It's no secret that the FBI uses computer exploits and vulnerabilities in its investigations, but the agency has not exactly been forthcoming with detailing its techniques.
That makes sense—the FBI wants to ensure its techniques continue to work against bad guys—but there is another reason the FBI doesn't want to reveal its techniques in court that isn't so obvious: The agency wants to avoid pissing off both its partners who provide the techniques, and other government agencies that might want to use those techniques for themselves.
The FBI relies on outside parties, such as private contractors, to help it take advantage of software bugs and other vulnerabilities.
"What's clear is that the FBI does not have the in-house capability to develop exploits," Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in an encrypted phone call.
Those techniques may also be used by other agencies, who probably don't want a shiny vulnerability being publicly disclosed and then patched. If the FBI were to then reveal the hacking technique used in court, it could tarnish those relationships.
The agency admitted as much in a recent filing.
In February 2015, the FBI took control of the dark web child pornography site Playpen and ran it from its own servers for 13 days. During this brief period, the FBI deployed a network investigative technique (NIT)—the agency's euphemism for a hacking tool—to identify users who visited specific threads of the site.
Since September, defense lawyers in an impacted case have been trying to get access to the NIT code as discovery, and have been partly successful. Buried in a recently unsealed document from that case, Kate Vaughan, an Assistant United States Attorney, writes that disclosure of the NIT code could, amongst other things, "discourage cooperation from third parties and other governmental agencies who rely on these techniques in critical situations."
It's not clear how the FBI obtained the exploit used to hack Playpen users—it could have been a private contractor, another part of the US government, or maybe it was already public. But, "If the NSA loaned the FBI an exploit for this case, the DoJ is saying that other parts of the government won't help […] in the future if doing so leads to exploits being burned," Soghoian added. That, or the FBI doesn't want to annoy other agencies that wish to take advantage of the same vulnerability for their own investigations.
The Playpen case is just one example of a time the FBI used a hacking technique and decided to keep it secret. Last week, FBI head James Comey made it clear that the agency wasn't going to reveal how it accessed the iPhone 5C of a San Bernardino shooter, nor who provided the successful technique.
Of course, vulnerabilities aren't just exploited by the government in service of lawful investigations—they are also used by hackers and criminals. If a popular piece of software has a bug that the FBI can use to spy on a user, that means a hacker could potentially take advantage of it, too.
This secrecy raises the question: If the FBI knows about a software vulnerability that affects users, and the developer is unaware of it, should it be expected to reveal that information at some point?
The White House has a system for disclosing vulnerabilities to software vendors called the Vulnerabilities Equities Process. "Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities," a 2014 statement from the National Security Council reads.
It's been over a year since the FBI used its NIT in the Playpen case. Whether that malware code has been run through the equities process since then is an "important policy question that should be answered," Nicholas Weaver, senior researcher at the International Computer Science Institute, UC Berkeley, told Motherboard in a Twitter message. The FBI did not respond to a request for comment.
As the FBI continues to use sophisticated techniques in a law enforcement capacity, and presumably continues to source its exploits from external parties that it is afraid of antagonizing, this secrecy around vulnerabilities is sure to continue. And with that, plenty of innocent technology users are going to continue using software and other products with unfixed issues.
Update: This story was updated to reflect that Motherboard spoke with Christopher Soghoian in an encrypted phone call, not an unencrypted phone call.