lolloj - Fotolia

Government hacking tactics questioned at OURSA

The ACLU's Jennifer Granick took government hacking to task at the OURSA Conference this week, calling out mass surveillance techniques and the limited scope of search warrants.

Jennifer Granick had harsh words at the Our Security Advocates Conference for the growing state of mass surveillance and government hacking in the United States.

Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union, took the stage at OURSA on Tuesday to discuss the state of modern surveillance and hacking performed by the U.S. government, arguing that both cross the line of traditional legal searches.

"Increasingly, modern surveillance is mass surveillance," Granick said. "We used to target people for surveillance because of their political opinions or their religion or their race. Now the mainstream is being surveilled."

This mass surveillance is not only mainstream, but it's still mostly secret from the public, Granick said. This is partially because the secrecy that covers surveillance is legal -- either by classification or the sealing of surveillance orders that is built into the legal process.

"People should care about this," Granick said, "because any issue we may care about -- be it racism, the environment, poverty and so on -- will require social change to overpower the entrenched interests. "Surveillance makes that hard because those people who are in power can use that [collected] information against activists in order to try to silence or neutralize us."

Granick cited government actions in countries such as Egypt and Ethiopia over the last few years against human rights activists. These governments were performing surveillance on activists and using that information to hack them. And government hacking is an extension of surveillance, Granick said.

It's also clear governments use hacking in this way because democratic countries are starting to pass laws that make hacking legal, such as in the United Kingdom.

"At least in the U.K. they call it 'equipment interference.' I appreciate the honesty," Granick said.

Search warrants are cutting it

The U.S. doesn't currently have specific hacking laws, though the U.S. government uses hacking for law enforcement and intelligence operations. Instead, Granick noted, the U.S. relies on the same legal process for hacking that it does for regular searches -- the warrant. While warrants are crucial, they don't cover enough ground.

"Government hacking is different from regular searches in five particular ways that the warrant requirement can't really address," Granick said.

Those ways include the amount of data being collected; the invasiveness of the techniques the government uses to hack and surveil, such as turning on the cameras and microphones on personal laptops and smart devices; and the falsification of data.

That means the incentives are misaligned with the defense, and everybody in this room knows that defense is losing.
Jennifer Granicksurveillance and cybersecurity counsel, ACLU

"If this information is being collected for criminal prosecution purposes, how can we know that the very act of accessing the computer hasn't changed the information that's there in ways that impinge upon the defendants' rights?" Granick posed. "How can the defense test that theory and see that the evidence is not altered in any way if the government insists on keeping the exploit and the vulnerability secret? It interferes with the due process rights of the defendant in the criminal justice system."

The fourth way in which government hacking is out of scope with regular search warrants is the potential cybersecurity harms.

"When you have the government as an incentivized attacker on the network, that is a very different thing from having the government be on the side of defense. That means the incentives are misaligned with the defense, and everybody in this room knows that defense is losing" when it comes to cybersecurity, Granick said. "But also there's the problem of the government losing exploits and them getting in the hands of the wrong people, as has happened with WannaCry."

Granick said another threat to cybersecurity is when the government doesn't share information about vulnerabilities or exploit with the vendors or manufacturers so that they could fix the problem.

The final problem, Granick said, is that of public trust.

"In order to serve malware, we've seen the government pretend to be an Associate Press reporter; serve up child pornography for a period of two weeks; we've seen them try to force vendors into creating malicious software updates for their products. How can the public trust the government or trust the commercial entities, the devices, the software that we deal with every day if this is going to be the way that government hacking operates?"

Dig Deeper on Security operations and management