In a move that solidifies concerns that President Trump is intent on undermining women’s and LGBT rights around the globe, Trump has selected Penny Nance to be his Ambassador-at-Large for Global Women's Issues. This is a State Department job meant to ensure that U.S. foreign policy incorporates and promotes women’s rights, but Nance has a long record of vocally promoting anti-woman and anti-LGBT policies — a record that senators must assess and scrutinize when considering her nomination.

The Global Women’s Issues Ambassador role is supposed to represent and advance women’s rights, issues, and interests worldwide. Nance’s record shows that instead, she could use the position to advance her own ideological agenda, which seeks to abolish reproductive freedoms and undermine the rights of queer and trans women.

While the ACLU neither supports nor opposes executive branch nominees like Nance, we can and do raise concerns about a nominee’s background. In Nance’s case, there is significant reason for concern. Senators must vigorously question her about her extreme hostility to women’s rights, reproductive freedom, and LGBT equality.

Nance currently heads Concerned Women for America, a group notorious for its attacks on feminism and LGBT equality, and she has been a vocal supporter of Trump’s agenda. In fact, Nance stood behind the president as he signed H.J. Res 43, which made it more difficult for women to access health care providers like Planned Parenthood.

She’s also a vocal opponent of abortion rights. Nance has suggested that legal abortion in America is worse than the Holocaust and has said that rape survivors must carry their pregnancy to term.

Unsurprisingly, Nance has denounced Planned Parenthood, comparing the women’s care provider to the mafia, and called for Trump’s Justice Department to target it for investigation. In the recent struggle to secure Jane Doe’s right to obtain an abortion, she called on the Trump administration to continue to block Jane Doe from exercising that right and falsely claimed that taxpayers would be covering her abortion.

She has also strongly criticized the Violence Against Women Act, the Affordable Care Act’s contraception coverage rule, the elimination of the ban on women serving in combat arms units as well as a policy change that expanded access to Plan B.

Nance’s record on LGBT issues is equally troubling. Nance has spoken out against legal protections for transgender youth, attacked the Girl Scouts for accepting trans members and the Boy Scouts for accepting gay members, and decried attempts by the “homosexual lobby” to repeal Don’t Ask Don’t Tell.

In her fight against marriage equality, Nance compared same-sex marriages to “counterfeit money.” She warned that equal treatment for same-sex couples would eviscerate religious freedom, and “in losing religious freedom, we lose America.” Nance has even said that homeless shelters that receive federal taxpayer dollars should be allowed to refuse shelter to LGBT people.

In 2015, Nance signed and sent a letter denouncing “the promotion of homosexuality” and urged parents to keep their children home from school if other students are participating in “The Day of Silence,” a youth campaign to oppose anti-LGBT bullying. Nance said that the Day of Silence is an effort by “LGBTQ activists” to “infiltrate schools” and “get to your children.”

Nance’s nomination raises deep concerns about the Trump administration’s continued hostility to women’s and LGBT equality in America and abroad. When weighing Nance’s confirmation, senators must think long and hard about whether such an outspoken opponent of women’s and LGBT rights could really be qualified to further those rights in U.S. foreign policy.

In September, the board of supervisors in Dane County, Wisconsin, passed a resolution to protect immigrants from the Trump administration’s mass deportation agenda.

The board, which represents the half a million people who live in Dane County, endorsed the ACLU’s Freedom Cities campaign and its nine model policies, which shield immigrants from discrimination, unjust government targeting, and attacks on their privacy.

This didn’t just happen on its own. The victory was the culmination of months of persistent activism from the local People Power group that I have been involved with since March. And this is just the beginning of our work.

I got involved in People Power earlier this year, and as a new activist, I was excited that the ACLU created a concrete blueprint that gave us clear, step-by-step guidance on how to advocate for the Freedom Cities agenda.

With the ACLU’s support, we began organizing in our communities, holding monthly People Power meetings and regular talks with local law enforcement and elected officials, and reaching out to local partners and allies.

As part of our immigrant rights work, we spoke with six different law enforcement agencies and built personal relationships with the sheriff and key members of the county board who have experience working on immigration-related legislation.

Before these meetings, some officials were under the wrong impression that they had to work with ICE, but we were able to turn many of them into allies, urging them to take steps to make sure that immigrants don’t get ensnared in Trump’s deportation machine.

