The Federal Bureau of Investigation recently made an unprecedented admission: It uses undisclosed software vulnerabilities when hacking suspects’ computers.
Amy Hess, head of the FBI’s science and technology arm, recently went on the record about the practice with the Washington Post. “Hess acknowledged that the bureau uses zero-days,” the Post reported on Tuesday, using industry-speak for generally unknown computer bugs. The name derives from the way such flaws blind side security pros. By the time attackers have begun taking advantage of these coding flubs, software engineers are left with zero days to fix them.
Never before has an FBI official conceded the point, the Post notes. That’s noteworthy. Although the news itself is not exactly a shocker. It is well known among cybersecurity and privacy circles that the agency has had a zero day policy in place since 2010, thanks to documents obtained by the American Civil Liberties Union and published earlier this year on Wired. And working groups had been assembled at least two years earlier to begin mapping out that policy, as a document obtained by the Electronic Frontier Foundation privacy organization and also published on Wired shows. Now though, Hess, an executive assistant director with the FBI, seems to have confirmed the activity.
(People surmised as much after the FBI was outed as a customer of the Italian spyware firm Hacking Team after hackers stole some of its internal documents and published them online this year, too.)
The agency’s “network investigative techniques,” as these hacking operations are known, originate inside the FBI’s Operational Technology Division in an enclave known as its Remote Operations Unit, according to the Post. They’re rarely discussed publicly, and many privacy advocates have a number of concerns about the system, which they say could potentially be abused or have unsavory consequences.
Law enforcement agencies’ reliance on such exploits poses a Catch-22. On the one hand, hoarding coveted bugs and keeping them secret lets authorities slyly target suspects and collect evidence (with a warrant, of course). On the other hand, alerting tech companies about flaws in their products lets them fix the problems, protecting customers everywhere and securing them against attacks from less well-intentioned hackers and spies. The two incentives are undeniably at odds.
That dilemma grows more complex when another compelling reason for agencies like the FBI to use zero days enters the mix. The hacking method lets investigators sidestep roadblocks posed by strong encryption, a technology that scrambles data and communications and increasingly leaves the Feds in the dark, so to speak, when probing wires and hard drives for incriminating information. Consider the hacking option as the agency’s “plan B,” as the Intercept has detailed.
The tactic isn’t necessarily a bad thing. Indeed, Jonathan Mayer, the Federal Communication Commission’s recently appointed technical lead for investigations who is also a well-known privacy advocate, earlier this year described hacking as a potentially “legitimate and effective law enforcement technique” in an academic paper. Another set of big-name security researchers also recently argued in a paper that targeted hacking campaigns could provide a tolerable alternative to mandating that tech firms add special “backdoor” access to their encrypted products for investigators.
Before the hacking option can be considered a comprehensive solution, many of the details would need to be worked out. Hess admits that the agency regularly grapples with these questions. As Post reporter Ellen Nakashima writes:
[Hess] said the trade-off is one the bureau wrestles with. “What is the greater good — to be able to identify a person who is threatening public safety?” Or to alert software makers to bugs that, if unpatched, could leave consumers vulnerable?
“How do we balance that?” she said. “That is a constant challenge for us.”
She added that hacking computers is not a favored FBI technique. “It’s frail,” she said. As soon as a tech firm updates its software, the tool vanishes. “It clearly is not reliable” in the way a traditional wiretap is, she said.
Perhaps that’s why the agency continues to throw its weight behind legislative proposals that seek “backdoor” access to encrypted products, despite the fact that many technologists oppose such a scenario on the grounds that it would expose people to unacceptable risk. For what it’s worth, the security scholars who wrote one of the papers referenced above recommend that law enforcement agencies adopt a prompt responsible disclosure policy. Per the paper:
“We propose that law enforcement adopt strict guidelines requiring immediate disclosure to the vendor any vulnerabilities as soon they are discovered,” they write. “As we will discuss, such guidelines would allow law enforcement to fully support crime prevention, and—because of the natural lag of the software lifecycle—still allow law enforcement to build a sufficiently rich toolkit to conduct investigations in practice.”
These legal procedures have yet to be thoroughly debated and ironed out but, in the meantime, we can at least put to rest a lingering uncertainty. To the question “is the FBI using zero days in criminal investigations?”—as the subject of a blog post on Just Security recently inquired—one can erase the question mark. The answer is apparently yes.
Follow Robert Hackett on Twitter at @rhhackett. Read his cybersecurity, technology, and business coverage here. And subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology, where he writes a weekly column.
For more about the great encryption debate, watch the video below:
