U.S. government seeking easier hacking sparks privacy debate

A government request to change federal court rules to make it easier to hack into computers during criminal investigations places a new twist in the debate over privacy rights versus fighting crime in the digital world.

The Justice Department is arguing for warrants that provide law enforcement with more flexibility in tracking down suspects using anonymizing tools, such as Tor, The Wall Street Journal reported.

The government is arguing that the number of criminals taking advantage of anonymization technologies is increasing, so law enforcement needs help in penetrating these cloaks for criminal activity. In essence, the government wants to obtain one warrant that allows it to hack one computer and use it as a springboard for searching systems it is connected to over the Internet.

For example, Tor scrambles governments' ability to identify people on the network by passing communications through many computers run by volunteers. To locate the system used by a suspect, the governments wants one warrant that would allow it to search many computers at the same time, as well as related storage, email and social media accounts.

While the government would break into computers using the same techniques as cybercriminals, such as sending carefully crafted email to get the recipient to click on a malicious attachment, the government avoids the word hacking and prefers such euphemisms as "network investigative tools" (NITs).

Authorizing law enforcement to cast such a wide net during criminal investigations concerns privacy advocates.

"We're obviously very worried about it because the government's 'network investigative tools' are really just invasive malware that should be used only in the most extreme of circumstances," Hanni Fakhoury, staff attorney for the Electronic Frontier Foundation, told CSOonline.

Giving the government to much flexibility threatens Americans' rights under the Fourth Amendment, which limits searches only to places where evidence is likely to be found, Fakhoury said. The DoJ proposal would allow "open-ended access to a whole host of information."

In addition, allowing the government to increase its use of exploits for software would hurt Internet security overall, since the malware used by law enforcement would eventually be discovered by cybercriminals.

"The more malware and exploits that are available on the market, the more everyone is exposed, regardless of whether they are criminals or not," Fakhoury said. "I would think it would be in the tech industry's best interest to be against this, as it leaves vulnerabilities exposed to the DoJ and malicious actors alike."

Al Pascual, analyst for security, risk and fraud at Javelin Strategy & Research, believes there is a middle ground. The courts could require greater specificity on what data is collected, from whom and in support of what charge, he said.

In addition, the DoJ could be required to reveal to the court the exact method it plans to use to snatch data, along with the steps being taken to minimize the gathering of information from uninvolved third parties. The government could also be required to say when and how that data would be destroyed.

"Transparency and data minimization are critical," Pascual said.

Denying law enforcement needed tools to catch criminals in the electronic world would damage society as much as going too far in compromising privacy rights.

"To deny law enforcement the ability to effectively hack criminals in the course of an investigation, because you believe that it violates privacy, would be tantamount to saying that police officers shouldn't carry firearms because you don't believe in violence," Pascual argued.

As an example of how criminals use Tor, the government submitted documents to the courts' rule-making body, called the U.S. Judicial Conference, describing an investigation of suspected child pornographers who visited a U.S. site on the network.

"In this case, law enforcement knew the physical location of the servers used to host the hidden service," the document said. "However, without use of a NIT, investigators could not identify the administrators or users of the hidden service."

While some judges have already granted warrants for hacking systems, one judge denied a government request, because of the current rules, The Journal reported.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about Electronic Frontier FoundationJavelinWall Street

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts