December 20, 2022

Wyden Calls for Transparency on Government Hacking of Americans’ Devices

Wyden Requests FBI Policies, Legal Justifications for Use of Malware Made by NSO and Other Foreign Hacking Tools, Statistics on How Many Devices and People Are Hacked Annually

Washington, D.C.U.S. Sen. Ron Wyden, D-Ore., requested basic transparency about the frequency of government hacking and legal justifications for use of hacking methods, including the possible use of foreign malware, in a letter to FBI Director Chris Wray. 

Earlier this year, the New York Times reported that the FBI seriously considered using a controversial hacking tool made by the foreign spyware firm NSO Group, and revealed that fact months after it claimed it only reviewed NSO’s tool for defensive purposes. However, the FBI continues to refuse to tell the public why it declined to use NSO’s hacking tool, or whether there are any legal barriers to using it in the future. Even today, the FBI has not made public any agency policy governing its hacking of Americans, using other tools. The FBI does not publish statistics detailing how frequently the agency hacks Americans’ phones and computers, even though similar statistics for wiretaps and other surveillance techniques are made available to Congress, the press, and the American public.

“The American people have a right to know the scale of the FBI’s hacking activities and the rules that govern the use of this controversial surveillance technique,” Wyden wrote. “Judges must have the information they need to carefully review the FBI’s remote search applications, particularly in cases where the FBI intends to engage in bulk remote searches against hundreds, or thousands of targets at a time.”

In particular, Wyden asked whether the FBI warned the State Department about NSO’s software. NSO’s Pegasus tool was later reportedly used to hack the phones of State Department employees overseas. 

As a senior member of the Senate Intelligence Committee, Wyden has long fought against “secret law,” the notion that the government can hide legal justifications for surveillance - as opposed to sources and methods - from the American people. 

Wyden asked for responses to the following questions by January 27, 2023:  

1. In each of the last three years, in how many operations has the FBI used Network Investigative Techniques, how many were court-authorized, and how many individuals, devices, and accounts were searched remotely by the FBI? 

2. After acquiring software from the NSO Group, did the FBI submit to the Vulnerabilities Equities Process the specific software exploits used by the NSO Group’s software? If not, please explain why.

3. According to media reports, the NSO Group’s software was discovered on devices used by State Department employees working overseas. Has the FBI ever alerted other U.S. government agencies about the specific vulnerabilities that the NSO Group’s software exploits or provided those agencies with malware signatures for the NSO Group’s software, so those agencies could defend their personnel from foreign government hacking? If not, please explain why.

4. Why did the FBI decide not to use the NSO Group’s software to support its investigations? 

5. Was a legal determination made that would preclude the FBI’s future use of NSO or similar tools?

6. If the FBI determined that the NSO Group’s software posed a national security threat, please explain how the FBI will assess other surveillance technology vendors to determine if they pose the same threat.

7. To date, has the FBI ever delivered Network Investigative Techniques to or otherwise conducted a remote search of the wrong person, account or device? If yes, what corrective action did the FBI take, including notifying the court that originally authorized the remote search operation?

8. The DOJ OIG’s 2016 report on the FBI’s impersonation of the Associated Press included three recommendations, and the FBI told the OIG it concurred with these recommendations. Please identify the specific outcomes of the FBI’s implementation of these recommendations, including any changes the FBI made to its written policies.

9. The OIG’s 2016 report stated that the FBI in June 2016 adopted an interim policy that provides guidance to FBI employees regarding their impersonation of members of the news media during undercover operations. Is this interim policy still in effect or has the FBI updated and finalized this policy? Please provide me with a copy of the policy currently in effect.

10. When the FBI conducts hacking operations against targets whose locations are then unknown and could possibly be located overseas, does the FBI coordinate its activities with the Department of State? If not, please explain why. Please also explain the steps the FBI takes to ensure that such operations are conducted in a manner consistent with international law and, in particular, that the FBI is not unintentionally hacking computers that are used by organizations responsible for critical infrastructure.

The text of the full letter is here.

###

Press Contact

Keith Chu