LAWFUL HACKING – TECHNICAL ISSUES IN LAW

Authors

  • Milana Mirko Pisaric University of Novi Sad

Keywords:

digital evidence, digital investigation, police hacking, lawful hacking

Abstract

Purpose

Since legislators in several countries have introduced in recent years necessary amendments in criminal procedure rules, the purpose of the paper is to consider regulatory framework for lawful hacking as a new digital investigative measure, i.e. the power of LEA to secretly and remotely access computer device or network in order to gather digital evidence.

Design/Methods/Approach

Because police hacking powers vary considerably by jurisdiction, with various functionalities and scopes, but also with the way the law regulated important technical issues, the author analyzes normative framework, using comparative legal method. Based on the legislative provisions, the author discusses how technical means and techniques used by law enforcement agencies are represented in the legislation.

Findings

The integrity of the digital evidence, extracted from the target’s device/network after hacking, may be maintained only if several technical issues are properly addressed in law: which exploits are to be used as necessary and preferable, should LEA be obliged to disclose vulnerabilities; should LEA purchase or develop in-house hacking tools; in which manner the hacking tools need to be secured, and in line with which state-of-the-art guidelines; should automatized hacking operations, such as drive-by-downloads or water-holing, be allowed, etc.

Originality/Value

After using comparative and normative method, the author suggests policies by which any potential damage for data security and privacy could be limited, when regulating and enforcing norms for lawful hacking.  In this sense the author gives concrete de lege ferenda proposals.

 

