SAYAKO QUINLAN AND ANDI WILSON A BRIEF HISTORY OF LAW ENFORCEMENT HACKING IN THE UNITED STATES SEPTEMBER 2016 About the Authors About the Cybersecurity Initiative The Internet has connected us. Yet the policies and Sayako Quinlan is a former intern at New America's debates that surround the security of our networks are Cybersecurity Initiative, where she researched incidents too often disconnected, disjointed, and stuck in an around government hacking and the landscape for unsuccessful status quo. This is what New America’s cyber capacity building. She is a junior at Georgetown Cybersecurity Initiative is designed to address. Working University's School of Foreign Service, majoring in Science, across our International Security program and the Open Technology, and International Affairs with a concentration Technology Institute, we believe that it takes a wider in Business Growth and Development. She is pursuing a network to face the multitude of diverse security issues. career in cybersecurity. We engage across organizations, issue areas, professional fields, and business sectors. And through events, writing Andi Wilson is a policy analyst at New America’s Open and research, our aim is to help improve cybersecurity in Technology Institute, where she researches and writes ways that work—for the countries, for companies and for about the relationship between technology and policy. individuals. With a specific focus on cybersecurity, Andi is currently working on issues including encryption, vulnerabilities Our work is made possible through the generous support equities, surveillance, and internet freedom. of the William and Flora Hewlett Foundation, the Arizona State University, Microsoft Corporation, Symantec Inc., The Acknowledgments Home Depot, Endgame Inc., and Facebook. The authors appreciate the help and support of New About New America America's staff, especially Emefa Agawu, Ethan Walker, Kayla Cross, Rob Morgus, Laura Bate, Ian Wallace, Robyn New America is committed to renewing American politics, Greene, Alison Yost, Kevin Bankston, and Ross Schulman. prosperity, and purpose in the Digital Age. We generate big ideas, bridge the gap between technology and policy, and curate broad public conversation. We combine the best of a policy research institute, technology laboratory, public forum, media platform, and a venture capital fund for ideas. We are a distinctive community of thinkers, writers, researchers, technologists, and community activists who believe deeply in the possibility of American renewal. Find out more at newamerica.org/our-story. Contents Introduction 2 Hacking the Mob with Keyloggers 3 Hacking a Bomb Threat with CIPAV 4 One Court Pushes Back on a Hack 5 Hacking the Onion Router 6 Hacking the San Bernardino iPhone 8 The Future of Hacking 9 Notes 11 INTRODUCTION Hacking by law enforcement has been front page evaluating policy options to address the issue: news since the FBI purchased a tool to bypass the what procedural and substantive standards must security of an encrypted iPhone while investigating be met when the government seeks authorization the San Bernardino shooting. However, this type to hack? Under what legal authority can this type of hacking is nothing new: it has been over fifteen of hacking be authorized? Could the hack damage years since the first known case of police intrusion the targeted device or infect untargeted devices? into a computer as part of an investigation.1 While How can the privacy of third parties be protected it is uncertain when this behavior began, we are when investigating a single individual? Should sure that, as of 1999, that the government had law enforcement be able to target only specific begun to use technological skills to access private individuals, or everyone that visits a particular digital networks and material in the process of website or uses a particular service? How should investigating crimes.2 Hacking methods can be as law enforcement minimize the collection of data simple as using a USB drive to install a malicious that isn’t relevant to their investigation? These are program, or tricking users into opening a phishing all critical questions, yet law enforcement has taken email, and as complex as tools that rely on very few steps to provide clear information about previously unknown or “zero-day” vulnerabilities to their procedures, tools, or tactics when it comes to allow a hacker to bypass the sophisticated security their hacking activities.4 functions of a mobile phone’s operating system. Understanding the history of government hacking Despite being a key tactic for law enforcement since is important in order to engage more people in the the turn of the century, hacking didn’t become on-going policy discussion. This paper focuses a major topic of public discussion until the San on a selection of illustrative historical cases, with Bernardino iPhone hack.3 That case received the understanding that due to the secret nature of such widespread media coverage that even the government investigations, we can only