Conflict & Justice

In US, government hacking is '40 years ahead' of the language in privacy laws


National Code Pink Coordinator Alli McCracken stands with giant glasses that read "Stop Spying" as she and other protesters prepare to stage a demonstration at the office of Senate Intelligence Committee chairwoman Dianne Feinstein as protesters from Code Pink hold a demonstration to "expose her two-faced stance on spying" in the Hart Senate Office Building on US Capitol in Washington, DC, March 12, 2014.



CAMBRIDGE—By now it’s no secret: Governments are increasingly using their expanding capabilities to access people’s digital lives. Most information stored online, on digital devices or on cloud-based services can now be searched and manipulated in the name of national security.

But while hacking techniques advance, our legal definition of ‘privacy’ remains rooted in traditional, historical concepts that predate even the thought of our current digital age.

Unless the language in US legislation is adapted for new technologies, experts say people may remain largely defenseless in protecting their digital information.

“Internet security is in a pretty deplorable state,” Axel Arnbak, a Europe-based digital rights activist, told a group gathered at Harvard University’s Berkman Center for Internet and Society last Tuesday. It “is being exploited by intelligence agencies.”

Speaking at a conference on government hacking and the constitutional right to cyber-security, Arnbak laid out some of the problems government hacking presents for Internet privacy.

“The technical reality [of hacking] is 40-years ahead of the legislative debate,” said Arnbak, who is also a joint fellow at Harvard’s Berkman Center and The Center for Information Technology Policy at Princeton.

And the technical reality is not slowing down. Governments now use hacking techniques in law enforcement investigations, cyber-war, and for “ubiquitous intelligence gathering,” according to Arnbak.

While traditional wiretapping allowed the gathering of information sent between devices, governments today use hacking to search entire networks, as well as the devices that are on those networks.

The recent revelations surrounding government practices in the United States, for example, showed that government agencies could turn on a device’s built-in camera without the owner ever becoming aware.

What’s more, warrants for hacking in law enforcement are usually sealed in the US, Arnbak said, or invisible to the public, making it difficult to understand what is at stake.

In an unusual occurrence, the information surrounding one Texas case last year was open to the public, and as a result, shed some light on how the issue of privacy in government hacking is treated by the courts. In this case, the judge denied a Federal Bureau of Investigation (FBI) request to use “malware,” or virus software, while looking for an unknown suspect and an unknown device.

It was too broad a request, the district court judge found, and violated the right to privacy outlined in the Fourth Amendment.

While there is no explicitly stated right to privacy in the Constitution, the Fourth Amendment of the Bill of Rights protects “against unreasonable searches and seizures.” Still, whether this broad wording applies to Internet privacy remains unclear—and that is precisely the problem.

One indicator for how legislative language might apply in some cases could be found in the treatment of wiretapping. When Internet technology (IT) privacy first came to the courts during the early use of wiretapping, Arnbak said, the Supreme Court found that “telephone messages” were not protected by the Fourth Amendment.

However, the decision was later overturned in the 1960s, on the basis that such conversations “are not tangible and…can neither be searched nor seized.”

This discussion about whether or not US citizens have or need a constitutional right to IT privacy—intensified by leaks from former National Security Agency (NSA) employee, Edward Snowden—has really only just begun, Arnbak said.

In parts of Europe, however, where IT privacy has been a concern for much longer, the climate has moved from conversation to action. Germany, for instance, is already leading a push for more privacy protections.

In 2008, a German federal court found “a new constitutional right” was necessary to protect IT systems and information. The decision and subsequent law set a precedent, making hacking in law enforcement cases illegal, with few exceptions.

In some cases, as with Article 8 of the European Convention on Human Rights, the right to take action to protect “personal data” and “information privacy” is granted to states.

But beyond this, there is the issue of scope, or, as it was referred to at the Berkman conference, the extent of “ubiquitous intelligence gathering.”

Though having previously been limited to specific sources, the United States NSA has greatly expanded its reach in recent years. It has automated certain malware, allowing programs to operate networks of millions of infected devices, used for “tracking criminals.”

But Arnbak said that new encryption techniques and the use of mobile devices has made it difficult for governments to monitor criminals, leading only to more advancements in the government’s capabilities with no advancements for privacy protection.

Consequently, the US has seen the creation of a cyber-arms race with criminals, which ultimately, is zero-sum.

Even more questions arise when considering the role of private companies in providing security for their users.

Bits of Freedom, a Dutch digital rights group, has raised important concerns about private companies facing government hacking, or being subpoenaed for user information.

Should Microsoft or Google, for instance, let authorities target their clients? Should antivirus software companies allow governments to spy on their customers?

According to Arnbak, who is part of Bits of Freedom’s founding core, involving private vendors in government hacking can make the “whole ecosystem vulnerable to attack.”

Still, the truth remains that this terrain is relatively new for the American people, whereas Internet privacy cases emerge every six or seven years in the European Court of Human Rights (ECHR).

Perhaps there is a model to look to in Europe, then—one that might aid in the creation of proper, relevant legislation to accompany the government’s widening abilities in the US.

For a start, technology-specific legislation would limit the scope of government hacking, Arnbak said. Currently, “neutral laws” dominate technology policy. With technology-specific legislation, the government would need approval from a legislator each time it wanted to expand its reach.

Also, he suggested, including knowledgeable experts in the legislative process is key to making better laws.

Activists also have a role to play in monitoring the progress of applicable legislation. Through fact finding, taking advantage of the Freedom of Information Act (FOIA), and working with whistle-blowers, they can help to pinpoint specific areas in need of reform.

Lastly, Arnbak said, allowing outside groups to report flaws in government malware is very important.

In this digital age in which we are all eager to put everything online, it is easy for governments to “look at our lives.” It is the legal reality we face. “We even structure the information on our devices to make it accessible,” Arnbak said.

But it’s how we move forward from the ongoing revelations about government spying that will now decide the future of Internet privacy, and the road ahead, the conference concluded, must include new language in our laws.