Big Brother Is Getting More Tech-Savvy — Here’s How to Fight Its Next Hack

In 2017, Apple received 8,929 demands for user information from the government. Google received 32,877. These are just a fraction of the demands made public and may not include one potential government surveillance tool: forcing software developers to install malicious software updates on individual users’ devices to potentially bypass passcodes and encryption, turn on cameras and microphones, or track someone’s location.

Whether you know it or not, you are almost certainly updating software regularly on your computer or mobile phone. Seamless software updates are one of the most important successes in improving cybersecurity in recent years. Updates fix vulnerabilities and make individual systems more secure, and therefore strengthen the entire digital ecosystem, which is only as strong as its weakest link. But they only work if users install them.

If users lose trust in software updates due to fears that the government is using them to break into devices, vulnerabilities won’t be patched. This will endanger entire networks and leave them vulnerable to cyber attacks.

Software developers are users’ first line of defense against unlawful government encroachment into their devices. It’s a challenging responsibility, but one that is critical to the integrity of the digital ecosystem and the privacy of users within it. That’s why, as law students in the NYU Technology Law & Policy Clinic, we have worked with the ACLU to put together a guide for software developers on how to make informed decisions about protecting the integrity of software update channels, both legally and technically.

Our Full Guide For Software Makers is Here

One way to conceptualize the software update system is by thinking of them like immunizations. Like immunizations, people need to trust updates to get updates. But when the CIA organized a fake vaccination drive in Pakistan to collect DNA samples to help its search for Osama Bin Laden, the operation compromised many Pakistanis’ trust in public health workers. A crackdown followed, with global health organizations under suspicion, some medical workers murdered, and cases of polio surging. The lack of trust resulted in the spread of preventable diseases, just like a lack of faith in software updates will spread computer viruses. (The CIA appears to have learned its lesson, saying that it will not use vaccination drives for covert operations again.)

The chances of tech companies receiving a government order to build malicious software updates are very real, and they are likely growing. Many of the government’s surveillance demands come with a non-disclosure requirement, meaning that companies are forbidden from revealing the mere existence of the demands — and even if they could, they may not get the national attention that Apple’s refusal to comply with a government order received following the San Bernardino shooting.

While there has been little public documentation that this method being used, it is technically feasible for most applications and programs, and it is in line with government’s practice of seeking third-party assistance in other surveillance contexts. Also, in light of companies closing technological loopholes through improved security, law enforcement continues to search for alternate vulnerabilities to exploit. As other backdoors in encrypted devices are closed, the software update system will be an increasingly appealing option to law enforcement. This presents many dangers, including serious privacy and cybersecurity concerns.

While the government may justify these tactics by citing national security and overblown fears that improved encryption will lock law enforcement out of electronic devices, these concerns are often overstated. Despite the technology industry’s best efforts to maintain information privacy and security, law enforcement has access to more information about us as our social interactions have become increasingly mediated by technology. Text messages, online chats, social media posts, and more can all be accessed by law enforcement during an investigation.

Software makers should not wait to receive this type of novel software update in order to think about how to respond, and our new guide for tech companies and software developers includes detailed tips on how to prepare. One way is to implement privacy-minded technical designs that limit the possibilities of what can be done — even with a government order. Another is to plan for what to do if something like this happens, and to talk to an attorney about options for fighting back.

Technology has given the government more surveillance power than ever before. It's imperative that we not let law enforcement further compromise our privacy and security by letting it misuse a feature as critical as the software update system.

View comments (10)
Read the Terms of Use

Dr. Timothy Leary

Give up America, the age of electronic enslavement is here. Someday soon the government will control you like a marionette.

Dr. Jacob Taylor

No need to troll. If you feel hopeless, you're at the right site to get involved, whether with your time or money.
If that's not enough for you, then there's no need to be a detractor -- go to another site to be a Negative-Nancy.

Dr. Timothy Leary

Dr. Taylor, "You can't handle the truth": Col. Nathan R. Jessop.

Col. Nathan R. ...

Dr. Leary, we live in a world that has phones, and those phones have to be guarded by regular updates. Who's gonna do it? You? You, Dr. Taylor? Technology companies have a greater responsibility than you can possibly fathom. You weep that you have to press update button, and you curse the companies. You have that luxury. You have the luxury of not knowing what I know -- that the update prompts, while annoying, probably saved people’s data; and the update prompt’s existence, while grotesque and incomprehensible to you, saves peoples data.

Eds

Your truth is not necessarily THE truth. c.f., Kellyanne Conway and “ alternate facts”

Anonymous

thanks

FBI agents comm...

Solution: More lawsuits, more Supreme Court rulings, and Congress getting their head out of their *** would be a good place to start. Most Americans do not support corrupt Executive Branch officials running around doing whatever they want. Contrary to law enforcement's belief, there is not a criminal hiding in everyone's closet. Perhaps they should look in the mirror.

Anonymous

I found the article very interesting and our privacy needs to be protected. Excellent.

Steve Knox

I am the victim poster boy for all of this...netstat on my machine brings up every one of their sorry not willing to admit mistakes addresses.

Mark Robinson

The technology is being advanced day by day and the use of it is also on the rise and the effect of this can be seen by us that hoe the things have been changed.
Google support is also concerned thinks that every big organization which is dealing with technology has to be responsible and have to maintain the dignity which does not harm the normal users.

Stay Informed