Government hacking needs to be addressed, Yale panel says

Sophisticated computer hacking software is finding its way to law enforcement agencies around the world, and neither the courts nor Congress is ready to handle the consequences, a Yale University panel said Tuesday.
It’s the sort of technology that can infect laptops, activate personal webcams and extract data from cellphones and tablets. Yet according to experts, it is not known how many law enforcement agencies have the software, how many times they’ve used it and whether or not such actions are constitutional.
“We don’t have a secure Internet, and I think we need one,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union.
The multi-panel conference looked at the history of hacking technology, its current use by police and government groups and the legal implications. Wall Street Journal reporter Jennifer Valentino-Devries moderated the event.
Texas magistrate Judge Steve Smith told of a search warrant application for police hacking he received recently. It involved a person suspected of obtaining the password for another person’s bank card.
Investigators wanted to install “data extraction software” that would search through all the data stored on a particular computer and activate its webcam so investigators could take a photo of the computer’s user.
The problem, Smith said, was that investigators didn’t know the identity of the computer’s owner and didn’t know where the computer was located. Smith turned down the warrant request.
Georgetown University Law Center professor Laura Donahue said at least four FBI units, as well as the ATF and NSA, are using computer hacking tools. She’s identified dozens of law enforcement hacking cases around the country, from California to New York — many of them sealed from public scrutiny.
“These obviously raise Fourth Amendment concerns,” Donahue said. Often, hacking warrants seek to sift through someone’s computer for up to a month, searching for proof of criminal activity.
But Donahue and other panelists said the potential for abuse is high. What if the computer is located at an Internet cafe, a public library or a university? Do you search the activity of every person who used that computer? What if the hacking virus infects other computers in a network?
“These law enforcement techniques are stretching the bounds of statutory language and Congressional oversight,” said Stephanie Pell, a former national security prosecutor. This is particularly true when hacking software allows law enforcement to bypass Internet service providers to get at data.
“When government is accessing information directly, it is doing it invisibly,” Pell said.
There also is some question about whether evidence gathered through law enforcement hacking is always accurate. Panelists said the hacking technology sometimes provides a “back door” for other parties to manipulate the data being extracted, for example.
Such vulnerability is rampant throughout the spectrum of personal digital products, according to Matt Blaze, a computer security expert from the University of Pennsylvania.
“I have no idea how to defend these devices against outside attack,” Blaze said of cellphones.
Soghoian agreed. “Phones are just a disaster,” he said.
Meanwhile, politicians and the judiciary are struggling with the problem. As Judge Smith noted, secrecy at all levels tends to keep the issue hidden from view.
“It’s difficult for me to find out what’s going on in another district,” he said. “We’re basically crying out for authority. Tell us what to do.”