Accountable state spying: Government hacking needs to be regulated
There are some key conditions that must be met before governments are authorised to hack, and these must limit the uses of hacking.
There is a palpable fear gripping South African politicians, activists and journalists at the moment about whether their communication devices are being hacked. Even President Cyril Ramaphosa claims to have been hacked during his campaign for the presidency. Every public figure and prominent politician must dread the possibility of waking up one Sunday to find their hacked and leaked intimate videos circulating on some WhatsApp group.
Yet, surprisingly little is being said about hacking and what to do about it. This is in spite of the fact that regulation of hacking is big news in other countries. The lack of attention is puzzling, as hacking is probably the most invasive and damaging communication surveillance method of all.
Hacking can be defined broadly as interference with a system to make it act in ways that were not intended or foreseen by the manufacturer or user. Cellphones and laptops can be hacked, but so too can devices that contain sensors and are linked to the Internet of Things. This includes everything from the energy grid to your smart electricity meter, your security system, television, fridge, autonomous car and Fitbit.
Hacking presents unique threats to privacy and freedom of expression because it can do things that other forms of surveillance cannot do. Unlike passive forms of surveillance, such as bulk interception of traffic in transit, hacking is not defeated by encrypting your communications: a compromised device exposes messages before they are encrypted and after they are decrypted, along with the keys themselves. This danger leaves people working in sensitive professions (such as journalism) exposed. The dangers are amplified if it is the government that hacks your devices.
Governments should not have these powers without public and judicial scrutiny, but throughout the world, all too often, they do. Government hackers can suck everything out of your device whether there is evidence of a crime or not. They can turn your device against you to spy on you, and alter your personal information to embarrass you or even incriminate you. When placed in the hands of unaccountable governments, this capability can be very invasive indeed.
In Mexico, for instance, the government has hacked the emails of opposition politicians, journalists and even estate agents, regularly and with impunity. It has also been known to alter the hacked communications slightly to make their victims look worse than they actually are, release them publicly and then sit back and laugh as their victims squirm with embarrassment.
The South African government has not publicly avowed that it hacks, unlike some other countries. But there is publicly available evidence to suggest that these capabilities do exist, and are a factor in the South African surveillance set-up.
In spite of this, the recent High Court judgment about the unconstitutionality of sections of South Africa’s main communication surveillance law, Rica, did not even touch on hacking. Perhaps this is because the facts of the case, involving the surveillance of journalist Sam Sole, did not lend themselves to including this issue.
Hacking and South Africa
The University of Toronto’s Citizen Lab – which specialises in using internet scanning techniques to detect surveillance tools on communication networks – has detected FinFisher on two IP addresses belonging to communications parastatal Telkom in South Africa.
FinFisher is a weapons-grade intrusive hacking suite sold exclusively to governments and has been implicated in several surveillance abuses in authoritarian countries such as Bahrain and Ethiopia.
FinFisher is particularly useful for monitoring security-conscious and mobile targets like journalists, who make extensive use of encryption. Governments can use it to take control of a target’s computer as soon as it is connected to the internet, and it can even be used to turn on web cameras and microphones for surveillance purposes.
According to documents leaked from the manufacturer's systems, and subsequently published by WikiLeaks, by 2014 FinSpy was the most popular product in the suite. This tool inserts a Trojan into a device: a malicious program that gives its controller complete control of the infected device.
Once it is inserted, the controller can do everything the device user can do, such as intercept and record a wide variety of information from an infected device, including Skype chats and calls, instant messaging, emails and even passwords. The controller can also turn the user’s phone into a little spying device in meetings and in their home, by remotely turning on the microphone and videocam.
According to the WikiLeaks documents, South Africa purchased base licences for FinSpy and, with a total of 23 licences, was the third-largest named user of FinFisher after Slovakia and Estonia; the largest unnamed user held 47 licences. In other words, the WikiLeaks evidence pointed to South Africa being a significant FinFisher user.
Citizen Lab detected FinFisher command-and-control servers on the Telkom network in 2013 and, more seriously, it detected a master server in South Africa. This meant not only that FinFisher was present in South Africa, but that it was most likely being operated by a government department, given that the manufacturer sells only to governments.
In September 2018, Citizen Lab detected infections by the Israeli firm NSO Group's powerful mobile phone hacking tool, Pegasus, in South Africa, suggesting that an NSO operator was spying here.
In correspondence with Citizen Lab, the NSO Group claimed: “Contrary to statements made by you, our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror. Our business is conducted in strict compliance with applicable export control laws.”
Pegasus exploits vulnerabilities in computer systems that are not yet known to the manufacturers or users (zero-day vulnerabilities) to take over a user's device for surveillance purposes. In the documented cases, the user is duped into clicking on a link that takes them to a web domain that delivers the spyware.
Why authoritarian governments would want the powers to hack is self-evident, but why would democratic governments want these powers if they are so invasive of privacy? Is there a sound operational case for government hacking?
The government spy agency case for hacking
Increasingly, law enforcement and intelligence agencies are arguing that encryption is making it more and more difficult for them to spy for legitimate purposes. Hacking allows them to gain access to the device of a terrorist or criminal suspect and circumvent encryption by reading a message at the source.
In fact, spy agencies have bemoaned the fact that Edward Snowden's revelations about massive and abusive government spying have led to the democratisation of encryption. Consequently, they claim, encryption is creating a law-free zone where they cannot obtain information about what suspects are thinking or doing, reducing their abilities to disrupt criminal networks and terrorist plots. Justice could even be subverted, they argue, if most forms of evidence of wrongdoing can be compelled while encrypted evidence alone remains out of reach.
The agencies are also concerned that bulk surveillance is becoming less and less effective in the fight against serious crime, as this form of surveillance cannot access encrypted data, and more and more criminals are using encryption. These changes in criminal communication habits are leading to what the agencies call the “going dark” problem, where communication of interest becomes less and less visible to them.
Therefore, the agencies argue, they need more innovative and agile technological capabilities. They claim that hacking provides them with an important capability to detect and disrupt possible criminal attacks, including cyber-attacks.
They also argue that hacking is a middle path between not accessing encrypted data at all (which they would not accept) and compelling communication service providers to hand over the decryption keys (which is not an option anyway when there is end-to-end encryption), or compelling them to build back-doors or vulnerabilities into their services. Another option of creating a key escrow system – where a designated government authority or third party stores the encryption keys – has been roundly rejected as too risky.
At face value, these would appear to be compelling operational arguments. However, the reality is that the internet has opened up whole new alternative sources of data and evidence for the spy agencies, and these can be used to supplement data sources lost to encryption.
South African agencies have shown that they rely far more on metadata (or data about a person’s communications, such as who they called or what their cellphone location was) for investigations than they do on communication content. This metadata may not be encrypted, although some of it can be hidden from view through anonymising security services.
Former Rica judge Yvonne Mokgoro complained in one of her annual reports that the growing use of encryption was placing more communications beyond the reach of intelligence agencies. Yet she provided no statistical information about the number of investigations that were defeated by encryption.
In the US, intelligence agencies have vastly overstated the threat of encryption to their investigations, to justify more expansive powers. So, it is important not to take the spy agencies’ “going dark” argument, and their subsequent justifications for hacking, at face value.
Privacy and security concerns around hacking
In addition to the privacy risks, hacking threatens the security of the internet, which can affect many more people than a criminal suspect or two. An entire device is compromised during the hack, which is much more dangerous than simply listening in to a phone call.
Legalised government hacking means that the agencies have a vested interest in promoting an insecure internet to make hacking easier, which creates a host of new security threats, some of which can even be life-threatening if they compromise critical infrastructure.
Hacking creates perverse incentives for governments to keep the internet vulnerable so that they can exploit these vulnerabilities. This is leading to a huge trade in zero-day vulnerabilities, where governments buy the vulnerabilities to stockpile them for future exploitation in hacking activities.
Rightfully, governments should be fixing or patching security problems instead of creating them or contributing to them through exploiting them. The problem with promoting an insecure internet is that these insecurities can be used by governments and criminals alike: something that should concern South Africans, given our extremely high levels of cybercrime.
The Cybercrimes Bill forbids unlawful hacking. The government could argue that this leaves the door open to using lawful hacking. But the problem is that Rica is silent on hacking, although it is a form of interception of communications.
Furthermore, former Rica judge Mokgoro and the Joint Standing Committee on Intelligence have both argued that the surveillance technologies used should not be taken into account when deciding whether to grant an interception direction (or a warrant). In other words, once the judge has issued a direction, then the spy agency concerned should be allowed to use whatever spying tool it sees fit.
This approach of technology neutrality is problematic as some surveillance tools are more invasive than others. As hacking can circumvent encryption and threatens cybersecurity too, it needs to be regulated as a discrete form of surveillance with even more stringent controls than other forms of surveillance.
Legislating for hacking
While many countries continue to use hacking under the legal radar, some have publicly avowed their uses of hacking. France, Germany, Poland and the UK have adopted specific legislative measures around hacking and some other countries are in the process of doing so.
However, too many countries take advantage of the "law lag" – the lag between technological innovations and the laws that regulate these innovations – to implement hacking. They may rely on "grey area" provisions in existing laws, in spite of the fact that the United Nations Special Rapporteur on Freedom of Expression has called for any laws that limit encryption or mandate hacking to be clear and narrowly framed.
Hacking triggers unique and specific privacy, security and evidentiary concerns that general surveillance laws cannot address adequately. For instance, according to Rica, intercept information – or information that is derived from communication intercepts – is admissible in court.
Yet information derived from hacking can be polluted by the manner of interception, because the hacking tool itself writes to the device it compromises and can, by design, alter data on it. Therefore, as a general rule, intercept information obtained from hacking should not be admitted as evidence in court. Alternatively, a forensic expert should be brought in to verify that the integrity of the hacked information has not been compromised. If intercept information is presented in court, then the attack method should be disclosed in court so that the defence can respond appropriately.
There are some key conditions that need to be met before governments are authorised to hack, and these limit the uses of hacking. Hacking should be prescribed explicitly in law, and the spy agencies seeking to use hacking should seek a warrant from a judge beforehand. The hacking should also be appropriately targeted, and only the device of the suspect should be hacked, to limit the potential impacts on cyber-security. Non-essential data should be deleted.
Bulk hacking, along the lines of the bulk equipment interference warrants that the UK wrote into its Investigatory Powers Act 2016, should not be allowed, as it opens the door to the government hacking thousands of devices at a time on an indiscriminate basis, and in ways that threaten cybersecurity massively. There should be no place in a democracy for untargeted bulk hacking, and, quite rightly, the UK is being challenged on this at the moment.
Key pieces of information should be stipulated in the application for the warrant. The application should provide sufficient information enabling the judge to assess the potential risks and damages to the security of the targeted device, and how these risks can be mitigated.
The duration for hacking should also be limited, preferably to a month: the three-month duration for interception directions in Rica is too long. The warrant should mention all the applications, data and sensors that will be targeted, the software and hardware to be used, and what information may or may not be collected.
Serious consideration should also be given to having separate authorisation processes for different functionalities of a hacking tool. Italy does that, which limits (potentially) overuse of hacking’s extensive capabilities. The Netherlands spells out in its law what functionalities and techniques are permissible for use by law enforcement agencies.
The grounds for issuing a hacking warrant should be even more stringent than those applying to more passive forms of surveillance, and the judge should be empowered to consult with a technical expert to assess the application before granting it.
There should also be provisions in the law to prevent the agencies from altering, deleting or adding data to the targeted device, and in addition to notifying the surveillance subject as soon as it is possible to do so, the hardware and software manufacturers should be informed too.
As part of its contribution to non-proliferation of weapons of cyber-warfare, the government should not be allowed to stockpile zero-day vulnerabilities for possible exploitation. Undoubtedly, this will create problems where a legitimate target is using a new, and most likely patched, operating system, but the government will be failing to prevent criminal activity by not disclosing a vulnerability when it becomes aware of it. However, reporting vulnerabilities does not preclude them from being exploited, at least until they are patched.
Private contractors should be disallowed from operating the hacking tools, as this could lead to security risks, and may reduce transparency, as disclosing the tools used, even to a judge, may be limited by vendor secrecy agreements. Third parties (such as internet service providers) should not be compelled to assist with hacking, either.
The spy agency undertaking the hacking must keep an audit trail to record the hacking trail, the method, extent and duration, and any alterations or deletions. Independent experts should also be brought in to audit the entire operation.
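The audit trail called for here, and the integrity verification a forensic expert would perform on hacked material (see the evidentiary concerns above), can be made checkable rather than a matter of trust. The following is an added example, not code from the article or from any agency: a hash-chained, append-only log in which each entry commits to the one before it, so that altering, reordering or deleting an entry breaks the chain, plus a manifest that hashes every collected artefact at acquisition time. The warrant reference, the actions and the artefacts are constructed for illustration.

```python
# Added example (not from the article): tamper-evident audit trail and
# evidence manifest for a warranted hacking operation.
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    """Serialise an entry deterministically, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only log: every entry commits to the hash of the previous one.
    Altering, reordering or deleting an interior entry breaks the chain there."""

    def __init__(self, warrant_id: str):
        self.warrant_id = warrant_id  # hypothetical warrant reference
        self.entries: list = []

    def record(self, ts: int, action: str, writes_to_device: bool, detail: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "warrant": self.warrant_id,
            "ts": ts,
            "action": action,
            "writes_to_device": writes_to_device,  # did this step alter the target?
            "detail": detail,
            "prev": prev,
        }
        entry["hash"] = sha256_hex(canonical(entry))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry. Lodge it with the judge or auditor: a chain on
        its own cannot reveal that trailing entries were quietly removed."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, lodged_head: Optional[str] = None):
        """Return (ok, index): index is the first bad entry, or the length if ok."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != sha256_hex(canonical(e)):
                return False, i
            prev = e["hash"]
        if lodged_head is not None and prev != lodged_head:
            return False, len(self.entries)  # truncated after the lodged head
        return True, len(self.entries)

    def device_alterations(self) -> list:
        """Actions that changed the target device: what a warrant should forbid,
        or at least force into the open."""
        return [e["action"] for e in self.entries if e["writes_to_device"]]


def make_manifest(items: dict) -> dict:
    """Hash every collected artefact (name -> bytes) at acquisition time."""
    return {name: sha256_hex(data) for name, data in items.items()}


def check_manifest(manifest: dict, items: dict) -> list:
    """Names whose current contents differ from the acquisition-time hash, or that
    are missing. An empty list means the collected evidence is intact."""
    return sorted(
        n for n in manifest
        if n not in items or manifest[n] != sha256_hex(items[n])
    )


def build_demo_trail() -> AuditTrail:
    """Constructed sample operation (hypothetical warrant and actions)."""
    trail = AuditTrail("RICA-2019-0001")
    trail.record(1, "implant_installed", True, {"tool": "unnamed", "exploit": "undisclosed"})
    trail.record(2, "messages_read", False, {"app": "chat", "count": 3})
    trail.record(3, "microphone_enabled", True, {"minutes": 12})
    return trail


if __name__ == "__main__":
    trail = build_demo_trail()
    lodged = trail.head()
    print("intact:", trail.verify(lodged))
    print("device alterations:", trail.device_alterations())
    trail.entries[1]["detail"]["count"] = 1  # quietly "correct" a record afterwards
    print("after edit:", trail.verify(lodged))
```

The `writes_to_device` flag is what lets an auditor separate reading from altering: an implant that merely reads messages and one that plants a file both look like "access" in a narrative report, but only the second kind should appear in `device_alterations()`. Note the limit of the hash chain: removing the last entries leaves a valid chain, which is why the head hash must be lodged with someone outside the agency before the operation ends.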
Information should also be published on the number of hacking operations each year, and whether they have been used extra-territorially. Extra-territorial hacking is a serious matter, as it could be considered an act of aggression, even war. If it is found during the course of a hack that the device being hacked is located outside the country, then the agencies should be required to abandon the hack and seek the required information through a mutual assistance agreement with the other country, if one exists.
Trusting our devices
Under-regulated surveillance is creating a world where we can no longer trust our devices, and nothing destroys trust more than hacking. Of course, ethical hacking can be a public good as it encourages manufacturers to develop more robust systems. However, if we are to communicate openly and securely then the spaces for abuse need to be closed. The High Court judgment on Rica has been a huge step forward in ensuring more accountable state spying; but when it comes to hacking, South Africa is wide open for abuse. Future revisions of Rica need to take this reality into account. DM
Jane Duncan is a professor in the Department of Journalism, Film and Television, School of Communication, Faculty of Humanities, University of Johannesburg. She is author of Stopping the Spies: Constructing and Resisting the Surveillance State in South Africa, published by Wits University Press in 2018. She tweets at @duncanjane.
Daily Maverick © All rights reserved