Law Enforcement Using and Disclosing Technology Vulnerabilities (CRS Report for Congress)
Release Date: Revised April 26, 2017
Report Number: R44827
Report Type: Report
Authors: Finklea, Kristin M.
Source Agency: Congressional Research Service
Older Revisions: April 6, 2017 (18 pages)
Summary:
There has been increased discussion about law enforcement legally “hacking” and accessing
certain information about or on devices or servers. Law enforcement has explored various
avenues to discover and exploit vulnerabilities in technology so it may attempt to uncover
information relevant to a case that might otherwise be inaccessible. For instance, as people have
adopted tools to conceal their physical locations and anonymize their online activities, law
enforcement reports that it has become more difficult to locate bad actors and attribute certain
malicious activity to specific persons. As a result, officials have debated the best means to obtain
information that may be beneficial to the administration of justice. Exploiting vulnerabilities is
one such tool.

Law enforcement’s use of tools that take advantage of technology vulnerabilities has evolved
over the years. The first reported instances of law enforcement hacking involved authorities using
keylogging programs to obtain encryption keys and subsequent access to devices. More recently,
law enforcement has been relying on specially designed exploits, or network investigative
techniques (NITs), to bypass anonymity protections of certain software. In addition, investigators
have leveraged vulnerabilities discovered in software designed to encrypt or otherwise secure
data and limit access to information.

In exploiting vulnerabilities, law enforcement may leverage previously known vulnerabilities that
have not yet been patched. Alternatively, it may develop tools to detect and take advantage of
previously unknown and undisclosed vulnerabilities. It is law enforcement’s use and disclosure of
these previously unknown vulnerabilities that has become the subject of some debate.

The Obama Administration established a process, known as the Vulnerabilities Equities Process
(VEP), to help decide whether or not to disclose information about newly discovered
vulnerabilities. The VEP is triggered whenever a federal government entity, including law
enforcement, discovers or obtains a new hardware or software vulnerability. The discussion on
whether the government, and law enforcement, should generally retain or disclose discovered
vulnerabilities lacks a number of data points that may help inform the conversation. For example,
in what number or proportion of cases does law enforcement leverage technology vulnerabilities
to obtain evidence? Are there tools other than vulnerability exploits or NITs that law enforcement
can use to obtain the same evidence, and how often are those tools utilized?

Congress may examine a range of policy issues related to law enforcement using and disclosing
vulnerabilities. For example, how does law enforcement’s ability to lawfully hack, or exploit
vulnerabilities, influence the current debate surrounding whether law enforcement is “going
dark,” or being outpaced by technology? In addition, how does law enforcement acquire the
knowledge of vulnerabilities and associated exploits? Might law enforcement consider
establishing its own (or supporting others’) reward programs in order to gain knowledge of
vulnerabilities or exploits? Given the current VEP framework, is it the most effective method for
law enforcement to use in determining whether to share vulnerability information with the
technology industry, and how might law enforcement share such information with their
multilateral law enforcement partners?