Picture the following scenario: in order to investigate the activities of a criminal organization, policemen buy from a technology company a computer virus that attacks the smartphones and notebooks used by the investigated parties. The virus allows for a real-time infiltration in the communications and logs made by the individuals, it sends their location in real time and gives remote access to all data stored on the device. Is it past, present or future? Present. What seemed like science fiction is, today, a reality in the offices of several investigation and intelligence authorities.

These authorities have increasingly dedicated themselves to the development of new investigation capacities, above all in face of the fast-paced advancement of communication and information technologies. The argument is simple: if the use of such technology serves for the practice of evil doings and represents new obstacles for investigation tactics, then the State needs to expand its surveillance capacities to keep the efficiency of criminal prosecution.

In the digital context, this goes through developing hacking capacities, a term that refers to the manipulation activities of computer programs, data, systems, networks, and devices without the permission or knowledge of the user. [1] The expansion of these capacities is a global tendency: over the last few years, countries like Russia, USA, Mexico, Germany and even Brasil were linked to the use of these techniques.

The ends that justify the means: what can government hacking be used for?

To understand the circumstances in which policemen are “becoming hackers”, the NGO Access Now published a report identifying which are the main purposes of government hacking and which are the techniques that serve such objectives. In a general manner, the report indicates three situations that can justify the adoption of these techniques by the State: (i) the control of expression and discourses on the Internet; (ii) inflicting damage to determined targets of the State; and (iii) the collection of information for investigation and surveillance activities.

Control of expression and discourses on the Internet: this group of actions aims to hinder or interfere in the dissemination of messages or contents. The so-called “Russian botnet armies”, allegedly used to manipulate the dissemination of information in social networks and the promotion of fake news during the American elections would be an example of this category. In it can be included activities that represent an intromission and manipulation of IP addressing parameters, technologies that allow the rewriting of messages in transit, flooding communication channels or disfiguring apps or web pages, for instance.

Inflicting damage to determined targets of the State: in this category are included, for example, cyber attacks, such as the sabotage of systems and computers controlled by States or individuals considered “enemies”. The techniques used intend to, in general, modify data or physical systems, hinder the access to services or damage devices, making them stop or fail, as it can happen when you alter the route or the target of a drone, for instance. Perhaps the most pragmatic example of this kind is Stuxnet, a worm, a malware designed by the North American and Israeli intelligence services to infect systems of nuclear plants in Iran and compromise their functioning.

Collection of information for investigation and surveillance activities: to obtain access to a target’s information (which can feed criminal investigations or intelligence activities), States have explored the known or unknown vulnerabilities of computers and systems and/or infected networks or devices with malware (like trojan horses or other kinds of spying software). This can also involve the breaching of encrypted devices, apps or messages. In some cases, the State can even press telecommunication companies to buy or develop a spying software to make it able to access all data in a device, for example. In this case, this would work as a way to get around the protection offered by end-to-end encryption in messaging applications, once the access would happen in one of the ends of the communication. In Germany, for instance, a report by the Stiftung Neue Verantwortung think tank tells the details of the Federal Police operation that hacked the app Telegram in order to access the communications of suspects in an investigation of an extreme right group.

Which are the consequences of adopting these techniques for the security and privacy of citizens?

In several countries, State surveillance activities, such as interceptions, wiretaps, and breaches of secrecy are regulated by law. However, the rules present in these legislations rarely approach government hacking.

In these activities, there is a series of new issues to be faced. In relation to privacy, for instance, hacking activities are, in general, way more invasive than “classic” surveillance measures. This is because a spying software installed in a smartphone is (or at least it can be) capable of scrutinizing all data stored on the phone: contact list, notepad, calendar, photo gallery, wallet, health information, calls, instant messages, emails, transport routes, and visited websites logs. All of these can also be followed in real time or turn on the device’s camera and microphone.

In relation to the security of networks and devices, government hacking also raises concerns. The main reason relies precisely on the exploration of system vulnerabilities — whether they are known or unknown by the trader or developer (“0-days”), whether they are known and not yet corrected (“n-days”) or, even, ones which were already corrected, but that haven’t yet been updated by users.

When exploring these vulnerabilities — by omitting their existence, for instance –, the State is no longer contributing to increasing the system’s security for everyone who uses it. Take the recent WannaCry ransomware attack, which stopped several hospitals and courts in Brazil and the world: it happened due to a vulnerability silently explored by the NSA for a long time. After it was made public, Microsoft corrected it, but not all computers were updated — facts that increased the attack’s impact.

For this reason, there are people who propose the inclusion of regulatory mechanisms that address the issue, like the “Vulnerabilities Equities Process” — the name given to decision procedures linked to state authorities to determine whether vulnerabilities found in software or hardware should be released to developers and traders to be corrected or whether they will be kept secret, available to being explored in hacking activities. It’s a hard decision between the protection of their investigation capacities and the protection of the users of the product.

