When the FBI uncovered a scammer targeting Wegmans two years ago, agents hacked into the suspect’s computer in an effort to learn his identity.
The hacking, approved by a judge, involved an email and attachment that, when opened, connected the suspect’s computer to an FBI server.
A new lawsuit in Buffalo federal court says the Wegmans case is just one example of how the government is now using hacking in ordinary, day-to-day investigations, and not just in national security and foreign intelligence probes.
And they’re doing it at the peril of individual privacy and security, the suit claims.
Brought by the ACLU, Privacy International, a London-based organization that defends privacy issues across the world, and a University at Buffalo law school clinic, the suit seeks evidence of what the groups call a “remarkable expansion of the government’s surveillance powers.”
This new tool, they argue in court papers, is so powerful and intrusive that it carries with it great risk to the privacy and security of both the individuals being investigated and the people around them.
“It’s never before been the case that the government can accumulate so much important and sensitive personal information by accessing just one device,” said Jonathan Manes, director of the UB Law School’s Civil Liberties and Transparency Clinic.
The court case stems from a Freedom of Information request to 11 federal agencies that went largely unanswered, the groups claim in their complaint.
Ultimately, they want information on how often and under what circumstances hacking is used by the FBI and others.
They also want to know if the agencies have internal rules on the use of hacking and what consideration was given to its legality.
“We’re asking the government to disclose the hacking tools and technology they use and how often they use it,” said Colton Kells, one of three University at Buffalo Law School students involved in the suit.
Investigators and prosecutors object to the word hacking and insist what they do is legal. In the Wegmans case, for example, the FBI sought a court-authorized search warrant.
The U.S. Attorney’s Office declined to comment on the suit and FBI spokeswoman Maureen Dempsey said, “the FBI does not comment on matters pending before the court.”
The government’s use of hacking as an investigative tool dates back more than two decades and was documented in a 2016 story in Wired titled “Everything we know about how the FBI hacks people.” The story took readers from 1998, when the FBI used a computer surveillance tool called “Carnivore,” to 2013 when it used a watering hole technique to target a suspected child porn site.
A second story on hacking, this one in Motherload, details the 2017 attack on Wegmans by a scammer posing as a Chilean seafood broker and how the FBI responded by hacking into his computer.
Wegmans ultimately sued its real food broker in state court and, citing a $900,000 loss to the scammer, accused the company of subpar cybersecurity and asked for damages.
“So far, we’ve likely only seen the tip of the iceberg when it comes to the government’s use of hacking in criminal and immigration investigations,” Jennifer Granick, the ACLU’s surveillance and cybersecurity counsel, said in a statement after the suit was filed.
In their court papers, the three groups say the government’s use of hacking is on the increase and claim both the FBI and ICE spent $2 million on hacking equipment and technology from Cellebrite, an Israeli surveillance company.
The suit describes the government’s use of hacking as a “unique threat to individual privacy” and notes that volumes of personal information about an individual can now be obtained by federal investigators.
The information, they note in court papers, can range from personal financial and health records to intimate details of private communications. And sometimes, the people at risk are not the people under investigation.
“Innocent people can be swept up in these investigation and have their personal information compromised,” said Alex Betschen, one of the law school students involved in the case.
The suit refers to various hacking technologies, including a “watering hole” technique that involves taking control of an entire website or internet service in order to infiltrate any device visiting that site.
In one case, according to the suit, the government targeted an internet service suspected of hosting illicit activity, only to discover that it also hosted legal activity.
The suit also mentions a hacking technology that allows for real time surveillance by activating a device’s microphone or camera without the user’s knowledge.
In their court papers, the civil liberties groups make it clear individual security, not just privacy, is also at risk.
When an investigator hacks into a phone or laptop, he is exploiting vulnerabilities in the device and, according to the suit, leaving a “virtual door open” for identity thieves and other criminals.
“If the FBI can get into our phones and laptops, so can scammers or foreign adversaries,” Scarlet Kim, legal officer at Privacy International, said in a statement.
The federal court suit filed in U.S. District Court here will be heard by U.S. District Judge Lawrence J. Vilardo.