These meetings also helped us learn about the right actions to take to shepherd our resolution through the legislative process.

Now that the board has passed the Freedom Cities resolution, we have a new tool to hold our local law enforcement agencies accountable to make sure that they aren’t complying with unconstitutional policies and the anti-immigrant agenda coming out of the Trump administration.

Join a People Power Event Near You

Sometimes it is hard to know the best way to go about making an impact where you live, but the Freedom Cities guide was an excellent on-ramp to activism, providing us with straightforward guidelines on exactly how to go about our advocacy work. We have continued to work on immigration issues with the county sheriff’s office and have also started lobbying our representatives in Congress to support the Dream Act.

We also know that we must support other organizations doing critical work in Wisconsin. Our People Power group is working with a local interfaith partnership and has helped raise money to allow Voces de la Frontera, a Wisconsin-based immigrant rights group, to hire a community organizer in Madison. It is with these groups and others that we are fighting back against a new attempt in the state legislature to punish local municipalities which limit their cooperation with ICE.

As we continue to advocate for immigrant rights and start our Let People Vote initiative, People Power members in Dane County are excited to continue the fight to make sure the Constitution works for everyone.

The FBI is making increasing use of an investigative technique that puts the public’s internet security at risk. This month, the ACLU filed amicus briefs in two cases to challenge the FBI’s use of this technique, which has significant cybersecurity implications for everyone.

The technique — government hacking — involves sending malware over the Internet to search computers remotely, often for information that is transmitted by or stored on anonymous targets’ computers. The malware can give investigators total control over a computer system. Absent extraordinary circumstances, courts should not grant this kind of power to law enforcement — much less with just a run-of-the-mill search warrant.

Malware — software designed to covertly damage a computer, take control of a system, or steal data — is not new to the federal government. The FBI has been deploying tools to search anonymous users’ computers since at least 2002. More recently, however, the FBI has expanded its use of this technique. Rather than deploying tailored malware against individual targets, the agency is now conducting “watering hole” operations that deliver malware to everyone who visits a particular webpage or pages. This can result in hundreds or thousands of computers being compromised, as well as the uncontrolled distribution of malware around the globe.

What the FBI didn’t disclose in court

This month, the ACLU filed briefs in the two cases pending before the Ninth Circuit Court of Appeals that involve the most recent publicly known malware investigation, aimed at users of the Playpen website. Playpen was a site primarily dedicated to disseminating child pornography, though it also hosted some lawful activities like chat and fiction forums. The FBI learned of Playpen, seized the server, and then actually ran the site out of its Virginia offices for two weeks. During that time, the federal government reportedly became one of the largest purveyors in the world of child pornography.  

The FBI took this step in an effort to identify people who visited the site, since visitors were using a privacy-protective web browser called Tor to mask their IP addresses, and thus their identities. (Playpen was designed so that only people using Tor could visit it. The U.S. government originally funded Tor, which serves as an essential tool for activism and free speech across the world. Journalists, bloggers, whistleblowers, human rights workers, and other activists have relied on the Tor network to avoid surveillance by potentially repressive regimes.) 

To obtain permission to deploy the malware —  to which the government gave the anodyne name “Network Investigative Technique,” or “NIT” — the government sought a warrant from a magistrate in the Eastern District of Virginia. The warrant granted the FBI permission to send computer instructions from Playpen to anyone who logged in with a user name and password. These instructions, the magistrate was told, would gather identifying information from the activating computers and send it to the FBI.

In Playpen, the FBI sought to search as many as 158,000 computers around the world with this malware. As a result, there are now approximately 140 Playpen prosecutions for possession of child pornography wending their way through the federal courts. The ACLU has filed several other amicus briefs with the Electronic Frontier Foundation challenging Playpen searches on the grounds that a single warrant cannot lawfully authorize a search of more than 100,000 people, and that the searches unconstitutionally violated Federal Rule of Criminal Procedure 41, which at the time limited magistrates’ ability to authorize searches to the district in which they operate — whereas the Playpen searches were global in scope. (Rule 41 has since been modified and now removes that procedural obstacle for the government to hack remotely.)

