I believe that lawful hacking is a legitimate and necessary way for law enforcement to handle certain investigations in the Digital Age. But as Steve Bellovin, Matt Blaze, Sandy Clark, and I said in our paper, the default on using a vulnerability should be to report it. One can have exceptions just as the intelligence community does, but these should be rare and only when the potential damage to innocent people is minimal.
As we know from the Apple iPhone case, the FBI does not appear to be following such rules. Nor has it made public what its vulnerabilities equities process is. So what we have now is failure. The FBI did not report the vulnerability it used to hack into a Tor-protected child pornography site, which has now been used by nefarious sorts to deanonymize Tor communications.
This news comes out similtaneously with the changes in Rule 41, allowing the FBI to use a single warrant to hack into victims' machines no matter where they may be. We know that a single warrant was used to hack into machines in 120 nations. This was in a case investigating child pornography, one of the ugliest forms of crime.
But one has to ask: what was the FBI thinking? Today the U.S. uses a single warrant issued in the United States to hack into computers in over a hundred nations around the world. Does that legitimize Chinese hacking into the machines of protesters living in the U.S., the U.K., or elsewhere? Or of the Russian, the Iranians, or the North Koreans to do so?
The Digital Age has changed the locus of crimes and made many criminal investigations more complex. Law enforcement needs new tools to handle this, a point I made during Congressional testimony earlier this year. The FBI must learn how to conduct computer investigations without weakening the security of U.S. citizens or undermining the rule of law. We have now seen evidence that it is doing both. I'd like to believe that these terrible policies are the result of misunderstanding how law and technology interact. They should be rolled back immediately for our safety and security.