The pen may be mightier than the sword, but hacking is becoming mightier than the pen. Are you really okay with that?
The news is increasingly peppered with hacking stories in which the most likely perpetrator is a government or someone acting on behalf of a government. I don’t know about you, but I find it greatly concerning when nation-states and secret agencies play out their ulterior motives through hacking. Worse, they’re doing it in the dark, and with zero human rights protections or recourse for the people targeted and harmed. Governments across the globe have gone rogue with hacking. We need to put legal limits in place to protect people, or we’ll see the damage continue to escalate.
Consider the recent interference in the U.S. political system. The Democratic National Committee (DNC) was hacked and internal emails were published hours before the start of the Democratic convention — a crucially sensitive time for former U.S. Secretary of State Hillary Clinton’s campaign. The Democratic Congressional Campaign Committee (DCCC) was also hacked and donor information taken. Donald Trump utilized his usual brand of farcical parody and called on Russia to further hack his Democratic opponents to find Hillary Clinton’s “missing” emails. There has since been another hack, of at least two U.S. state election boards, potentially by a foreign power. Nation states have conducted cyber espionage for some time, but these incidents go way beyond discovery of secret information to manipulate the electoral outcome of the world’s most powerful nation.
But you don’t have to be a nation-state to be a target of government hacking. Consider the case of Ahmed Mansoor, a citizen of the United Arab Emirates (UAE), an internationally acclaimed human rights defender, and an advisory board member of Human Rights Watch. He has been repeatedly targeted with sophisticated malware used by the autocratic UAE government to hack the devices of their critics. Ahmed’s case is far from isolated. It is a scenario we at Access Now repeatedly see through the work of our Digital Security Helpline. Bloggers, journalists, human rights lawyers, members of the LGBT community, environmentalists, activists, and other at-risk users are all targeted by nation states.
If you think you are safe from government hacking because you live in the West, think again. The U.S. National Security Agency used a hack of Google’s data centers to spy on the Gmail messages of peaceful pro-democracy activists in New Zealand who were campaigning against the military regime of the island nation of Fiji.
There are common threads throughout these cases. No matter which country is doing the hacking, it is doing it without transparency, without oversight, without legal justification, and without explanation or justification. Their hacking is bound only by the technical limits of what is possible, and they conduct it with impunity. Regardless of what national constitutions and bills of rights say about protecting the basic freedoms of citizens, for all practical purposes there are currently no limits on governments wreaking havoc with people’s digital lives. It has to stop.
This behavior has become so commonplace that a Virginia judge recently ruled that the U.S. Federal Bureau of Investigation should be able to hack computers without a warrant because computer users get hacked all the time, and therefore we should have no expectation that anything connected to the internet is safe from intruders. The judge further stated that while certain types of hacking are illegal in the United States, computers connected to the internet are global and those types of hacking could be legal in other countries. This implies that legal constraints are futile in the global context, yet I don’t see this judge calling for a no-holds-barred space in other areas with global context, such as international waters. Why single out the internet as a free-for-all government playground?
The mind boggles at this wanton disregard for moral behavior. We are meant to look up to law enforcement as an example of how to behave. Yet governments around the world are communicating that not only is hacking okay, but hacking rules. Hackers are now at the top of the food chain; if you want to be effective and powerful, learn to hack. And for everyone who doesn’t, we are teaching them that resistance is futile (as Star Trek’s “Borg” might inform us).
Even though governments are already hacking with impunity, in a post-Snowden world they have been frantically scrambling to legitimize their actions. From the U.K.’s Investigatory Powers Bill, to the U.S. changes to Rule 41 of the Federal Rules of Criminal Procedure, to Australia’s 2014 amendments to the Intelligence Organization laws, governments are trying to make hacking legal, but without any of the necessary safeguards to protect human rights. Access Now and other digital rights organizations are fighting each new piece of legislation as it is introduced, but we also need a preventative approach, such as introducing new laws to affirmatively protect the rights of citizens when governments hack.
Technology has the potential to empower us as individuals, but it also has the potential to enslave us. Even as the internet allows individuals to exercise our fundamental rights and freedoms, it creates an infinite space of exploitable vulnerability for each of us. Let’s not leave the technical capability of government hackers as the sole limit to the exploitation of human rights. As the Internet of Things moves us into an even more device-connected world, the potential harm and control of citizens via government hacking will increase — unless we take a stand. We cannot let those with the most hacking expertise and resources dictate and dominate our lives. It’s time for a thorough discussion about when government hacking cannot be justified, and to develop guidelines to strictly limit such hacking and its effect on our rights and freedoms. To ensure our freedoms, we need a way to control offensive capability in the digital realm just as we do when we authorize police to use physical force.
To this end, Access Now released a report this week examining the human rights implications of government hacking, with the consultation of experts in the field. In this report, we examine government hacking in times of peace. Rather than provide a treatise on the current crop of technical tools governments are using, we look instead at the intent of the hacking, and examine whether the activity is consistent with human rights.
Government hacking doesn’t just target other governments. And it’s not just targeting the “bad guys.” It’s being used to undermine the human rights that serve as the bedrock of democratic society globally. The fact is, Ahmed Mansoor’s story could easily be your story, too. Unless we get more information about when and how governments hack us, and unless government bodies across the world — the congresses of the U.S. and Brazil, the British parliament, China’s State Council, and others — have an honest conversation about meaningful limits to government hacking, the status quo remains. Our judiciaries need to understand the consequences of authorizing hacking, and our executives must reconsider the practice of stockpiling and exploiting vulnerabilities. Otherwise our governments will continue to hack away at our human rights without restraint.