Thursday, September 18, 2014

Zero Days

Zero-day vulnerabilities are software bugs the vendor is not yet aware of, so no patch exists for them. The "valuable" ones (for a particular definition of valuable...) are bugs that can be leveraged to give the attacker privileged access on a computer, which can then be used to install keyloggers and the like. Exploits for zero days are often bought and sold, and there is debate about whether the government does, or even can, use them in counterterrorism surveillance.

If we set aside the "does the government use them?" question and focus on "can they?", one statute that might offer an answer is the Computer Fraud and Abuse Act, 18 USC §1030(f). That subsection exempts authorized government investigations from the Act's prohibitions on hacking. It states, "This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States." That is pretty wide ranging: "any lawfully authorized" covers a lot of ground. Note the wording, though. §1030(f) only says that the CFAA itself does not prohibit such activity; it does not grant any authority on its own, so the "lawful authorization" has to come from somewhere else, such as a warrant or another statute.

Is exploiting zero days lawfully authorized? I think that no matter what steps the actual exploit takes, the government might argue it is covered as "lawfully authorized activity" if it is part of an ongoing investigation. That leaves harder questions. Is keeping knowledge of a zero day from the software vendor, so that an agency can continue exploiting it, allowed? Is there a duty to disclose the bug so that others don't also exploit it? And is the purchase of zero-day exploits itself covered as "lawfully authorized activity"?

There is a law review article, 50 A.F. L. Rev. 135, Defensive Information Operations and Domestic Law: Limitations on Government Investigative Techniques, from 2001, which addresses §1030(f) in the context of government operations.