The FBI Should be Enhancing US Cybersecurity, Not Undermining It

By Susan Landau
Thursday, December 1, 2016, 11:52 AM

I believe that  is a legitimate and necessary way for law enforcement to handle certain investigations in the Digital Age. But as Steve Bellovin, Matt Blaze, Sandy Clark, and I said in our , the default on using a vulnerability should be to report it. One can have exceptions just as the intelligence community , but these should be rare and only when the potential damage to innocent people is minimal.

As we know from the Apple iPhone case, the FBI does not appear to be following such rules. Nor has it made public what its vulnerabilities equities process is. So what we have now is . The FBI did not report the vulnerability it used to hack into a Tor-protected child pornography site, which has now been  by nefarious sorts to deanonymize Tor communications.

This news comes out simultaneously with the , allowing the FBI to use a single warrant to hack into victims' machines no matter where they may be. We know that a single  was used to hack into machines in 120 nations. This was in a case investigating child pornography, one of the ugliest forms of crime.

But one has to ask: what was the FBI thinking? Today the U.S. uses a single warrant issued in the United States to hack into computers in over a hundred nations around the world. Does that legitimize Chinese hacking into the machines of protesters living in the U.S., the U.K., or elsewhere? Or hacking by the Russians, the Iranians, or the North Koreans?

The Digital Age has changed the locus of crimes and made many criminal investigations more complex. Law enforcement needs new tools to handle this, a point I made during Congressional  earlier this year. The FBI must learn how to conduct computer investigations without weakening the security of U.S. citizens or undermining the rule of law. We have now seen evidence that it is doing both. I'd like to believe that these terrible policies are the result of misunderstanding how law and technology interact. They should be rolled back immediately for our safety and security.