The American Civil Liberties Union, along with Privacy International, a similar organization based in the United Kingdom, have now sued 11 federal agencies, demanding records about how those agencies engage in what is often called “lawful hacking.
The activist groups filed Freedom of Information Act requests to the FBI, the Drug Enforcement Agency, and nine others. None responded in a substantive way.
“Law enforcement use of hacking presents a unique threat to individual privacy,” the ACLU argues in its lawsuit, which was filed Friday in federal court in New York state.
“Hacking can be used to obtain volumes of personal information about individuals that would never previously have been available to law enforcement.”
In recent years, there have been a few instances when the public has learned about the government’s attempts to hack websites, including its pursuit of Freedom Hosting, a Tor-hidden hosting firm, back in 2013.
Last year, federal prosecutors dropped charges in at least two child-porn cases connected to a notorious Tor-hidden site, Playpen. As Ars has previously reported, in order to unmask Playpen’s users, federal authorities seized and operated the site for 13 days before closing it down. During that period, the FBI deployed a Tor exploit that allowed them to uncover those users’ real IP addresses. The use of Tor, which obscures and anonymizes IP addresses and browser user agents, makes tracking individuals online significantly more difficult. With the exploit, it became extremely easy for suspects to be identified and located.
The DOJ has called this exploit a “network investigative technique” (NIT), while many security experts have referred to it as “malware.” The source code of that particular exploit has been classified, making it all but impossible for the public to know precisely how it works.
Due to this secrecy, lawmakers have a hard time adequately vetting how these tools work.
As the ACLU further argues :
For example, the public does not know when law enforcement agencies believe they can use hacking without obtaining a warrant or other judicial authorization. The public does not even know whether many of the defendant agencies have internal rules or protocols governing hacking. Without more information, the public is not able to exercise meaningful democratic oversight of this new and intrusive law enforcement capability. Even criminal defendants may not be fully aware of whether the government has engaged in hacking to search their devices, nor the scope and process of those searches. This degree of secrecy creates significant opportunities for misuse and abuse.
The FBI did not immediately respond to Ars’ request for comment.