WASHINGTON—We already know that law enforcement agencies can hack our phones. But we don’t know what they find, how they find it, or even who helps them discover the information. Top cybersecurity experts and lawmakers argued about how much should be revealed at a July 11 meeting of the Congressional Internet Caucus.
“Government hacking has already happened. The question of whether it should happen is actually way past the point,” said Harley Geiger, director of public policy at Rapid 7, an Internet security company.
Geiger and others cited the FBI-Apple encryption dispute as a troubling example. Apple refused to help the FBI unlock the iPhone belonging to one of the terrorists involved in the December, 2015 attack in San Bernardino, California. The agency sued Apple, then dropped the lawsuit when it used a third party to crack the passcode in the phone instead. The issue of whether law enforcement should be able to take advantage of vulnerabilities remains unresolved, and government hacking is still unregulated.
Phone hacking is not like wire-tapping
Rapid 7’s Geiger contended that phone hacking couldn’t be lumped with wire-tapping, a longstanding surveillance method. “Hacking is fundamentally different from things like traditional wiretaps,” Geiger said, in part because of the greater potential for harm. “With hacking you need to expect system failures and damages to computers that you are hacking,” he pointed out.
Geiger also criticized the FBI for not disclosing the source or methods used to hack into the iPhone, saying the silence may put other iPhones in danger. “We think the process needs to be qualified and transparent so that society can have a better understanding and open discussion on what the criteria should be,” he said.
Kurt Opsahl, deputy executive director of the Electronic Frontier Foundation, agreed. If people don’t know about the vulnerabilities, Opsahl cautioned, they can’t take precautions. Criminals looking for vulnerabilities might find the backdoors and exploit them, he added.
The official position of the Obama Administration appears cautious. There are federal guidelines for determining whether the government should disclose so-called “zero day” vulnerabilities to the at-risk companies or individuals—or the public generally, In a June paper, cybersecurity experts Ari Schwartz and Rob Knake of the White House National Security Council recommended fixes to those guidelines.
“Some individual … decisions must remain classified,” they wrote, “but the high-level criteria that informs disclosure or retention decisions should be subject to public debate and scrutiny.” The authors recommended more transparency. “Public and official release of information about the process with clear oversight would increase public confidence in the program,” they concluded.
Safety over secrecy
Heather West, senior policy manager of the tech nonprofit Mozilla, said her company wants the information because “no matter who found the vulnerabilities, we want to tackle the problem.”
West urged user safety over issues of secrecy. “At the end of the day, if we can fix this problem, the Internet is safer,” she said. “Given the user base, that is a huge impact.”