
posted by janrinok on Sunday August 21 2016, @03:57PM

We Shouldn’t Wait Another Fifteen Years for a Conversation About Government Hacking

With high-profile hacks in the headlines and government officials trying to reopen a long-settled debate about encryption, information security has become a mainstream issue. But we feel that one element of digital security hasn't received enough critical attention: the role of government in acquiring and exploiting vulnerabilities and hacking for law enforcement and intelligence purposes. That's why EFF recently published some thoughts on a positive agenda for reforming how the government obtains, creates, and uses vulnerabilities in our systems for a variety of purposes, from overseas espionage and cyberwarfare to domestic law enforcement investigations. [Emphasis added.]

Some influential commentators like Dave Aitel at Lawfare have questioned whether we at EFF should be advocating for these changes, because pursuing any controls on how the government uses exploits would be "getting ahead of the technology." But anyone who follows our work should know we don't call for new laws lightly.

To be clear: We are emphatically not calling for regulation of security research or exploit sales. Indeed, it's hard to imagine how any such regulation would pass constitutional scrutiny. We are calling for a conversation around how the government uses that technology. We're fans of transparency; we think technology policy should be subject to broad public debate, heavily informed by the views of technical experts. The agenda in the previous post outlined calls for exactly that.

There's reason to doubt anyone who claims that it's too soon to get this process started.

Consider the status quo: The FBI and other agencies have been hacking suspects for at least 15 years without real, public, and enforceable limits. Courts have applied an incredible variety of ad hoc rules around law enforcement's exploitation of vulnerabilities, with some going so far as to claim that no process at all is required. Similarly, the government's (semi-)formal policy for acquisition and retention of vulnerabilities—the Vulnerabilities Equities Process (VEP)—was apparently motivated in part by public scrutiny of Stuxnet (widely thought to have been developed at least in part by the U.S. government) and the long history of exploiting vulnerabilities in its mission to disrupt Iran's nuclear program. Of course, the VEP sat dormant and unused for years until after the Heartbleed disclosure. Even today, the public has seen the policy in redacted form only thanks to FOIA litigation by EFF.

Any and all original material on the EFF website may be freely distributed at will under the Creative Commons Attribution License, unless otherwise noted. All material that is not original to EFF may require permission from the copyright holder to redistribute.

The article is both well-written and thought-provoking, although it is too large to publish in full on our site. It discusses many of the problems that we have heard before - but has them all in one place and shows their inter-dependencies - and throws a few new ideas (for me at least) into the pot.

  • (Score: 0) by Anonymous Coward on Sunday August 21 2016, @04:22PM (#391069)

    On technology is that the other guys aren't bound by them. Even if you can get a treaty there will be important non-signees such as rogue states, and countries that do sign that violate the treaty anyway.

    That goes for biotech, bio warfare, drones, cyber warfare, etc.

  • (Score: 1) by Francis (5544) on Sunday August 21 2016, @04:27PM (#391071)

    We wouldn't need the limits if the NSA would stick to their charter and restrict their activities to foreign powers.

    The FBI though has absolutely no business with the hacking they do. That's internal security and there should be significant restrictions to what they do and how they do it. But, considering that the agency spends most of its time looking at child pornography, I'm not surprised that they feel they're above the law in other areas as well.

  • (Score: 1, Insightful) by Anonymous Coward on Sunday August 21 2016, @04:58PM (#391088)

    Which rogue state forgot to sign the land mine treaties and also forgot to sign the Law of the Sea, routinely tortures suspects and indiscriminately bombs civilians if they are of the right age to be classed as enemy combatants?

    • (Score: -1, Troll) by Anonymous Coward on Sunday August 21 2016, @11:26PM (#391329)

      I'm gonna say Iraq - "a regime that developed and used weapons of mass destruction, that harbored and supported terrorists, committed outrageous human rights abuses, and defied the just demands of the United Nations and the world." Amirite?

      • (Score: 0) by Anonymous Coward on Monday August 22 2016, @03:45AM (#391437)

        Of course supplying, supporting and allying with them (before you stabbed them in the back and destroyed their country (and entire region of the world)) was all completely above board wasn't it.

        Farcical illogical trolls make everyone laugh.