not get notice of vulnerabilities exploited by investigators? If a presumption of disclosure evolves, what does that mean for government hacking’s robustness as an investigative tool?
In recent years, the Federal Bureau of Investigation (FBI) has used “network investigative techniques” (NITs) on at least two occasions to identify computer users masking their IP addresses by using the Tor web browser. In one, the FBI deployed a NIT against visitors to the “Playpen” child-pornography server that it had seized.
The Playpen operation has spawned well over a hundred prosecutions nationwide. In dozens of them, the defendants have challenged the use of the NIT, seeking (with varying degrees of success) to exclude evidence derived from the NIT and to compel the government to disclose details of how it worked. As panelist Nicholas Weaver has explained, the NIT comprises several components, two of which the government refuses to disclose to defendants: the vulnerability and the exploit.
Law enforcement may use hacking not only to identify a computer user, but also for other purposes such as: (1) to collect evidence stored on the computer; (2) to collect evidence going forward (through keystroke monitors, the camera, or the microphone); and/or (3) to disable functionality (such as full-disk encryption) that might impede evidence-gathering if the computer is seized. The Playpen cases don’t represent all of these goals, but they provide a framework for discussing issues that will reliably come up when prosecutors use evidence that was collected remotely. They cannot, however, resolve those issues for government hacking more generally.
How Do We Educate Courts about Government Hacking Techniques?
Courts overseeing government hacking need to understand the technique at both the investigatory stage and during a prosecution.
At the investigative phase, when applying for a warrant or other judicial authorization, investigators must explain the hacking technique to the issuing judge. Done properly, this requires an extensive search warrant declaration by a technically competent affiant. However, the Department of Justice has argued, sometimes successfully, that no warrant is needed to install a NIT to collect users’ IP addresses. And for other forms of judicial authorization, the government’s burden is lower, giving the court less opportunity to learn about and evaluate the technique.
Further, because warrants are issued ex parte, there is no opposing side to contest the government’s application, which judges often accept without question. This is a problem if the government’s account is inaccurate, misleading, or incomplete, as can happen with novel forms of surveillance (such as Stingray cell phone trackers). The Playpen NIT warrant application described the NIT accurately, but without detailing its components. It is not clear the issuing judge understood she was authorizing the FBI to (in lay terms) put malware on thousands of computers globally.
At the prosecution phase, a robust adversarial process should help educate the court and the jury. However, in the Playpen cases, prosecutors have resisted turning over some information about the hacking technique to the defense team. The government’s decisions about whether to provide certain information in discovery will constrain the court’s and the jury’s understanding of the hacking technique, and whether the evidence obtained pursuant to it can be relied on. That means disclosure in discovery is particularly important to a well-functioning court process.
Should All Information About Exploits Be Disclosed to the Defense?
The Case For Disclosure.
Defendants have asserted that the Sixth Amendment and Federal Rule of Criminal Procedure 16 entitle them to extensive information about the Playpen NIT. Revealing exploit details may lead to admissible evidence relevant to whether the government has proved its case beyond a reasonable doubt. The information could also corroborate, or rebut, a law enforcement agent’s testimony about the hacking technique. Specifically, such information could help determine whether:
flaws in the exploit code, or careless FBI execution of it, affected the integrity of data on the machine or data transmitted back to the FBI as evidence,
law enforcement deliberately exceeded the scope of the warrant, falsified data on the machine, or otherwise deceived the court,
the government’s techniques enabled subsequent unauthorized access by a third party who planted incriminating evidence—either by later re-use of the same vulnerability, or because the government’s exploit made the computer more vulnerable to hacking (both known risks of government hacking).
The Case Against Disclosure.
In the Playpen cases, the government has acknowledged that some hacking can create risks of third-party access to the defendant’s machine, but has contended (without revealing details) that this particular NIT exploit did not do so, and thus need not be disclosed to the defense. Judges have generally agreed, meeting with skepticism the theory that a third party may have planted child-exploitation images on a defendant’s machine when it is undisputed that he visited the Playpen site.
