by Sasha Romanosky and Cortney Weinbaum
This commentary originally appeared on Inside Sources on August 24, 2016.
Judge Robert J. Bryan of the U.S. District Court for the Western District of Washington might not realize it, but his actions may affect the extent to which the FBI emphasizes the law enforcement or intelligence gathering aspects of its mission. Bryan recently excluded evidence presented by the FBI in the case of U.S. v. Jay Michaud showing that a defendant allegedly accessed child pornography. It was excluded because the FBI was unwilling to reveal the particular software exploit used to collect the evidence.
Here’s what happened: The FBI developed a capability to exploit a computer’s vulnerability and installed software to collect evidence from a suspect’s computer. The FBI awkwardly calls this capability a “network inspection tool.” The defense attorneys filed numerous motions to compel the FBI to reveal the complete method by which it acquired the evidence, to ensure that the search was legal under the Fourth Amendment. While the FBI revealed the code used to collect the evidence, it chose not to reveal the specific vulnerability used to gain access to the suspect’s computer in the first place.
Essentially, the FBI argued that a judge doesn’t need to know how a lock was picked in order to rule on the lawfulness of evidence found inside a house. And the reason the agency wants to conceal the technique is that exposing the particular software exploit would enable criminals to patch their systems, which would prevent the FBI from using this capability. By refusing to provide the court with information about the exploit, the FBI made the decision to continue using it, potentially jeopardizing this and other prosecutions based on the same exploit.
This is not the first time the FBI has exploited a vulnerability on a suspect’s computer in order to install software that collected evidence. In 2007, the FBI installed software on the computer of a person suspected of making bomb threats against a school. From the computer, the software collected information that was then transmitted back to the FBI. The tool was known as a “computer and internet protocol address verifier.” But in this case, the suspect pleaded guilty to the charges without forcing the FBI to reveal exactly how it compromised the suspect’s computer.
This is also not the first time that the FBI exploited an unknown software vulnerability (often referred to as a zero-day vulnerability) to acquire digital evidence. The recent battle between the FBI and Apple to unlock the cellphone of the alleged killer in the San Bernardino case promptly ended when the FBI was able to exploit a zero-day vulnerability and gain access to the phone.
Nor is it the first time that law enforcement withdrew critical evidence over concerns of exposing their cyber techniques. In 2014, state police in Baltimore withdrew evidence allegedly collected using a Stingray, an electronic device that mimics a cellphone tower and enables law enforcement to intercept cellphone calls.
But there is an important difference between these cases and the U.S. v. Jay Michaud. This is the first time that the FBI has voluntarily withdrawn evidence collected by exploiting a zero-day vulnerability. The FBI’s dilemma going forward is that the more it relies on exploiting these kinds of hidden software vulnerabilities, the more it will be forced to reveal them to the public.
If the FBI chooses to use and reveal the agency’s exploits, it risks exposing its capabilities, enabling other criminals to patch their computers. On the other hand, if the FBI conceals its exploits, then it risks the ability to successfully prosecute cyber criminals should further evidence be questioned and ultimately withdrawn.
This raises two important concerns. First, whether, in the cyber domain, the FBI will operate less like a law enforcement agency, and more like a de facto cyber-intelligence agency that collects inadmissible information. While the judge’s decision may well be appealed, the fact remains that the more crimes are committed in cyberspace, and the more law enforcement must rely on the tradecraft of finding and exploiting software vulnerabilities, the more pressure will be placed on them to reveal their capabilities and maintain an effective role as a federal law enforcement agency.
The second concern regards the public’s ability to exercise effective oversight of the FBI’s activities. As the FBI withdraws more evidence in fear of revealing its techniques, the less insight the public will have concerning the agency’s methods and whether they comply with the rules. If the public isn’t told how the lock was picked, then it becomes even more important to have oversight over the lock pickers.