Cybersecurity

Is Cyber Privacy and Security a Human Right? Should It Be?

Group lists safeguards governments should follow before hacking citizens.

|

Big Brother
Alain Lacroix / Dreamstime.com

"The Feds Will Soon Be Able to Legally Hack Anyone" warns the headline at Wired in a commentary written partly by Democratic Oregon Sen. Ron Wyden. The piece is warning about coming changes to "Rule 41," a reference familiar to everybody in any field remotely connected to cybersecurity and privacy and mostly unknown to anybody else.

Right now the Department of Justice is working to expand its hacking and surveillance authorities under the Federal Rules of Criminal Procedure. It's already legal, under this Rule 41, for the FBI to get authorization from a judge to attempt to install malware to hack into computers that are believed to be connected to crimes. But Rule 41 has limits—judges can only authorize intrusions into computers within their own jurisdictions. This update would lift that limit and would authorize the feds to turn to a judge to get permission to "hack a million computers or more with a single warrant."

Wyden has teamed up with other tech privacy-minded legislators (like Republican Sen. Rand Paul) to try to stop this amendment to Rule 41. They have until December to block it.

In the middle of this debate over how much hacking authority the government should have, one activist organization is analyzing whether such authority fundamentally endangers human rights, at least in its current use. Access Now, an advocacy and policy group devoted to protecting and advancing the rights of users of digital and technological tools, released a lengthy report about how government hacking can threaten our liberties.

Access Now notes how little public debate there has been on the "scope, impact, or human rights safeguards for government hacking." The massive release of secret government surveillance documents by Edward Snowden did prompt significant discussions about digital snooping in the United States and some European countries, and there have been some very modest reforms in the states. Others, though, like the United Kingdom, are actually considering formalizing a system that expands authorized government snooping on private digital data.

Access Now carefully analyzed how governments engage in hacking, separating their behaviors into three categories: Message control (in censoring and manipulating digital information), deliberate damage (malware that harms systems and data), and surveillance and information-gathering.

Access Now determined that government hacking causes significant harms to human rights. Here's a brief sample of how they describe the impact of hacking that installs malware or otherwise damages a person's systems:

Government hacking that falls under this umbrella is often designed specifically to deprive a person of their property in some way. This implicates due process protections, which require a fair trial overseen by a competent judicial authority, qualified legal representation, and the ability to appeal. It also directly conflicts with the right recognized in most countries for individuals to own private property. When the damage a government seeks to carry out also implicates human life or wellbeing, the threat to human rights is exceptionally grave. Government hacking to do damage also implicates other human rights, such as freedom of expression and association, since these rights are frequently exercised using devices that such hacking could render inoperable.

Access Now ultimately concludes that "there should be a presumptive prohibition on all government hacking," based on international human rights law. In order to justify hacking, Access Now recommends 10 specific safeguards, such as requiring very specific, tailored laws that describe when hacking is permitted in the narrowest terms possible. That's pretty much the opposite of what the Rule 41 expansion is attempting to accomplish.

Access Now's report coincides with a high-profile government hacking story, but it didn't get much traction in the U.S. amid all the election coverage. In August, Apple iPhone and iPad users were sent a security update over a vulnerability that was uncovered by a human rights advocate in the United Arab Emirates (UAE). Ahmed Mansoor was sent a link from an unknown source that would have installed surveillance malware on his phone had he clicked on it. Investigation determined that it was likely somebody within the government of UAE who attempted the hack.

In response to emailed questions, Drew Mitnick, policy counsel for Access Now, said that Mansoor's discovery highlighted how government-sponsored hacking has significantly increased over the last decade, but it's still not an area where there's nearly enough discussion.

"Disappointingly, it's up to third parties to talk about government hacking," Mitnick says. "Few within government are willing to talk about it openly. Our report both articulates a standard of how government hacking of individuals is almost always impermissible under human rights law, and pushes governments to be more open about how and when they hack."