Playpen prosecutors also have argued (for example, in Darby and Gaver) that it is sufficient for them to provide the payload information (IP address and other unique identity information) and data connecting the payload to the defendant’s computer. The strength of this argument will vary depending on the particular tool in question, how it operates, and the information that hacking technique was designed to collect.
The government has also asserted a “law-enforcement privilege” against disclosure. As revealed in public filings, the government asserts that disclosure would harm the public interest by diminishing the NIT’s effectiveness in future investigations. That is, once disclosed, the flaw will be patched and the government won’t be able to use it reliably anymore. In the Michaud Playpen case, the court held that the NIT exploit details were both privileged and material to the defense. The government ultimately dropped the case. But Michaud is unusual: most courts (including that same judge in another Playpen case) have found the defense was not entitled to disclosure.
Another option is classification. After the Playpen cases began, the government, citing national security, classified parts of the NIT: “portions of the tool, the exploits used in connection with the tool, and some of the operational aspects of the tool.” Under the Classified Information Procedures Act (CIPA), which governs use of classified information in criminal proceedings, prosecutors won’t disclose classified information to defense counsel or experts unless those individuals obtain a security clearance.
Given defendants’ Rule 16 and Sixth Amendment rights, the government’s concerns about ongoing viability of its vulnerability arsenal, and courts’ limited ability to understand each remote search tool in the absence of a robust adversarial process, how should courts fairly and reliably assess the discoverability of government hacking techniques? This is a question that deserves far more scholarly attention.
Potential Solution: Protective Measures for Limiting Disclosure
Disclosure subject to protective measures would seem to provide a middle ground between the all-or-nothing “disclose or dismiss” options. The defense gets the exploit evidence, and the government gets reassurances that it will not be divulged beyond the defense team. Available protective measures include:
Restrictions on the circumstances in which the defense expert may review the exploit code: in a secure FBI facility, eyes-only (no note-taking), etc.
Issuance of a protective order (PO), prohibiting anyone who signs it from revealing information disclosed to them under the PO, except as the PO permits.
For classified exploits, the CIPA-required security clearance entails an in-depth background check for trustworthiness and stringent restrictions on information disclosure, subject to potential civil and criminal liability. (As an example, some Guantanamo detainees’ attorneys got security clearances.)
The government rejected a middle-ground approach in Michaud. It chose dismissal instead, indicating that the value to it of keeping at least this NIT absolutely secret outweighs the value of imprisoning someone accused of a heinous crime. Why deem these protective measures inadequate? The penalties for violation are steep. True, with so many Playpen cases pending, the government might think leaks more likely if dozens of defense teams review the exploit code. Yet outside experts with clearances are no less trustworthy than the FBI agents working on these cases.
Another shortcoming of this middle-ground approach is that it will not let a vendor whose product is affected learn what vulnerability the government exploited. The government explicitly wants to keep the vendor from getting the information it needs to patch the vulnerability. Thus, while POs could be an appropriate solution for accommodating defense and government interests in a court case, they would not resolve the security tradeoffs that government hacking inevitably entails.
The Future of Government Hacking
At minimum, the practice of government hacking must be accompanied by appropriate safeguards for defendants in order to constitute a valid evidence collection technique. Those safeguards must include access to information material to preparation of the defense. The Playpen cases that have considered the issue mostly have not required disclosure, but that won’t control future cases. Especially where law enforcement uses more intrusive access tools, or collects more delicate information, courts will have to determine discoverability case-by-case.
A bright-line rule for disclosure of vulnerabilities and exploits would lead to predictable, consistent outcomes in court and help the government decide when to use a particular technique, knowing a judge may order it disclosed. But agreement on such a rule currently seems unlikely. We will continue to see courts assessing discoverability, and possible dismissal in at least some cases if disclosure is ordered.
Previous events in this series explored the changes to Rule 41 of the Federal Rules of Criminal Procedure; the Vulnerabilities Equities Process; and the security risks of government hacking. Video recordings of all four events are available on the respective event pages and on CIS’s YouTube channel. We’d like to thank our panelists for taking part in this event, the Stanford Cyber Initiative for providing funding, and our friends at Mozilla for their tireless work helping to coordinate this event series.