What are the rules of this game? The debate on government hacking around the world

Concerns such as the mentioned above make the legal discussion on government hacking quite complex. We gathered here some of the issues that are part of the debate in three countries: the United States, Germany, and Brazil.

United States

One of the most emblematic cases of government hacking for the obtention of information in the US is “Pen Play”, the name of a child pornography portal targeted by an investigation in 2015. To end the investigation, first, the FBI got a warrant from a judge in North Carolina to seize the servers in which the portal would be hosted. After the seizure, the FBI began operating the website and got a specific court order that allows it to use hacking activities (“Network Investigative Technique warrant”). After that, it manipulated the platform in order for it to send a malware to every visitor of the page. This was the method found to discover the origin of the connections and process consumer users of the prohibited content published on the website.

The case repercuted for many reasons. The main one is a technical issue, linked to the jurisdiction. As the order authorizing the hacking activity was issued by a judge from Virginia, where the FBI is headquartered, some people argued that there would be a violation of “Rule 41” of the Federal Rules of Criminal Procedure, which prohibited federal judges from authorizing searches that extrapolated the limits of their jurisdiction.

These limits, however, no longer exist. In December 2016, the territorial restrictions were removed from “Rule 41”. With the change, judges can authorize searches and seizures for computers outside of jurisdictions if (i) the actual location of the computer is “hidden” or (ii) in an investigation for crimes of invasion and fraud of computers and systems, the investigated devices are located in at least 5 districts.

In practice, this means that a single order from a US judge can now authorize the remote access to computers anywhere in the world when they are hidden by Tor or VPN, and target not only suspects of a crime but even victims of botnet attacks, for instance.

Several NGOs have been engaged in the discussion, arguing that court orders that authorize hacking from several computers violate the Fourth Amendment to the American Constitution for not meeting the “particularity” requirement. The Challenging Government Hacking in Criminal Cases report made by ACLU, EFF and NACDL presents legal grounds to lawyers who want to challenge actions of government hacking. In an interview to InternetLab, Amie Stepanovich, of Access Now, also condemned the change.

Germany

While in the US there isn’t a yet a legal framework that deals with the cases of government hacking, in Germany the Legislative Branch has already regulated the issue. On June 22nd of this year, the German Parliament approved amendments to the country ‘s code of criminal procedure that expand the possibilities of “virtual infiltrations” in computers and smartphones by public security authorities of the State.

The reach of “online search” measures (Online-Durchsuchung), through which one can access all communications, data, and features of a device, and also the measures of “telecommunications interception at the source” (Quelle-Telekommunikationsüberwachung), through which electronic conversations can be monitored in real time before they are encrypted were expanded.

In Germany, “online searching” was already allowed to prevent terrorist, extreme danger, and risk of death crimes. Now, with the changes in the legislation, its use is allowed for the prevention and repression of diverse serious crimes but categorized as “common” (child pornography, drug trafficking, homicide, tax evasion, fraud in asylum requests, treason, among others).

Experts consider that the amendments are in disagreement with decisions of the German Federal Constitutional Court. In 2008, the court pondered that hacking activities raise concerns that go beyond the secrecy of communications and privacy. From provisions that protect dignity and freedom in the German Constitution, the court concluded that there is a fundamental right to the reliability and the integrity of computer systems. Due to this, as it once again confirmed in a 2016 decision, infiltrations are admissible only in the case of serious crimes against life and before rigorous safeguards. [2] These orientations were not respected in the approved law.

Brazil

The current legislative framework enforced to government hacking in Brazil (or the lack thereof) is revealed by the State Surveillance of Communications in Brazil report, made by InternetLab.

The report determined that several Brazilian authorities have already tried to support the use of malware for surveillance in the Law of Interceptions (Law n. 9.296/96). The problem is that Law n. 9.296/96 regulates the access to prospective information, that is, to calls or electronic communications of a target from the moment in which the investigation is initiated, and for a limited period of days. In the case of the malware invasions, the authorities might have access to all the data stored on the devices, including everything that is done and stored on apps installed on the device. The enforcement of this law is, therefore, inadequate, as pointed by other experts. [3]

The Law of Criminal Organizations (Law n. 12.850/13), in turn, authorizes, “in any phase of the criminal persecution”, the infiltration of policemen as a means of obtaining evidence in investigations against criminal organizations (art. 3, VII). The measure is only admitted when there are indications of this criminal infraction, that is, the framing of a criminal organization, and indispensability of the means of evidence (art. 10, paragraph 2). It also depends on a representation of the Chief of Police or a request by the Public Attorney’s Office and a judicial authorization, which imposes its limits (art. 10, caput). The requests should demonstrate the necessity of the measure, the reach of the agents’ tasks and, when possible, the names of the investigated parties and the place of the infiltration (art. 11). In any moment, however, the law specifically deals with virtual infiltrations by investigative authorities — effectively of hacking. Therefore, it is not clear whether it can be used as a legal ground for measures of this nature.

