The Obama administration has apparently decided not to support exceptional access proposals that would provide law enforcement with the means to access data on iPhones and other personal devices.
As I argued previously on Just Security, instead of pursuing exceptional access, policymakers should seek to build a durable legal structure that would provide the FBI with the authority, under appropriate oversight, to exploit software vulnerabilities. Because these vulnerabilities already exist, lawful hacking, as this is sometimes called, can help get law enforcement what it needs without introducing the additional security risks associated with exceptional access. It is worth revisiting this issue now that the administration has seemingly reached a decision regarding its encryption policy.
The law scholars I have subsequently spoken with disagree about whether the legal structure exists today to support lawful hacking. Although there are a few excellent treatments of the subject (for example, here and here), the issue seems to me to be under-examined.
But putting the legal questions aside, I want to highlight two other outstanding issues that require further consideration in order to put lawful hacking on a sound footing.
First, growing use of lawful hacking may limit transparency into law enforcement activities. We’ve now built a significant infrastructure around providing transparency into the scope and types of government requests for data. One of the primary mechanisms for this is company transparency reports. The current level of transparency into government data requests will decrease if law enforcement authorities resort to lawful hacking. Consider the obvious case of Apple, which began releasing transparency reports in 2013 that include requests for device information. Now, imagine that the FBI develops the means to hack into encrypted data sitting on an iPhone, a capability it might deploy after getting a warrant. When the FBI uses this capability, that activity will never be documented in Apple’s transparency report, as it would have been previously.
We know from publicly released documents and official statements that the FBI is using malware and other hacking tools, but we have no insight into the frequency or scope of use. For example, a 2013 letter from Assistant Attorney General Mythili Raman to the chair of the Advisory Committee on the Criminal Rules argued that it was increasingly common for law enforcement authorities to require remote access to a target’s computer in cases where the location of the computer is unknown. We also know (see here, here, and here) the FBI has used remote access tools for these purposes. We just don’t know how often it has done so.
Second, lawful hacking capabilities might be more likely to be abused than more traditional law enforcement tools. This is because, even if we establish the appropriate legal standards to govern this activity, there will almost certainly be fewer external checks to ensure those standards are met. Lawful hacking cuts the relevant company out of the process law enforcement must use to gain access to data. To state the obvious, companies will therefore not do any due diligence on data access requests. More importantly, because there will be no company to vet court orders, hacking could obviate the practical need (but not the legal requirement) to get court approval in the first place. This means that law enforcement authorities can more easily execute remote searches without getting search warrants at all. Further, targets may also be less likely to know they are the subjects of lawful hacking and may therefore be unable to challenge the validity of these searches.
To prevent such abuse, lawful hacking may require a much more sophisticated compliance regime on the order of that which exists at the National Security Agency (NSA) today. We’ve learned over the last two years that NSA does have a robust compliance program to govern its expansive intelligence collection (check out these very detailed NSA reports to the President’s Intelligence Oversight Board to see this compliance program in action). While some might still question the effectiveness of that program, the public at least has a lot of information upon which to judge its strengths and weaknesses. In comparison, we don’t have nearly as much insight into the strength of the FBI’s compliance program.
These two issues regarding transparency and compliance are solvable if we start examining them now, rather than after sophisticated lawful hacking capabilities are already in place. We might, for example, consider legislation establishing reporting requirements that substitute for any loss of insight from companies’ transparency reports.
In raising these issues here, my intention isn’t to further constrain law enforcement activities. I am in fact quite weary of those who would whittle away at law enforcement capabilities from every angle in pursuit of ideological ends. Rather, I hope to simply identify additional pieces necessary to place lawful hacking within a durable framework. In recent press accounts, it was reported that the administration is still looking for ways that law enforcement agencies can work with the tech industry to address public safety concerns. Lawful hacking offers just such an opportunity. It raises a lot of tough, complex policy challenges that have yet to be resolved, only two of which I’ve discussed here. But those challenges may be more tractable than the binary choice presented by the exceptional access debate.