Although we’ve long suspected it to be the case, Amy Hess, the executive assistant director of the FBI’s Science and Technology Branch, confirmed this week that the FBI occasionally uses “zero-day” exploits it discovers in software in order to track individuals who might pose a threat to society.
In an extensive profile of Hess published by The Washington Post on Tuesday, the assistant director shed light on several areas of the organization that have previously been kept under wraps.
The idea of the FBI taking advantage of exploits has been a constant worry among those fighting for privacy and security online. With all the significant hacks on retailers, technology companies and hardware developers in recent months, the FBI could be putting users at risk by using these exploits and not reporting them.
Hess is aware of the contradictory nature of the practice, but the FBI has to balance public safety with security concerns, and the security concerns often come in second place:
Hess acknowledged that the bureau uses zero-days — the first time an official has done so. She said the trade-off is one the bureau wrestles with. “What is the greater good — to be able to identify a person who is threatening public safety?” Or to alert software makers to bugs that, if unpatched, could leave consumers vulnerable?
“How do we balance that?” she said. “That is a constant challenge for us.”
She added that hacking computers is not a favored FBI technique. “It’s frail,” she said. As soon as a tech firm updates its software, the tool vanishes. “It clearly is not reliable” in the way a traditional wiretap is, she said.
Whether or not you agree with Hess’s evaluation of the situation, it’s at least a step in the right direction for the bureau to be more open with the American public about its practices.