But the debate over government hacking—to the extent that such a debate is publicly occurring—seems to revolve around government officials declaring that it's all used to keep us safe from terrorists, drug traffickers, and child pornographers. There is little acknowledgment of abuses of government hacking authority or the potential harmful consequences. Mitnick notes that the presumption should be that the government must prove it actually needs a particular hacking authority in order to successfully fight these crimes. Right now there's a lot of assertion without evidence to back it up.

"In the case of hacking, the government has failed to make its case that other methods are unavailable," Mitnick says.

Cybersecurity issues, though, have only been brought up briefly and vaguely in the presidential race. Mitnick notes that pushes to scale back federal hacking authority seem to be dependent so far on vocal responses by lawmakers like Wyden.

"At one point, he was the only one speaking about the risks, but now Senators [Jon] Tester [D-Montana], Steve Daines [R-Montana], and members from both sides of the aisle and chambers are supporting legislation to stop the Rule 41 changes that would increase the FBI's use of hacking. The Clinton campaign has also recently adopted secure technologies to keep hackers out. It is clear that Washington is starting to pay attention."

Read Access Now's full report on the human rights violations that come from government-sponsored hacking here.

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

29 responses to “Is Cyber Privacy and Security a Human Right? Should It Be?

  1. But the debate over government hacking?to the extent that such a debate is publicly occurring?seems to revolve around government officials declaring that it’s all used to keep us safe from terrorists, drug traffickers, and child pornographers

    And we all know there’s an exception for terrorists, drug traffickers, and child pornographers right there in the Constitution for all to see.

  2. Is Cyber Privacy and Security a Human Right? Should It Be?
    Group lists safeguards governments should follow before hacking citizens.

    Well, privacy is arguably a human right. If we’re going to call out subgroups and various substrate and declare each permutation having a special, dedicated and enumerated right, the we’re missing the point.

    By the way, I believe the whole installation of malware has been going on for a long time. Wasn’t the CIA or the NSA setting up shell companies which had innocuous looking ‘adware’ that would install tracking cookies and what not?

    1. “Well, privacy is arguably a human right. If we’re going to call out subgroups and various substrate and declare each permutation having a special, dedicated and enumerated right, the we’re missing the point.”

      This.
      I have an innate, unalienable right to keep private that which I choose and take actions to keep it that way.
      If we’re to say ‘so and so has that right, but the other guy doesn’t, we’ve now accepted that the gov’t grants those rights.
      No thanks.

      1. If we’re to say ‘so and so has that right, but the other guy doesn’t, we’ve now accepted that the gov’t grants those rights.

        The issue isn’t that ‘so and so has that right, but the other guy doesn’t’, the issue is that I have a right to privacy does that right extend to keeping you ignorant?

        It should be clear that, in any case, the government shouldn’t have them or should have them the least.

        As Ken Schultz points out below, the law won’t save us from our fellow countrymen.

    2. Wasn’t the CIA or the NSA setting up shell companies which had innocuous looking ‘adware’ that would install tracking cookies and what not?

      It wouldn’t surprise me in the least. Nothing these fuckers do surprises me anymore.

  3. I certainly hope we elect the civil libertarian of the two candidates for president to reverse this trend.

    1. Well one of them has consistently voted to violate peoples’ privacy under a rapidly spreading blanket of flimsy crime and terrorism-prevention pretexts.

      The other one, when asked about privacy versus security said “Those people, you know, you never know what they’re doing. They work on their computers and want to kill people, and you have to open their computers and look inside to see. But you can’t just do that, right? You can’t just go on the computers. I talked to Bill Gates, who said. Bill said I was really wonderful about computers. He said ‘Mr. Trump, we need to be able to turn off the internet when the bad guys are hurting people.’ Can you imagine that? He said we need to go in and turn them off so the bad guys can’t hurt America.”

      So I think the choice is pretty clear.

      1. I think the choice is pretty clear

        Whiskey?

          1. I gotta make some mead again. It’s the one thing really worth making, because you can’t buy dry mead anywhere.

      2. I think the choice is pretty clear.

        Paint the walls with your brain?