References

­ ACLU Foundation, Electronic Frontier Foundation, National Association of Criminal Defense Lawyers (2017) Challenging government hacking in criminal cases, Downloaded June 16, 2022 https://www.aclu.org/sites/default/files/field_document/malware_guide_3-30-17-v2.pdf;
­ Bell, C. (2018). Surveillance Technology and Graymail in Domestic Criminal Prosecutions, Georgetown Journal of Law & Public Policy, 16(2), 537-558;
­ Bellovin, S.M., Blaze, M., Clark, S. & Landau, S. (2014). Lawful hacking: Using existing vulnerabilities for wiretapping on the Internet, Northwestern Journal of Technology and Intellectual Property, 12(1), 1-64;
­ Besluit van 28 september 2018, houdende regels over de uitoefening van de bevoegdheid tot het binnendringen in een geautomatiseerd werk en het al dan niet met een technisch hulpmiddel onderzoek doen als bedoeld in de artikelen 126nba, eerste lid, 126uba, eerste lid, en 126zpa, eerste lid van het Wetboek van Strafvordering (Besluit onderzoek in een geautomatiseerd werk), Staatsblad 2018, 340, https://zoek.officielebekendmakingen.nl/stb-2018-340.html;
­ Daniel, M. (2014) Heartbleed: Understanding When We Disclose Cyber Vulnerabilities, Downloaded June 1, 2022 https://nsarchive.gwu.edu/document/17627-white-house-heartbleed-understanding-when-we;
­ European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs (2017)
­ Gesetz zur Effektiveren und Praxistauglicheren Ausgestaltung des Strafverfahrens vom 17. Avgust 2017, BGBI. I 2017 Nr. 58 23.8.2017, S. 3206, https://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&start=//*%5B@attr_id=%27bgbl117s3202.pdf%27%5D#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl117s3202.pdf%27%5D__1655289087690;
­ Horsman, G. (2019). Tool testing and reliability issues in the field of digital forensics, Digital Investigation, 28 (4), 163-175
­ Kaleigh E. Aucoin, K. (2018). The Spider’s Parlor: Government Malware on the Dark Web, Hastings Law Journal, 69(5), 1433-1469;
­ Legal Frameworks for Hacking by Law Enforcement: Identification, Evaluation and Comparison of Practices, Downloaded June 16, 2022 https://www.europarl.europa.eu/RegData/etudes/STUD/2017/583137/IPOL_STU(2017)583137_EN.pdf;
­ Ohm P. (2017). The Investigative Dynamics of the Use of Malware by Law Enforcement, William & Mary Bill of Rights Journal, 26(2), 303-335;
­ Pfefferkorn, R. (2018) Security Risks of Government Hacking, Downloaded May 15, 2022 http://cyberlaw.stanford.edu/publications/security-risks-government-hacking;
­ Pisarić, M. (2020a). Encryption as a Challenge for European Law Enforcement Agencies, In: Thematic conference proceedings of international significance/International Scientific Conference "Archibald Reiss Days", Belgrade, 18-19 November 2020, Belgrade, University of Criminal Investigation and Police Studies, 611-619;
­ Pisarić, M. (2020b). Enkripcija kao prepreka otkrivanјu i dokazivanјu krivičnih dela, Zbornik radova Pravnog fakulteta u Novom Sadu, 54 (3), pp. 1079-1100;
­ Pisarić, M. (2021). Enkripcija mobilnog telefona kao prepreka otkrivanјu i dokazivanјu krivičnih dela – osvrt na uporedna rešenјa, Anali Pravnog fakulteta u Beogradu, 69 (2), 415-422;
­ Pisarić M. (2022). Communications encryption as an investigative obstacle, Revija za kriminologiju i krivično pravo, 60 (1), 61-74;
­ Antis, S. (2021). Government procurement law and hacking technology: The role of public contracting in regulating an invisible market, Computer Law & Security Review, 41, 1-16;
­ Quinlan S., Wilson A. (2016) A Brief History of Law Enforcement Hacking in the United States Downloaded May 10, 2022 https://www.newamerica.org/cybersecurity-initiative/policy-papers/brief-history-law-enforcement-hacking-united-states/
­ Standardisierende Leistungsbeschreibung für Software zur Durchführung von Maßnahmen der QuellenTelekommunikationsüberwachung und der OnlineDurchsuchung, 2018, https://www.bka.de/SharedDocs/Downloads/DE/Sonstiges/standardisierendeLeistungsbeschreibungQuellenTKUE.html?nn=51828&cms_dlConfirm=true;
­ Strafprozeßordnung in der Fassung der Bekanntmachung vom 7. April 1987 (BGBl. I S. 1074, 1319), die zuletzt durch Artikel 2 des Gesetzes vom 25. März 2022 (BGBl. I S. 571) geändert worden ist, https://www.gesetze-im-internet.de/stpo/BJNR006290950.html;
­ Wet van 27 juni 2018 tot wijziging van het Wetboek van Strafrecht en het Wetboek van Strafvordering in verband met de verbetering en versterking van de opsporing en vervolging van computercriminaliteit (computercriminaliteit III), Staatsblad 2018, 322, https://zoek.officielebekendmakingen.nl/stb-2018-322.html;
­ Wetboek van Strafvordering, https://wetten.overheid.nl/BWBR0001903/2022-01-01;
­ Bergman, R., Mazzetti, M. (2022, January 28). The Battle for the World’s Most Powerful Cyberweapon. New York Times, Accessed on January 31, 2022 https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html;
­ Kaeten, J. (2021, August 12). UN experts call for more rules on countries’ use of spyware. Associated Press. Accessed on January 15, 2022 https://apnews.com/article/technology-united-nations-spyware-e1bfa1f8242f39da856fc0a8bf2793aa;
­ Martyr, K. (2020, October 14). Police carry out raids linked to German spyware firm FinFisher. Deutsche Welle. Accessed on January 15, 2022 https://www.dw.com/en/police-carry-out-raids-linked-to-german-spyware-firm-finfisher/a-55270507;
­ Herpig, S. (2018). A Framework for Government Hacking in Criminal Investigations, Downloaded April 202 https://www.stiftung-nv.de/sites/default/files/framework_for_government_hacking_in_criminal_investigations.pdf

Downloads

Published

2023-04-04

Issue

Vol. 12 No. / (2022): CONFERENCE PROCEEDINGS OF INTERNATIONAL SIGNIFICANCE

Section

Natural and Applied Sciences in Forensics, Cybercrime and Security