Hacking for evidence: the risks and rewards of deploying malware in pursuit of justice

Article, ERA Forum

Abstract

Law enforcement use of hacking techniques has become well established and is an inevitable consequence not only of the endemic anonymization used by computer-based criminals, but also of the increasing dominance of cloud-based computing models that challenge traditional notions of jurisdiction. Whilst recognising the many and legitimate concerns of privacy watchdogs, this article explores how and why law enforcement uses malware to target criminals who would otherwise operate with virtual impunity.


Notes

  1. Of course, these formalities vary from country to country.

  2. UNODC, [48], p. 169.

  3. An Internet Protocol (IP) address is assigned to every device connected to the Internet. Public addresses are allocated in blocks to service providers, so an address can usually be traced to the provider that holds it (and, approximately, to a country). The service provider can then be approached to identify which subscriber was using that IP address at the relevant time.

  4. This phenomenon is sometimes referred to as ‘Going Dark’ in that law enforcement is increasingly blinded and placed ‘in the dark’ by encryption and anonymization. See FBI [24].

  5. A ‘zombie’ is a computer device that has been compromised by malware so that it is under the remote control of another and can be used to perform tasks without the owner being aware.

  6. Mason [35].

  7. Carrier-Grade Network Address Translation (CGNAT) is a network management response to the exhaustion of IPv4 addresses. Behind a Carrier-Grade NAT the Internet Service Provider configures a single public IPv4 address to be shared, in some cases, by hundreds of subscribers, so that an address and a time alone no longer identify one user. See Europol [21].

  8. Ghappour [25] p. 2.

  9. One definition for malware is: “… software that is specifically designed to gain access to or damage a computer, usually without the knowledge of the owner.” Norton [37].

  10. KLS stands for ‘Key Logger System’.

  11. The affidavit of Supervisory Special Agent Murch gives a very clear and highly cogent description of this software and its application. Murch [36].

  12. Lemos [33].

  13. Brunker [7].

  14. Leyden [34].

  15. Schroeder [43] p. 179.

  16. The DEA cut short its use of this ‘tool’ in 2015. DoJ [19].

  17. It is important to note that the use of Tor is not of itself indicative of criminal intent. Indeed, the underlying onion-routing design originated at the US Naval Research Laboratory for laudable reasons and supports many legitimate uses. Further information can be found here: www.torproject.org.

  18. Cox [16].

  19. This excerpt contains references not reproduced here. Altvater [2], p. 6.

  20. FBI [23].

  21. Rule 41 of the Federal Rules of Criminal Procedure (Search and Seizure) has since been amended, as we shall see presently. Justia [29].

  22. For a discussion of such concerns see Rumold [42].

  23. Cox [14] and [15], Vitaris [50].

  24. Nodes are computers volunteered by their owners to act as relays for Tor traffic.

  25. Tor Blog [47].

  26. The number of sites taken down varies in different reports. Greenberg [28]; Tor Blog [46].

  27. Kerr and Murphy [30] p. 63.

  28. Steifel [44].

  29. The State Trojan has also been called ‘Remote Communication Interception Software’ by the German Federal Police (BKA). Bundtzen [8].

  30. Oerlemans [38].

  31. Cox [13].

  32. Vitaris [49].

  33. BBC [6].

  34. Coleman [9] p. 303.

  35. Times of Israel [45].

  36. Wikipedia [51].

  37. Regev [41].

  38. Bell [3]. NB Graymail is also used to refer to bulk spam email that was originally authorised by the recipient, but no longer wanted.

  39. See, for example: Kim [31] or ACLU [1].

  40. A good example of this is the Stuxnet case. Unknown nation-state actors produced an extremely elegant and sophisticated malware program called Stuxnet that was designed to damage centrifuges allegedly producing enriched uranium in Iran. Stuxnet was surgically and exclusively targeted against a particular process running on particular Siemens industrial controllers. However, the malware eventually ‘escaped into the wild’, its code was dissected in detail, and related malware families (including Duqu, Gauss and Flame) were subsequently discovered; those families are generally attributed to the same or associated developers rather than to ordinary criminals, but the episode shows how a tightly targeted tool, once released, cannot be recalled. For a fascinating, if slightly technical, account of the whole saga, please see Zetter [52].

  41. Zoetekouw [53] p. 1.

  42. Ghappour [25] p. 1108.

  43. Ghappour [25] p. 1114.

  44. Ghappour [25] p. 1133.

  45. Kerr and Murphy actually argue that international cooperation in these matters trumps the threat to sovereignty. ‘One government’s use of NITs to investigate crimes on the dark web is generally welcomed by other governments rather than feared.’ Kerr and Murphy [30] p. 63. But I would suggest the lack of objection is more likely a case of reluctant acquiescence to a situation over which there is little control. It is also politically easier to acquiesce and to justify a lack of objection when the matters under investigation relate to universally repugnant crimes such as paedophilia.

  46. Zoetekouw [53] p. 10.

  47. Zoetekouw [53] p. 13.

  48. Bellovin et al. [4] p. 28 Fn10 citing Krempl.

  49. CoE [12].

  50. i.e. malware that allows unauthorised access to a device.

  51. This article also appears to suggest that Cellebrite may have been using software written by hackers to remove software restrictions on Apple devices so that unapproved apps could be installed (i.e. jailbreaking tools). Cox [17].

  52. Fox-Brewster [22]. See also Goodin [26].

  53. Cornell Law School [10].

  54. Ghappour [25] p. 1075.

  55. Legislation.gov.uk [32].

  56. There is a useful summary by Big Brother Watch [5].

  57. The term ‘British Islands’ is not defined in the Act. In Schedule 1 to the Interpretation Act 1978 it is defined as the United Kingdom, the Channel Islands and the Isle of Man.

  58. It would appear, therefore, to be limited to traffic and transaction data. Metadata (data that describes other data) can often reveal the meaning of a message, and it is not clear from the wording to what extent this may be captured under an interference warrant. S100(2)(c) uses the wording ‘anything that might reasonably be considered to be the meaning (if any) of the communication or the item of information, disregarding any meaning arising from the fact of the communication or the existence of the item of information or from any data relating to that fact.’

  59. EU Parliament [20].

  60. Govt. of the Netherlands [27].

  61. Deutsche Welle [18].

  62. Corte di Cassazione [11]. See also Privacy International [39] and [40].

  63. Ghappour [25] p. 1114.

  64. The discussion here is related and restricted to matters of criminal investigation and not to military or intelligence attacks on cybersecurity or critical infrastructure.

  65. Kerr and Murphy [30] p. 67.

  66. Kerr and Murphy [30] p. 63.
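Notes 3 and 7 describe how an IP address is traced back to a subscriber and why Carrier-Grade NAT breaks that chain. The following Python script, added here as an illustration and not taken from the article or from any provider's real tooling, reconstructs sessions from a constructed CGNAT translation log (the log format, the 100.64.0.0/10 internal addresses, the 203.0.113.5 public address and the subscriber table are all invented) and answers the question an investigator actually asks: which subscribers could have been behind a given public address at a given moment? Without the source port the answer is a set of several subscribers; with the port and an accurate timestamp it collapses to one, which is why the Europol call referenced in note 7 asks for port and time to be recorded alongside the address.

```python
"""Resolve a public IPv4 address behind Carrier-Grade NAT to subscribers.

All data below is constructed for illustration; nothing here comes from a
real ISP or from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed CGNAT translation log (hypothetical one-line-per-event format):
#   <utc timestamp> <internal ip>:<port> -> <public ip>:<port> OPEN|CLOSE
# Note that public port 40001 is handed to subscriber A, released, and then
# reused by subscriber C half a minute later.
CGNAT_LOG = """\
2019-03-01T10:00:00Z 100.64.1.10:51000 -> 203.0.113.5:40001 OPEN
2019-03-01T10:00:05Z 100.64.1.11:51234 -> 203.0.113.5:40002 OPEN
2019-03-01T10:01:00Z 100.64.1.10:51000 -> 203.0.113.5:40001 CLOSE
2019-03-01T10:01:30Z 100.64.1.12:50001 -> 203.0.113.5:40001 OPEN
2019-03-01T10:05:00Z 100.64.1.12:50001 -> 203.0.113.5:40001 CLOSE
2019-03-01T10:05:00Z 100.64.1.11:51234 -> 203.0.113.5:40002 CLOSE
"""

# Constructed subscriber table: CGNAT-internal address -> subscriber record.
SUBSCRIBERS: Dict[str, str] = {
    "100.64.1.10": "subscriber-A",
    "100.64.1.11": "subscriber-B",
    "100.64.1.12": "subscriber-C",
}


@dataclass(frozen=True)
class Session:
    internal_ip: str
    internal_port: int
    public_ip: str
    public_port: int
    start: datetime
    end: Optional[datetime]  # None if still open at the end of the log


def parse_ts(ts: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_cgnat_log(text: str) -> List[Session]:
    """Pair OPEN/CLOSE events into sessions keyed on the full translation tuple."""
    pending: Dict[tuple, datetime] = {}
    sessions: List[Session] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, internal, _arrow, public, action = line.split()
        int_ip, int_port = internal.rsplit(":", 1)
        pub_ip, pub_port = public.rsplit(":", 1)
        key = (pub_ip, int(pub_port), int_ip, int(int_port))
        when = parse_ts(ts)
        if action == "OPEN":
            pending[key] = when
        elif action == "CLOSE" and key in pending:
            sessions.append(Session(int_ip, int(int_port), pub_ip, int(pub_port),
                                    pending.pop(key), when))
    # Anything never closed is treated as open until the end of the log.
    for (pub_ip, pub_port, int_ip, int_port), start in pending.items():
        sessions.append(Session(int_ip, int_port, pub_ip, pub_port, start, None))
    return sessions


def resolve(sessions: List[Session], public_ip: str, when: datetime,
            public_port: Optional[int] = None) -> Set[str]:
    """Return every subscriber that could have used public_ip at `when`.

    Without a port the result is the whole set of subscribers sharing the
    address at that instant; with the port it narrows to the one translation.
    """
    hits: Set[str] = set()
    for s in sessions:
        if s.public_ip != public_ip:
            continue
        if public_port is not None and s.public_port != public_port:
            continue
        if s.start <= when and (s.end is None or when <= s.end):
            hits.add(SUBSCRIBERS.get(s.internal_ip, "unknown-internal-address"))
    return hits


if __name__ == "__main__":
    sessions = parse_cgnat_log(CGNAT_LOG)
    t = parse_ts("2019-03-01T10:00:30Z")
    print("address only :", sorted(resolve(sessions, "203.0.113.5", t)))
    print("address+port :", sorted(resolve(sessions, "203.0.113.5", t, 40001)))
    later = parse_ts("2019-03-01T10:02:00Z")
    print("port reused  :", sorted(resolve(sessions, "203.0.113.5", later, 40001)))
```

Two practical points follow from the port-reuse rows in the sample log: a request to a provider must carry the source port seen by the remote server as well as the address, and the timestamp must be precise and in a known time zone, since the same public port can be reassigned to a different subscriber within seconds.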

References

  1. ACLU: Challenging government hacking in criminal cases (2017). Available at https://www.aclu.org/sites/default/files/field.../malware_guide_3-30-17-v2.pdf. Accessed 9 July 2018

  2. Altvater, B.J.: Combatting Crime on the Dark Web (2016). Available at http://www.ndaa.org/dyk/20161219-Dark%20Web_FINAL.pdf. Accessed 10 July 2018


  3. Bell, C.: Surveillance technology and graymail in domestic criminal prosecutions. Georgetown J. Law Public Policy 16, 537 (2018). Available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3269915. Accessed 6 March 2019


  4. Bellovin, S., et al.: Lawful hacking: using existing vulnerabilities for wiretapping on the Internet. Northwest. J. Technol. Intellect. Prop. 12, 1 (2014)


  5. Big Brother Watch: Equipment interference (14 March 2016). Available at https://bigbrotherwatch.org.uk/?s=equipment+interference. Accessed 8 July 2018

  6. British Broadcasting Corporation: Snowden leaks: GCHQ ’attacked anonymous’ hackers (2014). Available at https://www.bbc.co.uk/news/technology-26049448. Accessed 8 July 2018

  7. Brunker, M.: Judge OKs FBI hack of Russian computers (2001). Available at https://www.zdnet.com/article/judge-oks-fbi-hack-of-russian-computers/. Accessed 4 July 2018

  8. Bundtzen, S.: Why you should know about Germany’s new surveillance law (2017). Available at https://www.opendemocracy.net/digitaliberties/sara-bundtzen/why-you-should-know-about-germanys-new-surveillance-law. Accessed 5 March 2018

  9. Coleman, G.: Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous. Verso, New York (2013)


  10. Cornell Law School: Federal Rules of Criminal Procedure, Rule 41 (2018). Available at https://www.law.cornell.edu/rules/frcrmp/rule_41. Accessed 8 July 2017

  11. Corte di Cassazione: Penale Sent. Sez. 6, Num. 45486, Anno 2018 (2018). Available at www.italgiure.giustizia.it/xway/application/nif/clean/hc.dll?verbo=attach&db=snpen&id=./20181009/snpen@s60@a2018@n45486@tS.clean.pdf. Accessed 18 May 2019

  12. Council of Europe T-CY assessment report (T-CY(2013)17rev): The mutual legal assistance provisions of the Budapest Convention on Cybercrime Para 5.1.1. Conclusion 1 (2013). Available at http://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016802e726c. Accessed 10 July 2018

  13. Cox, J.: Australian dark web hacking campaign unmasked hundreds globally (2017). Available at https://motherboard.vice.com/en_us/article/4xezgg/australian-dark-web-hacking-campaign-unmasked-hundreds-globally. Accessed 5 March 2018

  14. Cox, J.: In a First, Judge Throws Out Evidence Obtained from FBI Malware (2016). Available at https://motherboard.vice.com/en_us/article/gv5yqj/in-a-first-judge-throws-out-evidence-obtained-from-fbi-malware. Accessed 5 July 2018

  15. Cox, J.: Second judge argues evidence from FBI mass hack should be thrown out (2016). Available at https://motherboard.vice.com/en_us/article/78kxkx/second-judge-argues-evidence-from-fbi-mass-hack-should-be-thrown-out. Accessed 5 July 2018

  16. Cox, J.: The FBI hacked over 8,000 computers in 120 countries based on one warrant (2016). Available at https://motherboard.vice.com/en_us/article/53d4n8/fbi-hacked-over-8000-computers-in-120-countries-based-on-one-warrant. Accessed 7 March 2018

  17. Cox, J.: Hacker dumps iOS cracking tools allegedly stolen from cellebrite (2017). Available at https://motherboard.vice.com/en_us/article/5355ga/hacker-dumps-ios-cracking-tools-allegedly-stolen-from-cellebrite. Accessed 3 July 2018

  18. Deutsche Welle: Things to know about Germany’s recent surveillance laws (2017). Available at https://www.dw.com/en/things-to-know-about-germanys-recent-surveillance-laws/a-39421060. Accessed 18 May 2019

  19. DOJ: US DoJ/OLA letter to Senator Grassley (14 July 2015). Available at https://www.judiciary.senate.gov/download/justice-department-to-grassley_-dea-spyware. Accessed 10 February 2018

  20. EU Parliament LIBE Committee: Legal frameworks for hacking by law enforcement: identification, evaluation and comparison of practices (2017). Available at http://www.europarl.europa.eu/thinktank/en/document.html?reference=IPOL_STU(2017)583137. Accessed 8 March 2018

  21. Europol: Are you sharing the same IP address as a criminal? Press release (12 October 2017). Available at https://www.europol.europa.eu/newsroom/news/are-you-sharing-same-ip-address-criminal-law-enforcement-call-for-end-of-carrier-grade-nat-cgn-to-increase-accountability-online. Accessed 28 June 2018

  22. Fox-Brewster, T.: An NSA cyber weapon might be behind a massive global ransomware outbreak (2017). Available at https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#64d7f487e599. Accessed 3 July 2017

  23. FBI: Playpen creator sentenced to 30 years. Press release (5 May 2017). Available at https://www.fbi.gov/news/stories/playpen-creator-sentenced-to-30-years. Accessed 6 July 2017

  24. FBI: Going dark (2018). Available at https://www.fbi.gov/services/operational-technology/going-dark. Accessed 16 July 2018

  25. Ghappour, A.: Searching places unknown: law enforcement jurisdiction on the dark web. Stanf. Law Rev. 69, 1075 (2017)


  26. Goodin, D.: NSA-leaking shadow brokers just dumped its most damaging release yet (2017). Available at https://arstechnica.com/information-technology/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/. Accessed 3 July 2017

  27. Government of the Netherlands: new law to help fight computer crime (2019). Available at https://www.government.nl/topics/cybercrime/news/2019/02/28/new-law-to-help-fight-computer-crime. Accessed 18 May 2019

  28. Greenberg, A.: Global web crackdown arrests 17, seizes hundreds of dark net domains (2014). Available at https://www.wired.com/2014/11/operation-onymous-dark-web-arrests/. Accessed 11 July 2017

  29. Justia: US Law Rule 41 Search and Seizure (2018). Available at https://law.justia.com/codes/us/2001/title18/app/federalru/dup1/rule41. Accessed 8 July 2018

  30. Kerr, O.S., Murphy, S.D.: Government hacking to light the dark web: what risks to international relations and international law? 70 Stan. L. Rev. Online 58 (2017)

  31. Kim, S.: Privacy international’s work on hacking (2017). Available at https://medium.com/privacy-international/privacy-internationals-work-on-hacking-153a0565e1ce. Accessed 9 July 2018

  32. Legislation.gov.uk: Investigatory Powers Act 2016 (2018). Available at http://www.legislation.gov.uk/ukpga/2016/25/contents/enacted. Accessed 11 July 2018

  33. Lemos, R.: FBI “hack” raises global security concerns (2002). Available at https://www.cnet.com/news/fbi-hack-raises-global-security-concerns/. Accessed 4 July 2018

  34. Leyden, J.: Russians accuse FBI agent of hacking (2002). Available at https://www.theregister.co.uk/2002/08/16/russians_accuse_fbi_agent/. Accessed 4 July 2018

  35. Mason, J.: Are VPNs legal in your country? Thebestvpn.com (2018). Available at https://thebestvpn.com/are-vpns-legal-banned-countries/. Accessed 11 July 2018

  36. Murch, R.S.: FBI files brief on Scarfo Keylogger (2001). Available at https://yro.slashdot.org/:story/01/10/10/161256/fbi-files-brief-on-scarfo-keylogger. Accessed 4 July 2018

  37. Norton.com: Malware (2017). Available at https://us.norton.com/internetsecurity-malware.html. Accessed 28 June 2017

  38. Oerlemans, J.: Hacking without a legal basis (2014). Available at http://leidenlawblog.nl/articles/hacking-without-a-legal-basis. Accessed 20 November 2016

  39. Privacy International: Italy’s Supreme Court decision limits hacking powers and applies safeguards (2 November 2018). Available at https://www.privacyinternational.org/blog/2423/italys-supreme-court-decision-limits-hacking-powers-and-applies-safeguards. Accessed 18 May 2019

  40. Privacy International: Privacy International’s analysis of the Italian hacking reform, under DDL Orlando (2017). Available at www.privacyinternational.org/sites/default/files/2018-01/PI_hacking_DDL%20Orlando.pdf. Accessed 18 May 2019

  41. Regev, D.: WhatsApp’s security breach: made in Israel. implemented worldwide (17 May 2019). Deutsche Welle. https://www.dw.com/en/whatsapps-security-breach-made-in-israel-implemented-worldwide/a-48740524

  42. Rumold, M., Playpen: The story of the FBI’s unprecedented and illegal hacking operation (2016). Available at https://www.eff.org/deeplinks/2016/09/playpen-story-fbis-unprecedented-and-illegal-hacking-operation. Accessed 7 March 2018

  43. Schroeder, S.: The Lure (2012). Course Technology, Boston


  44. Steifel, K.: Bundestrojaner geknackt Wiener Zeitung (10 October 2011). Available at https://www.wienerzeitung.at/themen_channel/wz_digital/digital_news/403092_Bundestrojaner-geknackt.html. Accessed 8 July 2018

  45. Times of Israel: Israel reached out to US hackers for ‘Zero Days’ tools (2016). Available at https://www.timesofisrael.com/israel-reached-out-to-us-hackers-for-zero-days-exploits/. Accessed 30 June 2018

  46. Tor Blog: Did the FBI pay a university to attack Tor users? (11 November 2015). Available at https://blog.torproject.org/did-fbi-pay-university-attack-tor-users. Accessed 11 July 2017

  47. Tor Blog: Tor security advisory: “relay early” traffic confirmation attack (30 July 2014). Available at https://blog.torproject.org/tor-security-advisory-relay-early-traffic-confirmation-attack. Accessed 11 July 2017

  48. UNODC: Comprehensive study on cybercrime (2013). Available at https://www.unodc.org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf. Accessed 6 June 2018

  49. Vitaris, B.: Australian DarkWeb pedo site admin sentenced to 35 years in jail. www.deepdotweb.com (11 August 2015). Available at https://www.deepdotweb.com/2015/08/11/australian-darkweb-pedo-site-admin-sentenced-to-35-years-in-jail/ Accessed 5 March 2018

  50. Vitaris, B.: Third judge rules FBI’s playpen warrant invalid. www.deepdotweb.com (29 September 2016). Available at https://www.deepdotweb.com/2016/09/29/third-judge-rules-fbis-playpen-warrant-invalid/. Accessed 11 July 2016

  51. Wikipedia: Hacking team (2018). Available at https://en.wikipedia.org/wiki/Hacking_Team. Accessed 11 July 2018

  52. Zetter, K.: Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (2014). Crown Publishers, USA


  53. Zoetekouw, M.: Ignorantia Terrae Non Excusat Conference Paper Crossing Borders: Jurisdiction in Cyberspace Conference (March 2016). Available at https://c.ymcdn.com/sites/www.iisfa.net/resource/resmgr/Slide_seminari/Convegno_Milano/c-mzoetekouw-ignorantia-terr.pdf. Accessed 12 July 2018


Correspondence to Steven David Brown.


Cite this article

Brown, S.D. Hacking for evidence: the risks and rewards of deploying malware in pursuit of justice. ERA Forum 20, 423–438 (2020). https://doi.org/10.1007/s12027-019-00571-z