In the  briefs we filed with several of our affiliates located in the Ninth Circuit this month — United States v. Tippens and United States v. Henderson — we argue that the FBI failed in its duty of candor to the magistrate judge, rendering the searches unconstitutional. What the FBI did not tell the magistrate judge, among other things, is that for its NIT to work, it had to force visitors’ computers to do something that Tor and every other web browser is not supposed to do — download, install, and run the code transmitted by a webpage. To get that to happen, the NIT used exploit code — software designed to take advantage of a flaw in the way the Tor browser works. Further, because the Tor browser runs on the Firefox Mozilla code, this exploit likely worked on millions of Firefox users.

In other words, the government became a hacker, sending exploit code around the country and the world, compromising browser security and searching computers for information. And astoundingly, it didn’t tell the court that this was how the NIT worked. It even kept secret from the magistrate the very fact that it was, through its exploit, planning to take advantage of a vulnerability in Tor (and likely Firefox).

While the public doesn’t know what the vulnerability was, it likely gave the government, in Mozilla’s words, “total control” over the users’ computers. The FBI may have chosen to use that power only to collect identifying information, as it represented in the search warrant affidavit. But it could have accessed far more — and more private — information.

Without knowing that the government’s malware contained an exploit, the court was not in a good position to closely supervise the computer searches that the FBI’s computer instructions conducted. The magistrate likely had no idea she should police the search to ensure that the government would not misuse its capabilities to search private data for which it had no probable cause. Where searches are particularly intrusive (and especially when they involve digital media like computers), Fourth Amendment case law recommends heightened standards of proof for issuing warrants, search protocols, destruction of unrelated materials, and more to ensure that legitimate government searches do not metastasize into fishing expeditions. The magistrate couldn’t have known that she might want to impose such safeguards in this case.

How FBI hacking can hurt the public

Beyond just the facts of this case, the government’s development, storage, and use of exploits create computer security risks for the public that cannot be mitigated by the warrant process. The government may lose control of malware if an insider leaks or sells the tools, if the government itself is hacked, or if a malware target identifies and publishes the code. Once a hacking tool has been disclosed outside the government, malicious actors have a window of opportunity to use it for their own nefarious purposes.

We know the risk that the government will lose control of exploits is real, because we’ve seen it happen a number of times:

• In 2013, the FBI deployed malware on multiple websites hosted by a company called Freedom Hosting. This malware similarly took advantage of a Firefox security vulnerability to identify users of Tor. Innocent individuals who visited the targeted Freedom Hosting sites — which included TorMail, an encrypted email service used by all kinds of people all over the world to ensure privacy in their communications — noticed the hidden computer instructions embedded in the sites, and within days, the code was being “circulated and dissected all over the net.” Eventually, the same attack showed up “in the wild”, using essentially the same exploit the government used to compromise Freedom Hosting visitors to hack users of the Tor browser more widely.
   

• The government’s exploits also can be stolen. In 2016, the public learned that an entity calling itself the Shadow Brokers obtained National Security Agency malware from an external NSA “staging server.” Following some initial attempts to sell the exploits, the Shadow Brokers dumped dozens of NSA hacking tools online for free in April 2017. One of the tools the Shadow Brokers released — called EternalBlue — exploited a flaw in Microsoft software. Once released, the tool was repurposed into a virulent piece of ransomware called WannaCry, which infected hundreds of thousands of computer systems worldwide in May 2017.
   

• The very next month, another malware attack began spreading internationally after initially hitting critical infrastructure in Ukraine. Similar to WannaCry, the worm, dubbed NotPetya, made use of EternalBlue as well as another NSA exploit, called EternalRomance, also released by the Shadow Brokers. WannaCry and NotPetya infected such crucial systems as hospitals, power companies, shipping, and banking, endangering human life as well as economic activity.

Courts have said that dangerous tools used to effectuate otherwise lawful searches — tools like flashbang grenades and battering rams — can be unreasonable under the Fourth Amendment. Government malware is another such tool. Some investigative techniques are just too dangerous to use.

Cybersecurity is hard, and we are not doing a very good job of protecting the systems that we rely on. This task gets even harder if the government is an active attacker on the network with a vested interest in keeping computers insecure in case an investigator wants to conduct a search. If we aren’t careful, this powerful tool that the FBI now uses, like other powerful tools, will eventually trickle down to state and local police departments.

The government should be fighting to secure computers — not to hack them or to stockpile exploit codes that can be lost or stolen, and then misused and abused. As we told the Ninth Circuit, the Fourth Amendment needs to protect the public’s privacy and security. Secretive and unregulated government hacking endangers both.