Stanford CIS

Looking back at 2016, A Status Check on Government Hacking

By Marshall Erwin on

Last year, the ongoing encryption debate took a backseat to a steady drip of stories and developments related to government hacking. This set the stage for policy and legal innovations that are critical but that now seem unlikely to occur. As a result, we may look back on 2016 as the year we legitimized government hacking without establishing safeguards to prevent its abuse.

Before talking about the implications of that fact, it is worth walking through some of the events of the last year and taking stock of what we learned:

1. Apple iPhone Hack. In March, the Federal Bureau of Investigation (FBI) procured from a third party the means to independently hack into the iPhone of the San Bernardino attacker and access the data on that phone. The FBI then withdrew its request to compel Apple to design a unique version of the iPhone operating system that would have allowed it to unlock the phone. The Bureau subsequently said that it would not be submitting the iPhone vulnerability to the Vulnerabilities Equities Process (VEP), the Executive branch process used to determine whether to disclose or exploit product vulnerabilities. Its stated reason was that, in procuring the ability to unlock the phone, it had not obtained sufficient technical detail about the product vulnerability being exploited.

The Apple case served as a proof point for those who have argued law enforcement should exploit existing product vulnerabilities rather than seek an access mandate. It also called attention to the VEP and raised questions about how the government’s disclosure process should be applied to vulnerabilities procured from third parties.

2. Playpen Criminal Cases. The ongoing series of prosecutions resulting from the FBI’s remote hacking operation of Playpen, a child pornography website, raised questions about the admissibility of evidence obtained through hacking and about whether vulnerabilities used in hacking operations need to be disclosed in order to allow defendants to confront the evidence against them. Many judges appeared to lack the mooring to know how to tackle these questions, reaching drastically different conclusions based on analysis of the same technology, expert testimony, and points of law. Some elected to throw out evidence. One found that a warrant wasn’t even necessary for this type of remote hacking operation. We have seen some convergence more recently, and I tend to agree with those who found that evidence specifically in these Playpen cases should be admissible without requiring court disclosure of the vulnerability.

What we’ve learned more generally from these ongoing prosecutions is that answers to evidentiary questions will be very fact dependent. These questions do not appear likely to present a huge impediment to criminal prosecutions, but they will need to be adjudicated on an individual basis, and answers will vary depending on the specifics of the hacking technique. This means that in some cases vulnerabilities will need to be disclosed in court in order to protect a defendant’s rights, introducing a degree of unpredictability for law enforcement and possibly putting a product’s users in greater jeopardy.

Read the full post at Just Security.