The FBI Should be Enhancing US Cybersecurity, Not Undermining It

Susan Landau
Thursday, December 1, 2016, 11:52 AM

Published by The Lawfare Institute in Cooperation With Brookings

I believe that lawful hacking is a legitimate and necessary way for law enforcement to handle certain investigations in the Digital Age. But as Steve Bellovin, Matt Blaze, Sandy Clark, and I said in our paper, the default on using a vulnerability should be to report it. One can have exceptions just as the intelligence community does, but these should be rare and only when the potential damage to innocent people is minimal.

As we know from the Apple iPhone case, the FBI does not appear to be following such rules. Nor has it made public what its vulnerabilities equities process is. So what we have now is failure. The FBI did not report the vulnerability it used to hack into a Tor-protected child pornography site, which has now been used by nefarious sorts to deanonymize Tor communications.

This news comes out simultaneously with the changes in Rule 41, which allow the FBI to use a single warrant to hack into victims' machines no matter where they may be. We know that a single warrant was used to hack into machines in 120 nations. This was in a case investigating child pornography, one of the ugliest forms of crime.

But one has to ask: what was the FBI thinking? Today the U.S. uses a single warrant issued in the United States to hack into computers in over a hundred nations around the world. Does that legitimize Chinese hacking into the machines of protesters living in the U.S., the U.K., or elsewhere? Or the Russians, the Iranians, or the North Koreans doing the same?

The Digital Age has changed the locus of crimes and made many criminal investigations more complex. Law enforcement needs new tools to handle this, a point I made during Congressional testimony earlier this year. The FBI must learn how to conduct computer investigations without weakening the security of U.S. citizens or undermining the rule of law. We have now seen evidence that it is doing both. I'd like to believe that these terrible policies are the result of misunderstanding how law and technology interact. They should be rolled back immediately for our safety and security.

Susan Landau is Professor of Cyber Security and Policy in Computer Science, Tufts University. Previously, as Bridge Professor of Cyber Security and Policy at The Fletcher School and School of Engineering, Department of Computer Science, Landau established an innovative MS degree in Cybersecurity and Public Policy joint between the schools. She has been a senior staff privacy analyst at Google, distinguished engineer at Sun Microsystems, and faculty at Worcester Polytechnic Institute, University of Massachusetts Amherst, and Wesleyan University. She has served on various boards at the National Academies of Science, Engineering and Medicine and for several government agencies. She is the author or co-author of four books and numerous research papers. She has received the USENIX Lifetime Achievement Award, shared with Steven Bellovin and Matt Blaze, and the American Mathematical Society's Bertrand Russell Prize.