Abstract
Law enforcement use of hacking techniques has become well-established and is an inevitable consequence not only of the endemic anonymization used by computer-based criminals, but also of the increasing dominance of cloud-based computing models that challenge traditional notions of jurisdiction. Whilst recognising the many and legitimate concerns of privacy watchdogs, this article explores how and why law enforcement uses malware to target criminals who would otherwise operate with virtual impunity.
Notes
Of course, these formalities vary from country to country.
UNODC, [48], p. 169.
An Internet Protocol (or IP) address is required for every device connected to the Internet and indicates the country of origin and the service provider involved. The service provider can then be approached to identify who was using that IP address at the relevant time.
This phenomenon is sometimes referred to as ‘Going Dark’ in that law enforcement is increasingly blinded and placed ‘in the dark’ by encryption and anonymization. See FBI [24].
A ‘zombie’ is a computer device that has been compromised by malware so that it is under the remote control of another and can be used to perform tasks without the owner being aware.
Mason [35].
Carrier-Grade Network Address Translation (CGN) is a network management response to the limited number of IPv4 addresses available. In a Carrier-Grade NAT, one IPv4 address is configured by the Internet Service Provider to apply, in some cases, to hundreds of users. See Europol [21].
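The attribution problem that the CGN note raises can be made concrete with a small simulation. The following Python is an added example, not code from the article or from Europol; the allocation log, the shared address (RFC 5737 documentation space), the private subscriber addresses (RFC 6598 shared address space), the port-block size and the timestamps are all constructed. It goes slightly beyond the note by also showing that the same public IP and port are reassigned to a different subscriber in a later window, which is why a request to a provider must carry the source port and an exact timestamp, not merely the IP address.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class NatEntry:
    subscriber_ip: str    # private (RFC 6598) address of the customer's router
    public_ip: str        # shared public address seen by the outside world
    port_low: int         # first public port of the subscriber's block
    port_high: int        # last public port of the subscriber's block
    start: datetime       # allocation window, inclusive start
    end: datetime         # allocation window, exclusive end


SHARED_IP = "203.0.113.7"  # constructed; RFC 5737 documentation range
BLOCK = 64                 # ports per subscriber in this constructed deployment
SUBSCRIBERS = 300


def build_sample_log() -> List[NatEntry]:
    """Constructed CGN allocation log: 300 subscribers share one IPv4 address
    for two one-hour windows, and the port blocks are reassigned between them."""
    t0 = datetime(2018, 7, 9, 10, 0, 0)
    t1 = t0 + timedelta(hours=1)
    t2 = t1 + timedelta(hours=1)
    log: List[NatEntry] = []
    for i in range(SUBSCRIBERS):
        sub = f"100.64.{i // 256}.{i % 256}"
        # first hour: subscriber i holds port block i
        low = 1024 + i * BLOCK
        log.append(NatEntry(sub, SHARED_IP, low, low + BLOCK - 1, t0, t1))
        # second hour: blocks are handed out in reverse order, so the same
        # public port now belongs to a different customer
        low = 1024 + (SUBSCRIBERS - 1 - i) * BLOCK
        log.append(NatEntry(sub, SHARED_IP, low, low + BLOCK - 1, t1, t2))
    return log


def subscribers_behind(log: List[NatEntry], public_ip: str, when_iso: str) -> List[str]:
    """Every subscriber using public_ip at the given instant: the most that a
    request carrying only an IP address and a time can narrow things down to."""
    when = datetime.fromisoformat(when_iso)
    return sorted({e.subscriber_ip for e in log
                   if e.public_ip == public_ip and e.start <= when < e.end})


def resolve(log: List[NatEntry], public_ip: str, public_port: int,
            when_iso: str) -> Optional[str]:
    """The single subscriber for (public IP, public port, timestamp), or None
    when no retained allocation covers that tuple."""
    when = datetime.fromisoformat(when_iso)
    for e in log:
        if (e.public_ip == public_ip
                and e.port_low <= public_port <= e.port_high
                and e.start <= when < e.end):
            return e.subscriber_ip
    return None


if __name__ == "__main__":
    log = build_sample_log()
    # IP and time alone: 300 candidates
    print(len(subscribers_behind(log, SHARED_IP, "2018-07-09T10:30:00")))
    # IP, port and time: one subscriber, and a different one an hour later
    print(resolve(log, SHARED_IP, 5000, "2018-07-09T10:30:00"))
    print(resolve(log, SHARED_IP, 5000, "2018-07-09T11:30:00"))
    # outside any retained window: no answer at all
    print(resolve(log, SHARED_IP, 5000, "2018-07-09T13:00:00"))
```

Run as a script, the first call shows that an IP address plus a timestamp still leaves three hundred customers in scope, while the two resolve calls show that the same address and port identify different subscribers an hour apart; the last call shows that once a provider's retention window has passed, the tuple cannot be resolved at all.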
Ghappour [25] p. 2.
One definition for malware is: “… software that is specifically designed to gain access to or damage a computer, usually without the knowledge of the owner.” Norton [37].
KLS stands for ‘Key Logger System’.
The affidavit of Supervisory Special Agent Murch gives a very clear and highly cogent description of this software and its application. Murch [36].
Lemos [33].
Brunker [7].
Leyden [34].
Schroeder [43] p. 179.
The DEA cut short its use of this ‘tool’ in 2015. DoJ [19].
It is important to note that the use of Tor is not of itself indicative of criminal intent. Indeed, it was invented by the US Naval laboratory for laudable reasons and supports many legitimate uses. Further information can be found here: www.torproject.org.
Cox [16].
This excerpt contains references not reproduced here. Altvater [2], p. 6.
FBI [23].
Rule 41 of the Federal Rules on Search and Seizure has since been amended, as we shall see presently. Justia [29].
For a discussion of such concerns see Rumold [42].
Nodes are computers volunteered by their owners to act as relays for Tor traffic.
Tor Blog [47].
Kerr and Murphy [30] p. 63.
Steifel [44].
The State Trojan has also been called ‘Remote Communication Interception Software’ by the German Federal Police (BKA). Bundtzen [8].
Oerlemans [38].
Cox [13].
Vitaris [49].
BBC [6].
Coleman [9] p. 303.
Times of Israel [45].
Wikipedia [51].
Regev [41].
Bell [3]. NB Graymail is also used to refer to bulk spam email that was originally authorised by the recipient, but no longer wanted.
A good example of this is the Stuxnet case. Unknown nation state actors produced an extremely elegant and sophisticated malware program called Stuxnet that was designed to damage centrifuges allegedly producing enriched uranium in Iran. Stuxnet was surgically and exclusively targeted against a particular process in a particular Siemens device. However, the malware eventually ‘escaped into the wild’ and the code was soon re-engineered into new versions for criminal use (including Duqu, Gauss and Flame). For a fascinating, if slightly technical, account of the whole saga, please see Zetter [52].
Zoetekouw [53] p. 1.
Ghappour [25] p. 1108.
Ghappour [25] p. 1114.
Ghappour [25] p. 1133.
Kerr and Murphy actually argue that international cooperation in these matters trumps the threat to sovereignty. ‘One government’s use of NITs to investigate crimes on the dark web is generally welcomed by other governments rather than feared.’ Kerr and Murphy [30] p. 63. But I would suggest the lack of objection is more likely a case of reluctant acquiescence to a situation over which there is little control. It is also politically easier to acquiesce and to justify a lack of objection when the matters under investigation relate to universally repugnant crimes such as paedophilia.
Zoetekouw [53] p. 10.
Zoetekouw [53] p. 13.
Bellovin et al. [4] p. 28 Fn10 citing Krempl.
CoE [12].
i.e. malware that allows unauthorised access to a device.
This article also appears to suggest that Cellebrite may have been using software written by hackers to remove software restrictions on Apple devices to allow the installation of unapproved apps. Cox [17].
Cornell Law School [10].
Ghappour [25] p. 1075.
There is a useful summary by Big Brother Watch [5].
The term ‘British Islands’ is not defined in the Act. In Schedule 1 to the Interpretation Act 1978 it is defined as the United Kingdom, the Channel Islands and the Isle of Man.
It would appear, therefore, to be limited to traffic and transaction data. Metadata (or data that describes other data) can often provide an understanding of the meaning of a message and it is not clear from the wording to what extent this may be captured under an interference warrant. S100(2)(c) uses the wording ‘anything that might reasonably to be considered the meaning (if any) of the communication or the item of information, disregarding any meaning arising from the fact of the communication or the existence of the item of information or from any data relating to that fact.’
EU Parliament [20].
Govt. of the Netherlands [27].
Deutsche Welle [18].
Ghappour [25] p. 1114.
The discussion here is related and restricted to matters of criminal investigation and not to military or intelligence attacks on cybersecurity or critical infrastructure.
Kerr and Murphy [30] p. 67.
Kerr and Murphy [30] p. 63.
References
ACLU: Challenging government hacking in criminal cases (2017). Available at https://www.aclu.org/sites/default/files/field.../malware_guide_3-30-17-v2.pdf. Accessed 9 July 2018
Altvater, B.J.: Combatting Crime on the Dark Web (2016). Available at http://www.ndaa.org/dyk/20161219-Dark%20Web_FINAL.pdf. Accessed 10 July 2018
Bell, C.: Surveillance technology and graymail in domestic criminal prosecutions. Georgetown J. Law Public Policy 16, 537 (2018). Available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3269915. Accessed 6 March 2019
Bellovin, S., et al.: Lawful hacking: using existing vulnerabilities for wiretapping on the Internet. Northwest. J. Technol. Intellect. Prop. 12, 1 (2014)
Big Brother Watch: Equipment interference (14 March 2016). Available at https://bigbrotherwatch.org.uk/?s=equipment+interference. Accessed 8 July 2018
British Broadcasting Corporation: Snowden leaks: GCHQ ‘attacked Anonymous’ hackers (2014). Available at https://www.bbc.co.uk/news/technology-26049448. Accessed 8 July 2018
Brunker, M.: Judge OKs FBI hack of Russian computers (2001). Available at https://www.zdnet.com/article/judge-oks-fbi-hack-of-russian-computers/. Accessed 4 July 2018
Bundtzen, S.: Why you should know about Germany’s new surveillance law (2017). Available at https://www.opendemocracy.net/digitaliberties/sara-bundtzen/why-you-should-know-about-germanys-new-surveillance-law. Accessed 5 March 2018
Coleman, G.: Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous. Verso, New York (2013)
Cornell Law School: Federal Rules of Criminal Procedure (2018). Available at https://www.law.cornell.edu/rules/frcrmp/rule_41. Accessed 8 July 2017
Corte di Cassazione: Penale Sent. Sez. 6, Num. 45486, Anno 2018 (2018). Available at www.italgiure.giustizia.it/xway/application/nif/clean/hc.dll?verbo=attach&db=snpen&id=./20181009/snpen@s60@a2018@n45486@tS.clean.pdf. Accessed 18 May 2019
Council of Europe T-CY assessment report (T-CY(2013)17rev): The mutual legal assistance provisions of the Budapest Convention on Cybercrime Para 5.1.1. Conclusion 1 (2013). Available at http://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016802e726c. Accessed 10 July 2018
Cox, J.: Australian dark web hacking campaign unmasked hundreds globally (2017). Available at https://motherboard.vice.com/en_us/article/4xezgg/australian-dark-web-hacking-campaign-unmasked-hundreds-globally. Accessed 5 March 2018
Cox, J.: In a First, Judge Throws Out Evidence Obtained from FBI Malware (2016). Available at https://motherboard.vice.com/en_us/article/gv5yqj/in-a-first-judge-throws-out-evidence-obtained-from-fbi-malware. Accessed 5 July 2018
Cox, J.: Second judge argues evidence from FBI mass hack should be thrown out (2016). Available at https://motherboard.vice.com/en_us/article/78kxkx/second-judge-argues-evidence-from-fbi-mass-hack-should-be-thrown-out. Accessed 5 July 2018
Cox, J.: The FBI hacked over 8,000 computers in 120 countries based on one warrant (2016). Available at https://motherboard.vice.com/en_us/article/53d4n8/fbi-hacked-over-8000-computers-in-120-countries-based-on-one-warrant. Accessed 7 March 2018
Cox, J.: Hacker dumps iOS cracking tools allegedly stolen from cellebrite (2017). Available at https://motherboard.vice.com/en_us/article/5355ga/hacker-dumps-ios-cracking-tools-allegedly-stolen-from-cellebrite. Accessed 3 July 2018
Deutsche Welle: Things to know about Germany’s recent surveillance laws (2017). Available at https://www.dw.com/en/things-to-know-about-germanys-recent-surveillance-laws/a-39421060. Accessed 18 May 2019
DOJ: US DoJ/OLA letter to Senator Grassley (14 July 2015). Available at https://www.judiciary.senate.gov/download/justice-department-to-grassley_-dea-spyware. Accessed 10 February 2018
EU Parliament LIBE Committee: Legal frameworks for hacking by law enforcement: identification, evaluation and comparison of practices (2017). Available at http://www.europarl.europa.eu/thinktank/en/document.html?reference=IPOL_STU(2017)583137. Accessed 8 March 2018
Europol: Are you sharing the same IP address as a criminal? Press release (12 October 2017). Available at https://www.europol.europa.eu/newsroom/news/are-you-sharing-same-ip-address-criminal-law-enforcement-call-for-end-of-carrier-grade-nat-cgn-to-increase-accountability-online. Accessed 28 June 2018
Fox-Brewster, T.: An NSA cyber weapon might be behind a massive global ransomware outbreak (2017). Available at https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#64d7f487e599. Accessed 3 July 2017
FBI: Playpen creator sentenced to 30 years. Press release (5 May 2017). Available at https://www.fbi.gov/news/stories/playpen-creator-sentenced-to-30-years. Accessed 6 July 2017
FBI: Going dark (2018). Available at https://www.fbi.gov/services/operational-technology/going-dark. Accessed 16 July 2018
Ghappour, A.: Searching places unknown: law enforcement jurisdiction on the dark web. Stanf. Law Rev. 69, 1075 (2017)
Goodin, D.: NSA-leaking shadow brokers just dumped its most damaging release yet (2017). Available at https://arstechnica.com/information-technology/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/. Accessed 3 July 2017
Government of the Netherlands: new law to help fight computer crime (2019). Available at https://www.government.nl/topics/cybercrime/news/2019/02/28/new-law-to-help-fight-computer-crime. Accessed 18 May 2019
Greenberg, A.: Global web crackdown arrests 17, seizes hundreds of dark net domains (2014). Available at https://www.wired.com/2014/11/operation-onymous-dark-web-arrests/. Accessed 11 July 2017
Justia: US Law Rule 41 Search and Seizure (2018). Available at https://law.justia.com/codes/us/2001/title18/app/federalru/dup1/rule41. Accessed 8 July 2018
Kerr, O.S., Murphy, S.D.: Government hacking to light the dark web: what risks to international relations and international law? Stan. Law Rev. Online 70, 58 (2017)
Kim, S.: Privacy international’s work on hacking (2017). Available at https://medium.com/privacy-international/privacy-internationals-work-on-hacking-153a0565e1ce. Accessed 9 July 2018
Legislation.gov.uk: Investigatory Powers Act 2016 (2018). Available at http://www.legislation.gov.uk/ukpga/2016/25/contents/enacted. Accessed 11 July 2018
Lemos, R.: FBI “hack” raises global security concerns (2002). Available at https://www.cnet.com/news/fbi-hack-raises-global-security-concerns/. Accessed 4 July 2018
Leyden, J.: Russians accuse FBI agent of hacking (2002). Available at https://www.theregister.co.uk/2002/08/16/russians_accuse_fbi_agent/. Accessed 4 July 2018
Mason, J.: Are VPNs legal in your country? Thebestvpn.com (2018). Available at https://thebestvpn.com/are-vpns-legal-banned-countries/. Accessed 11 July 2018
Murch, R.S.: FBI files brief on Scarfo Keylogger (2001). Available at https://yro.slashdot.org/:story/01/10/10/161256/fbi-files-brief-on-scarfo-keylogger. Accessed 4 July 2018
Norton.com: Malware (2017). Available at https://us.norton.com/internetsecurity-malware.html. Accessed 28 June 2017
Oerlemans, J.: Hacking without a legal basis (2014). Available at http://leidenlawblog.nl/articles/hacking-without-a-legal-basis. Accessed 20 November 2016
Privacy International: Italy’s Supreme Court decision limits hacking powers and applies safeguards (2 November 2018). Available at https://www.privacyinternational.org/blog/2423/italys-supreme-court-decision-limits-hacking-powers-and-applies-safeguards. Accessed 18 May 2019
Privacy International: Privacy International’s analysis of the Italian hacking reform, under DDL Orlando (2017). Available at www.privacyinternational.org/sites/default/files/2018-01/PI_hacking_DDL%20Orlando.pdf. Accessed 18 May 2019
Regev, D.: WhatsApp’s security breach: made in Israel, implemented worldwide. Deutsche Welle (17 May 2019). Available at https://www.dw.com/en/whatsapps-security-breach-made-in-israel-implemented-worldwide/a-48740524
Rumold, M.: Playpen: the story of the FBI’s unprecedented and illegal hacking operation (2016). Available at https://www.eff.org/deeplinks/2016/09/playpen-story-fbis-unprecedented-and-illegal-hacking-operation. Accessed 7 March 2018
Schroeder, S.: The Lure (2012). Course Technology, Boston
Steifel, K.: Bundestrojaner geknackt. Wiener Zeitung (10 October 2011). Available at https://www.wienerzeitung.at/themen_channel/wz_digital/digital_news/403092_Bundestrojaner-geknackt.html. Accessed 8 July 2018
Times of Israel: Israel reached out to US hackers for ‘Zero Days’ tools (2016). Available at https://www.timesofisrael.com/israel-reached-out-to-us-hackers-for-zero-days-exploits/. Accessed 30 June 2018
Tor Blog: Did the FBI pay a university to attack Tor users? (11 November 2015). Available at https://blog.torproject.org/did-fbi-pay-university-attack-tor-users. Accessed 11 July 2017
Tor Blog: Tor security advisory: “relay early” traffic confirmation attack (30 July 2014). Available at https://blog.torproject.org/tor-security-advisory-relay-early-traffic-confirmation-attack. Accessed 11 July 2017
UNODC: Comprehensive study on cybercrime (2013). Available at https://www.unodc.org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf. Accessed 6 June 2018
Vitaris, B.: Australian DarkWeb pedo site admin sentenced to 35 years in jail. www.deepdotweb.com (11 August 2015). Available at https://www.deepdotweb.com/2015/08/11/australian-darkweb-pedo-site-admin-sentenced-to-35-years-in-jail/. Accessed 5 March 2018
Vitaris, B.: Third judge rules FBI’s playpen warrant invalid. www.deepdotweb.com (29 September 2016). Available at https://www.deepdotweb.com/2016/09/29/third-judge-rules-fbis-playpen-warrant-invalid/. Accessed 11 July 2016
Wikipedia: Hacking team (2018). Available at https://en.wikipedia.org/wiki/Hacking_Team. Accessed 11 July 2018
Zetter, K.: Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (2014). Crown Publishers, USA
Zoetekouw, M.: Ignorantia Terrae Non Excusat. Conference paper, Crossing Borders: Jurisdiction in Cyberspace Conference (March 2016). Available at https://c.ymcdn.com/sites/www.iisfa.net/resource/resmgr/Slide_seminari/Convegno_Milano/c-mzoetekouw-ignorantia-terr.pdf. Accessed 12 July 2018
Cite this article
Brown, S.D. Hacking for evidence: the risks and rewards of deploying malware in pursuit of justice. ERA Forum 20, 423–438 (2020). https://doi.org/10.1007/s12027-019-00571-z