Law Enforcement Using and Disclosing Technology Vulnerabilities Page: 2 of 18
The following text was automatically extracted from the image on this page using optical character recognition software:
Law Enforcement Using and Disclosing Technology Vulnerabilities
There has been increased discussion about law enforcement legally "hacking" and accessing
certain information about or on devices or servers. Law enforcement has explored various
avenues to discover and exploit vulnerabilities in technology so it may attempt to uncover
information relevant to a case that might otherwise be inaccessible. For instance, as people have
adopted tools to conceal their physical locations and anonymize their online activities, law
enforcement reports that it has become more difficult to locate bad actors and attribute certain
malicious activity to specific persons. As a result, officials have debated the best means to obtain
information that may be beneficial to the administration of justice. Exploiting vulnerabilities is
one such tool.
Law enforcement's use of tools that take advantage of technology vulnerabilities has evolved
over the years. The first reported instances of law enforcement hacking involved authorities using
keylogging programs to obtain encryption keys and subsequent access to devices. More recently,
law enforcement has been relying on specially designed exploits, or network investigative
techniques (NITs), to bypass anonymity protections of certain software. In addition, investigators
have leveraged vulnerabilities discovered in software designed to encrypt or otherwise secure
data and limit access to information.
In exploiting vulnerabilities, law enforcement may leverage previously known vulnerabilities that
have not yet been patched. Alternatively, it may develop tools to detect and take advantage of
previously unknown and undisclosed vulnerabilities. It is law enforcement's use and disclosure of
these previously unknown vulnerabilities that has become the subject of some debate.
The Obama Administration established a process, known as the Vulnerabilities Equities Process
(VEP), to help decide whether or not to disclose information about newly discovered
vulnerabilities. The VEP is triggered whenever a federal government entity, including law
enforcement, discovers or obtains a new hardware or software vulnerability. The discussion on
whether the government, and law enforcement, should generally retain or disclose discovered
vulnerabilities lacks a number of data points that may help inform the conversation. For example,
in what number or proportion of cases does law enforcement leverage technology vulnerabilities
to obtain evidence? Are there tools other than vulnerability exploits or NITs that law enforcement
can use to obtain the same evidence, and how often are those tools utilized?
Congress may examine a range of policy issues related to law enforcement using and disclosing
vulnerabilities. For example, how does law enforcement's ability to lawfully hack, or exploit
vulnerabilities, influence the current debate surrounding whether law enforcement is "going
dark," or being outpaced by technology? In addition, how does law enforcement acquire the
knowledge of vulnerabilities and associated exploits? Might law enforcement consider
establishing its own (or supporting others') reward programs in order to gain knowledge of
vulnerabilities or exploits? Given the current VEP framework, is it the most effective method for
law enforcement to use in determining whether to share vulnerability information with the
technology industry, and how might law enforcement share such information with their
multilateral law enforcement partners?
Congressional Research Service
Here’s what’s next.
This report can be searched. Note: Results may vary based on the legibility of text within the document.
Tools / Downloads
Get a copy of this page or view the extracted text.
Citing and Sharing
Basic information for referencing this web page. We also provide extended guidance on usage rights, references, copying or embedding.
Reference the current page of this Report.
Finklea, Kristin. Law Enforcement Using and Disclosing Technology Vulnerabilities, report, April 26, 2017; Washington D.C.. (https://digital.library.unt.edu/ark:/67531/metadc1042551/m1/2/: accessed May 26, 2019), University of North Texas Libraries, Digital Library, https://digital.library.unt.edu; crediting UNT Libraries Government Documents Department.