In 2017, Apple received 8,929 demands for user information from the government. Google received 32,877. These are just a fraction of the demands made public and may not include one potential government surveillance tool: forcing software developers to install malicious software updates on individual users’ devices to potentially bypass passcodes and encryption, turn on cameras and microphones, or track someone’s location.
Whether you know it or not, you are almost certainly updating software regularly on your computer or mobile phone. Seamless software updates are one of the most important successes in improving cybersecurity in recent years. Updates fix vulnerabilities and make individual systems more secure, and therefore strengthen the entire digital ecosystem, which is only as strong as its weakest link. But they only work if users install them.
If users lose trust in software updates due to fears that the government is using them to break into devices, vulnerabilities won’t be patched. This will endanger entire networks and leave them vulnerable to cyber attacks.
Software developers are users’ first line of defense against unlawful government encroachment into their devices. It’s a challenging responsibility, but one that is critical to the integrity of the digital ecosystem and the privacy of users within it. That’s why, as law students in the NYU Technology Law & Policy Clinic, we have worked with the ACLU to put together a guide for software developers on how to make informed decisions about protecting the integrity of software update channels, both legally and technically.
One way to conceptualize the software update system is by thinking of them like immunizations. Like immunizations, people need to trust updates to get updates. But when the CIA organized a fake vaccination drive in Pakistan to collect DNA samples to help its search for Osama Bin Laden, the operation compromised many Pakistanis’ trust in public health workers. A crackdown followed, with global health organizations under suspicion, some medical workers murdered, and cases of polio surging. The lack of trust resulted in the spread of preventable diseases, just like a lack of faith in software updates will spread computer viruses. (The CIA appears to have learned its lesson, saying that it will not use vaccination drives for covert operations again.)
The chances of tech companies receiving a government order to build malicious software updates are very real, and they are likely growing. Many of the government’s surveillance demands come with a non-disclosure requirement, meaning that companies are forbidden from revealing the mere existence of the demands — and even if they could, they may not get the national attention that Apple’s refusal to comply with a government order received following the San Bernardino shooting.
While there has been little public documentation that this method being used, it is technically feasible for most applications and programs, and it is in line with government’s practice of seeking third-party assistance in other surveillance contexts. Also, in light of companies closing technological loopholes through improved security, law enforcement continues to search for alternate vulnerabilities to exploit. As other backdoors in encrypted devices are closed, the software update system will be an increasingly appealing option to law enforcement. This presents many dangers, including serious privacy and cybersecurity concerns.
While the government may justify these tactics by citing national security and overblown fears that improved encryption will lock law enforcement out of electronic devices, these concerns are often overstated. Despite the technology industry’s best efforts to maintain information privacy and security, law enforcement has access to more information about us as our social interactions have become increasingly mediated by technology. Text messages, online chats, social media posts, and more can all be accessed by law enforcement during an investigation.
Software makers should not wait to receive this type of novel software update in order to think about how to respond, and our new guide for tech companies and software developers includes detailed tips on how to prepare. One way is to implement privacy-minded technical designs that limit the possibilities of what can be done — even with a government order. Another is to plan for what to do if something like this happens, and to talk to an attorney about options for fighting back.
Technology has given the government more surveillance power than ever before. It’s imperative that we not let law enforcement further compromise our privacy and security by letting it misuse a feature as critical as the software update system.