We’re Suing the Government to Learn Its Rules for When It Hacks Into People’s Devices

Hacking by the government raises grave privacy concerns, creating surveillance possibilities that were previously the stuff of science fiction. It also poses a security risk, because hacking takes advantage of unpatched vulnerabilities in our devices and software.

By hacking into a phone, laptop, or other device, federal agents can obtain all kinds of sensitive, confidential information. They can even activate a device’s camera and microphone, log keystrokes, or otherwise hijack a device’s functions. Often, users are completely unaware that they are being surveilled.

Given the serious issues at stake, the public has a right to know the nature and extent of the government’s hacking activities and, importantly, the rules that govern these powerful surveillance tools. But so far, most of what we know is based on scattered news accounts.

That’s why on Friday, the ACLU, Privacy International, and the University at Buffalo Law School’s Civil Liberties & Transparency Clinic filed a Freedom of Information Act lawsuit demanding disclosure of basic information about government hacking. We’re suing seven federal criminal and immigration enforcement agencies, including the FBI, Immigration and Customs Enforcement, and the Drug Enforcement Administration.

The lawsuit demands that the agencies disclose which hacking tools and methods they use, how often they use them, the legal basis for employing these methods, and any internal rules that govern them. We are also seeking any internal audits or investigations related to their use.

The little that we do know about government hacking is very troubling. In one case, the government commandeered an internet hosting service in order to set up a “watering hole” attack that may have spread malware to many innocent people who visited websites on the server. In another case, an FBI agent investigating fake bomb threats impersonated an Associated Press reporter in order to deploy malware on a suspect’s computer. The agent, posing as a reporter, created a fake story and sent a link to the story to a high school student. When the student visited the website, it implanted malware on his computer in order to report back identifying information to the FBI.

Recent news stories suggest that the FBI is deploying these techniques for investigating increasingly ordinary crimes. Motherboard reported last month that the bureau impersonated FedEx and created malware-laden Word documents and images in order to investigate an internet scammer, likely the one who allegedly defrauded the Wegmans supermarket chain on seafood orders.

We also know that the federal government has spent big sums on hacking tools and services. The DEA has reportedly spent almost $1 million on remote hacking technology sold by Hacking Team, an Italian surveillance technology company.

Without an understanding of what the government is doing — and what rules it follows — it is impossible for the public to meaningfully determine whether and when the government should engage in hacking, whether the government is collecting excessive information about the people it surveils, and how investigators handle innocent bystanders’ information. It is also impossible to determine how the government’s hacking impacts cybersecurity for everyone using the internet.

Our lawsuit is meant to shine a light on these activities and to hold government accountable, allowing meaningful public deliberations about activities that profoundly affect people’s rights and liberties.

Sign up for the ACLU’s Best Reads and get our finest content from the week delivered to your inbox every Saturday.

View comments (7)
Read the Terms of Use

Ms. Gloria Anasyrma

I thought all of this government hacking was a thing of the past since that darling Mr. Snowden made his disclosures.


The technology is so advanced, there is absolutely no reason for not obtaining a "judicial warrant" via the internet. Many courthouses have cutting edge technology also. Judicial Warrants don't interfere with legitimate constitutionally legal investigations. Judicial Warrants may actually result in decreasing crime, since police and investigstors are focusing more on evidence-based cases. Maybe the most important part of a Judicial Warrant is that the police officer or prosecutor has a healthy "risk" of legal penalty for lying or embellishing the truth when asking permission from the magistrate judge.


If the U.S. Supreme Court doesn't provide sufficient Judicial Review over Executive Branch agencies and private networks like Facebook, there is a high likelihood that it could adversely affect the private technology companies - like Apple or Amazon. For privacy and security reasons, consumers may prefer to carry multiple devices instead of all-in-one devices. Consumers may want a cell phone without a computer and carry a separate GPS device or a separate weather radio. Three separate devices would be safer than an all-in-one device, where a hacker could do less harm. Consumers pay a high price when the U.S. Supreme Court won't protect them.


In the late 1990's there was a movie titled "Enemy of The State" starring Gene Hackman and Will Smith. The movie essentially warned that a small-scale coup (with blood) between co-equal branches of the federal government (if the U.S. Supreme Court and Congress didn't provide strong checks & balances on Executive Branch agencies. The one honest U.S. Senator that resisted was assassinated by his co-equal branch of government. At the time this movie seemed like high science fiction. In 2018 we know the danger of this type of small-scale coup - grabbing power through extrajudicial means - is not only possible but likely.


What is really bad, as I understand it, the use of anonymizing technology, such as TOR, is considered by the FBI to be cause enough for the user to be hacked and surveilled. Even worse, a court allowed them to do it.


I am against the use of TOR in our airports big time. I’m currently striped if both my citizenship statuses i’ve become highly anxious about all borders airports are terrifying for those of us that know what immigrant status being stripped from them means Having no been an American for thirty years and today if i was made to leave this country i wouldn’t be eligible to return here. I wouldn’t be allowed to live there . Being a person who brought a large amount of income into both countries in my life and being a month the many white english speaking people given incentive programs to become USA citizen in the 1980s i’ve been humiliated asked about my citizenship status three times last week by certain friends i now will not let through my gate. I now no that like the Japanese Americans in detention through WW 11 here than many friendships are no longer existent when someone who considers themselves a “ Resl American”. can denigrate a loving history due to misinformed biases. There is evil consequences and no need to promote any technology that can degrade as and demean is any more than we are demeaned by our fellow in thursday’s white american towns that are basically run by mobs from Churches designed in antiquity. Today I couldn’t leave my home for fear as i live by a State organization and in both countries a person like me white with a dialect I need to just open my mouth in the wrong way and the local sheriffs can tear me dow put me in a cell with no rights no attorney and no visits allowed. tonlesve my country USA and return to my home land i’d bel allianz status in both of my homelands. Where will privacy be? We are a population of immigrants. Not one of my friends could understand why i just stayed home. Furloughed.


Is there a followup on this lawsuit?

Stay Informed