SoylentNews

Arthur T Knackerbracket reports the Electronic Frontier Foundation (EFF) web site has the following story:

We Shouldn’t Wait Another Fifteen Years for a Conversation About Government Hacking

With high-profile hacks in the headlines and government officials trying to reopen a long-settled debate about encryption, information security has become a mainstream issue. But we feel that one element of digital security hasn't received enough critical attention: the role of government in acquiring and exploiting vulnerabilities and hacking for law enforcement and intelligence purposes. That's why EFF recently published some thoughts on a positive agenda for reforming how the government, obtains, creates, and uses vulnerabilities in our systems for a variety of purposes, from overseas espionage and cyberwarfare to domestic law enforcement investigations. [Emphasis added.]

Some influential commentators like Dave Aitel at Lawfare have questioned whether we at EFF should be advocating for these changes, because pursuing any controls on how the government uses exploits would be "getting ahead of the technology." But anyone who follows our work should know we don't call for new laws lightly.

To be clear: We are emphatically not calling for regulation of security research or exploit sales. Indeed, it's hard to imagine how any such regulation would pass constitutional scrutiny. We are calling for a conversation around how the government uses that technology. We're fans of transparency; we think technology policy should be subject to broad public debate, heavily informed by the views of technical experts. The agenda in the previous post outlined calls for exactly that.

There's reason to doubt anyone who claims that it's too soon to get this process started.

Consider the status quo: The FBI and other agencies have been hacking suspects for at least 15 years without real, public, and enforceable limits. Courts have applied an incredible variety of ad hoc rules around law enforcement's exploitation of vulnerabilities, with some going so far as to claim that no process at all is required. Similarly, the government's (semi-)formal policy for acquisition and retention of vulnerabilities—the Vulnerabilities Equities Process (VEP)—was apparently motivated in part by public scrutiny of Stuxnet (widely thought to have been developed at least in part by the U.S. government) and the long history of exploiting vulnerabilities in its mission to disrupt Iran's nuclear program. Of course, the VEP sat dormant and unused for years until after the Heartbleed disclosure. Even today, the public has seen the policy in redacted form only thanks to FOIA litigation by EFF.

Any and all original material on the EFF website may be freely distributed at will under the Creative Commons Attribution License, unless otherwise noted. All material that is not original to EFF may require permission from the copyright holder to redistribute.

The article is both well-written and thought-provoking, although it is too large to publish in full on our site. It discusses many of the problems that we have heard before - but has them all in one place and shows their inter-dependencies - and throws a few new ideas (for me at least) into the pot.

Original Submission