On May 8th 2017, the Federal Law n. 13.441, which alters the Child and Adolescent Statute (Law n. 8069/1990) came into effect. It includes a specific section on the infiltration of police agents on the Internet for the investigation of crimes against the sexual dignity of the child and the adolescent. The infiltration can be made through a request by the Public Attorney’s Office and depends on a reasoned judicial authorization. It can only occur if the evidence cannot be obtained through other legal means and has a maximum duration of 90 days, renewable until the maximum deadline of 720 days when the effective need is demonstrated. The text, however, does not define what is understood as “infiltration”. Thus, there is no clarity if this infiltration would regard the action on social networks, groups, and online forums, for example, or if it could also be used to justify the use of devices as spyware by the investigative authorities.

Not everything can be possible: the law and the limits of government hacking

This scenery of uncertainties should be urgently corrected in Brazil. In a hearing for the discussion of cryptography and WhatsApp blocks, technicians incentivized the Brazilian security authorities to get modernized: to adapt themselves to a reality in which the usage of cryptography is ordinary. Among the mentioned alternatives, the possibility of “hacking” investigated parties for the gathering of evidence was discussed. For this measure to be applied respecting the fundamental rights, an informed public debate resulting in a rigorous treatment of the theme and respecting the constitutional protections is crucial.

On its report about government hacking, the NGO Access Now defends, based on the International Principles on the Application of Human Rights to Communications Surveillance, that its regulation should go through the imposition of limits that safeguard human rights, such as:

— it can only be used within clearly specified circumstances by law;

— sought information should be previously established and the tools used to obtain it should be able to capture only this information;

— it can only be justified if it meets the requisites of necessity, adequacy and proportionality, specifying why the hacking is necessary, which tools and means and where they will be used, for how long;

— it should be carefully approved by an independent authority (like a judge), who is aware of the details of the operation and the risks of unintentional consequences.

In Italy, a bill that aims to establish clear rules and limitations for the possibilities of using government hacking techniques is being discussed. The bill includes several provisions that dialogue with the logic of protecting the human rights in this context, as for example: (i) it establishes that the use of this activities should be connected to the investigation of specific crimes and for a determined time, avoiding that a diversion of purpose by the State happens; (ii) it demands the maintenance of security, secrecy and integrity of the collected data and information; and (iii) it preserves the differentiated treatment that is granted to searches applied in the digital context, which can be much more invasive that searches made in the physical world.

With the quick advance of the usage propositions of hacking activities by the State and the development of these capacities by the authorities, it is necessary to think about regulatory instruments that make its use more compatible with the protection of human rights, inside and outside the Internet.

[1] Definition adapted from the version given by the NGO Access Now.

[2] See MENDES, Gilmar Ferreira; PINHEIRO, Jurandi Borges. “Interceptações e privacidade: novas tecnologias e a Constituição”. In: MENDES, Gilmar Ferreira; SARLET, Ingo Wolfgang; COELHO, Alexandre Zavaglia P. (coord.). Direito, Inovação e Tecnologia. Volume 1. São Paulo: Saraiva, 2015, pp. 231-250, p. 237-40.

[3] See MENDES, Laura Schertel, “Uso de softwares espiões pela polícia: prática legal?”, Jota, published on June 4th 2015, available at http://jota.info/uso-de-softwares-espioes-pela-policia-pratica-legal, Acessed on: 03.08.15. Mendes highlights that the infection of electronic devices by trojan horses is capable of uncovering all information stored on the device. This goes beyond the interception of in transit communications, a restriction ruled by the Law of Telephonic Interceptions. He also emphasizes that, in Germany, the analysis of the constitutionality of this kind of procedure made the German Constitutional Court conclude for the existence of a fundamental right for reliability and integrity of computer systems. See also MENDES, Gilmar Ferreira; PINHEIRO, Jurandi Borges. “Interceptações e privacidade: novas tecnologias e a Constituição”. In: MENDES, Gilmar Ferreira; SARLET, Ingo Wolfgang; COELHO, Alexandre Zavaglia P. (coord.). Direito, Inovação e Tecnologia. Volume 1. São Paulo: Saraiva, 2015, pp. 231-250, p. 237-40 (arguing that in face of “the inexistence of a specific law on the matter and the express insufficiency of the Law n. 9.296/96 provisions, the illegal infiltration in personal computers is of difficult conformation with the constitutional guarantee of the right to privacy”).

By Dennys Antonialli and Jacqueline de Souza Abreu

Translation: Ana Luiza Araujo