know a general public was talking about the ways that fraction of the hacking that has taken place. This law enforcement could, or could not, access the overview highlights major trends in investigative devices that we all carry in our pockets. But the hacking and will hopefully foster more inquiries repercussions of investigative hacking are unclear, into these practices by policymakers and the public. and important questions must be asked when 2 OPEN TECHNOLOGY INSTITUTE HACKING THE MOB WITH KEYLOGGERS The first known case of hacking by U.S. law the tool was akin to wiretapping and that the FBI enforcement was in an investigation into the Italian- had not obtained the proper warrant for its use.8 In American mafia. In January 1999, the FBI searched August 2001, the judge ordered the FBI to provide the New Jersey property of Nicodemo Scarfo, who more information on exactly how the keylogging was under suspicion of running an illegal gambling software worked. They responded by filing a business. When agents downloaded the contents memorandum claiming that the technology was of Scarfo’s computer, one file was encrypted, classified, and that revealing specifics would make using a program called “Pretty Good Privacy” or the keylogger useless in future cases.9 The judge PGP.5 Agents believed this to be the file containing ultimately rejected the defense’s argument to have the bookmaking information that would have that specific evidence excluded and, in March 2002, incriminated Scarfo, but it was not enough evidence Scarfo pleaded guilty.10 to arrest him.6 During the Scarfo trial MSNBC reported on a new A few months after the initial search, in the spring key logging software named “Magic Lantern” that of 1999, the FBI secured a warrant to secretly install the FBI could deliver remotely over email (unlike a Key Logger System (KLS) – technology that, as the the keylogger used in the Scarfo case which had to name would suggest, had the ability to record what be physically installed on the suspect’s computer).11 was typed into Scarfo’s computer. The FBI hoped Technology that could be installed remotely was the tool would help retrieve the password to Scarfo’s a new development, and showed a significant PGP key. advancement in the hacking strategies used by U.S. law enforcement. Although there are no publicly On May 10, 1999, after securing the key logging available warrants that describe law enforcement warrant, FBI agents snuck onto Scarfo’s property deploying Magic Lantern, there was a case in 2007 and installed the technology onto his computer. of two ecstasy manufacturers using PGP, in which After 14 days, the keylogger had collected the law enforcement used a keylogger that may have necessary data to decrypt his bookmaking file,7 and been remotely installed.12 In that same year, an even Scarfo was arrested and charged. But in a two-year newer forensic hacking tool, called CIPAV, started pretrial court fight, Scarfo challenged the legality grabbing headlines. of using the key logging software, claiming that OPEN TECHNOLOGY INSTITUTE A Brief History of Law Enforcement Hacking in the United States 3 HACKING A BOMB THREAT WITH CIPAV On May 30, 2007, a handwritten bomb threat username, registered computer name, and internet was discovered on the campus of Timberline history.15 After sending this information back High School in Washington state. The school was to the FBI, CIPAV would monitor the electronic evacuated, but no bomb was found. On June 4th, communication activity—but not the content of the an e-mail to the school warned that the school communications—of the computer for 60 days.16 district would go offline and that day, the Lacey When a computer accesses a website, the computer School District computer network was hit with a sends information about itself to the website over Denial-of-Service attack that brought down their the network to inform the website how a web computer network.13 Over the next three days, the page should display to the user. CIPAV exploits school received several bomb threats sent by e-mail this function by diverting the information that the from different accounts, all of which were traced computer sends to an FBI server.17 to a hacked server based in Italy. At the same time, a MySpace account was created under the name The FBI deployed CIPAV by impersonating an “timberlinebombinfo” and added 33 Timberline Associate Press reporter and messaging the students as friends. After each threat, the students “timberlinebombinfo” MySpace account.18 The were evacuated, but a bomb was never discovered.14 message contained a link to a fake news article Because the perpetrator was using a proxy server to which, when clicked, allowed CIPAV to access the obscure their true location, law enforcement could computer and send its information to an FBI server.19 not simply request the user’s information from At this point, CIPAV remained on the suspect’s MySpace – they had to get more high tech.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages20 Page
-
File Size-