Law Enforcement Using and Disclosing Technology Vulnerabilities Page: 4 of 18
The following text was automatically extracted from the image on this page using optical character recognition software:
Law Enforcement Using and Disclosing Technology Vulnerabilities
There has been increased discussion about law enforcement legally "hacking" and accessing
certain information on or about devices or servers. Officials conduct this hacking as part of
criminal investigations and takedowns of websites that host illicit content or facilitate
illegal activity. There have been reports of such hacking for more than a decade.'
Over the years, law enforcement has explored various avenues to discover and exploit
vulnerabilities in technology so it may attempt to uncover information relevant to a case that
might otherwise be inaccessible. For instance, as people have adopted tools to conceal their
physical locations and anonymize their online activities, law enforcement reports that it has
become more difficult to locate bad actors and attribute certain malicious activity to specific
persons. As a result, officials have debated the best route to access information that may be
beneficial to the administration of justice. Exploiting vulnerabilities is one such tool.
In exploiting vulnerabilities, law enforcement Relevant Terms
may take one of two broad paths to gain access
to devices and information. It may rely upon Defining several terms may help facilitate the current
discussion surrounding law enforcement's use and
known vulnerabilities that have not yet been disclosure of vulnerabilities in technology:
patched, or it may develop tools to detect and Encryption: a process to secure information by
use previously unknown and undisclosed converting it from a state that can be read to that which
vulnerabilities (or otherwise acquire exploits cannot be read without a "key."2
for these zero-day vulnerabilities) that it can Exploit: software, malware, or commands that can be
then leverage.6 used to take advantage of vulnerabilities in technology.3
Malware: "malicious software" such as a worm, virus,
Law enforcement's use of previously unknown trojan, or spyware designed to take advantage of
vulnerabilities has become the subject of some technology vulnerabilities or make changes to the
debate. Policymakers have questioned law normal operation of a device without the owner's
enforcement practices for maintaining versus knowledge.
disclosing these vulnerabilities. They have also Network investigative technique (NIT): law
questioned how maintaining or disclosing enforcement's term for a specially designed exploit or
malware engineered to take advantage of a specific
vulnerabilities may impact security- technology vulnerability.4
information security, public safety, and Vulnerability: a security hole or weakness in hardware,
homeland security alike. This has opened a software, or firmware that can leave it open to
broader debate about whether law enforcement becoming compromised.
should disclose vulnerabilities and whether Zero-day vulnerability: a vulnerability "that is yet
there should be rules for law enforcement unknown to the software maker or to antivirus vendors.
behavior in this arena. This means the vulnerability is also not yet publicly
known.... The term 'zero-day' refers to the number of
This report provides background on law days that the software vendor has known about the
enforcement's use of technology hole."5
vulnerabilities in criminal investigations. It
1 Kevin Poulsen, "FBI Admits It Controlled Tor Servers Behind Mass Malware Attack," Wired.com, September 13,
2 For a technical explanation of encryption, see CRS Report R44642, Encryption: Frequently Asked Questions.
3 For more information about exploits and vulnerabilities, see Internet Corporation for Assigned Names and Numbers,
Threats, Vulnerabilities, and Exploits - Oh My!, August 10, 2015.
4 Kevin Poulsen, "Visit The Wrong Website and The FBI Could End Up In Your Computer," Wired, August 5, 2014.
5 Kim Zetter, "Hacker Lexicon: What is a Zero Day?," Wired, November 11, 2014.
6 Ahmed Ghappour, "Is the FBI Using Zero-Days in Criminal Investigations?," Just Security, November 17, 2015.
Congressional Research Service
Here’s what’s next.
This report can be searched. Note: Results may vary based on the legibility of text within the document.
Tools / Downloads
Get a copy of this page or view the extracted text.
Citing and Sharing
Basic information for referencing this web page. We also provide extended guidance on usage rights, references, copying or embedding.
Reference the current page of this Report.
Finklea, Kristin. Law Enforcement Using and Disclosing Technology Vulnerabilities, report, April 26, 2017; Washington D.C.. (https://digital.library.unt.edu/ark:/67531/metadc1042551/m1/4/: accessed May 27, 2019), University of North Texas Libraries, Digital Library, https://digital.library.unt.edu; crediting UNT Libraries Government Documents Department.