      3. He wants to make spyware great again.

  4. I’m sure the FBI would not request a warrant to infect the computers of those who are connected to a website which hosted comments that threatened the life of a federal judge.

    1. I’m sure the FBI knows exactly how much porn I watch and of what type. Why my door hasn’t been kicked in is a complete mystery to me.

      1. The Feds are waiting until they get their gross of nitrile gloves and Tyvek suits.

        1. Don’t worry, as soon as they start picking through Paul’s house, those gloves will get gross plenty quick.

  5. Group lists safeguards governments should follow before hacking citizens.

    Hm…

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. – 4A, US Constitution.

    Seems to be all inclusive. No search or seizure without at warrant.

    1. Go into any airport in the United States and see how far the 4th Amendment gets you.

      1. Unless you happen to own the Branson airport, technically, you’re getting into the issue of how far does the 4th Am. get *you* in “my” airport.

        1. TSA are all fed gov employees and the searches are covered by federal law. I understand your point but i don’t think it applies here.

  6. Why would you have a problem with the state intruding into every aspect of your life? You don’t have anything to hide, do you? DO YOU?

  7. The only reason the government didn’t do mass surveillance in the past was because it was technologically and financially impossible. Once the technology and cost of storage, processors, etc. made it viable to do mass surveillance at a cheap enough price point, mass surveillance is what they started to do.

    It worked that way with the founding of this country, too. Many of the colonists came here because it was logistically and financially prohibitive for the Crown to micromanage their lives from across the Atlantic. When the British let us go, it wasn’t because of our military might. It was because it was too difficult and expensive to keep us under their thumb.

    Where I’m going with this is where C.S. Lewis’ “The Abolition of Man” and Evgeny Morozov’s The Net Delusion: The Dark Side of Internet Freedom went before me.

    Technology is an amoral tool. The radio could be used by educators to inform or it could be used by fascists to propagandize. Facebook can be used to organize peaceful protests against vicious dictators, or it can be used by vicious dictators to track previously unknown dissidents.

    Technology is no substitute for a people with minds and morals devoted to freedom, and the law isn’t a substitute for people with minds and morals devoted to freedom either.

    1. I’ll support most any law that protects our rights and freedoms from abuse by government, but, ultimately, the law won’t save us from our fellow countrymen if they just don’t give a damn about our rights and freedoms. That’s why I give money to Reason–over the long run, getting to people’s hearts and minds, that’s our only hope.

  8. Is Cyber Privacy and Security a Human Right? Should It Be?

    I think its probably better to stop thinking about “rights” when it comes to one’s online-existence.

    Its pointless. and the implication of doing so is that we need ‘more government’ to secure those rights, which ends up expanding government inadvertently. Now they have a mandate to “protect” people online; well soon we’ll need an “Office of Civil Rights” for Internet Affairs, and i can’t see any harm in that, can you?

    I’m not sure that putting a ‘presumptive prohibition’ on Govt hacking would actually stop them anyway. There’s lots of things that our laws are supposed to prevent govt from doing, and they do it anyway. Most of the reason why is that people come to simply accept that power.

    I’d prefer that Govt just get out of the way of consumer encryption, and allow individuals to choose (and control) how much security they *want*, and allow companies to provide products and services offering ‘more privacy’.

  9. The Clinton campaign has also recently adopted secure technologies to keep hackers out.

    Huh… I wonder why?

    1. At this point what difference does it make?

      /maybe only half-serious

  10. Well in some ways cyber privacy and security are kinda inalienable rights, in that govts always gonna be lagging behind “society”. Maybe the government could make it impractical for casual users (people with nothing to hide anyways) but the really determined bad actors are gonna do what they’re gonna do, and committing crimes has always been and will always be much easier than stopping them (the criminal gets the first move). As I’ve mentioned in other posts too, as the speed of technological progress accelerateas, he gap only gets bigger. But hopefully we can make sure only the smartest, most determined criminals succeed I guess.

  11. So Rule 41 isn’t like Rule 34?

Please to post comments

Comments are closed.