The FBI’s assistant executive director for science and technology has stated that the FBI does indeed exploit zero-day vulnerabilities in software and use stingrays to catch suspects.
Amy Hess, who heads up the agency’s Operational Technology Division and the use of technology in investigations, made the admission in a profile published today by the Washington Post.
A zero-day is vulnerability in software that has yet to be exploited and the software’s maker may not even be aware of it yet. It potentially provides a unique opportunity to infiltrate a piece of software and its users.
Hess said that hacking computers is not the FBI’s preferred method, as tech companies generally patch zero-days rather quickly once they are made aware of them. “It clearly is not reliable,” she explained.
On the matter of stingrays, which mimic cell towers for intercepting phone communications, Hess said the FBI has not shied away from using the technology but has challenged the disclosure of how the technology, or “engineering schematics,” works.
The bureau has long been suspected of using these techniques and cases surrounding the use of stingrays have been well-documented but Hess’ admission lends a little more credence to many privacy and security concerns. Other agencies like the IRS have been embroiled in stingray controversies in the past, too.
In its profile of Hess, the Washington Post also spoke with Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), and frequent critic of stingrays and surveillance technology.
“All of the most interesting and troubling stuff that the FBI does happens under Amy Hess,” he said, adding that her division carries out operations with or without warrants.
Organizations like the ACLU have been strong proponents of greater transparency in the use of stingrays and the need for warrants to justify them.
In October, the Department of Homeland Security announced that agents will need warrants moving forward to use the devices. Meanwhile, one DHS agent admitted during a hearing that the Secret Service had used stingrays as well.
The stricter rules from DHS, which now compel agents to obtain warrants, have generally been welcomed by the ACLU, but are still considered far from ideal.
“The biggest problem is that it doesn’t always require the government to get a warrant, or delete the data of innocent bystanders swept up in the electronic dragnet,” said Neema Singh Guliani, an ACLU attorney at the time.