Why it matters: After 11 federal agencies, including the FBI, ICE and the Drug Enforcement Administration, failed to respond to a Freedom of Information Act request, the ACLU decided to take it a step further and sue them for breaching democratic practices. The two main issues the ACLU hopes to bring to light are the number of bystanders whose information is caught in the crossfire, and the lack of oversight these agencies have.
‘Ethical hacking’, or so it’s called, is when cybercriminals get taken down by hackers. No one is complaining when the FBI goes ruthlessly after terrorists or drug lords, but the ACLU isn’t wrong when they say “it’s impossible for the public to meaningfully determine whether and when the government should engage in hacking.” The American public has very little insight into the hacking federal agencies do.
What we do know has come from a variety of leaks and court documents. For example, last month Motherboard obtained documents that detailed how the FBI impersonated FedEx to deploy malware to catch scammers, and how they mimicked a news agency to trick a teenager into downloading malware to determine if his joke about a bomb threat was true. Wouldn’t therapy be a little more appropriate?
The FBI has also been known to use “waterhole” attacks, where they capture servers and use NITs (Network Investigative Techniques) to deploy malware on any devices that connect to those servers. It was good when they deployed the NIT on a child pornography site, slightly less so when they used it on a popular Tor website host. To be clear, none of these actions are necessarily bad, but they do highlight how the government can do whatever it wants when it comes to spying.
“Given the serious issues at stake, the public has a right to know the nature and extent of the government’s hacking activities and, importantly, the rules that govern these powerful surveillance tools. But so far, most of what we know is based on scattered news accounts.
The lawsuit demands that the agencies disclose which hacking tools and methods they use, how often they use them, the legal basis for employing these methods, and any internal rules that govern them. We are also seeking any internal audits or investigations related to their use.”
There certainly is some oversight of the application of NITs, but it’s still mostly hidden from the public.
In the warrant regarding the use of an NIT to catch a scammer, the FBI actually noted that they didn’t think they needed a warrant but got one just in case, given legal questions about the victim clicking “exit protected mode” in a Word document to trigger the attack.
Additionally, it’s a known fact that the FBI keeps several exploits under lock and key. Even assuming they use them correctly and morally 100% of the time, users’ devices remain unpatched, and there is always potential for one of these exploits to be leaked at some point. It’ll be interesting to watch the results of the lawsuit. The FBI declined to comment.