Privacy and technology groups are sounding the alarm on an obscure government rule with major implications for law enforcement hacking.
Hiding behind the nondescript title “Proposed Amendment to Rule 41″ of the Federal Rules of Criminal Procedure is a dangerous increase in authority for federal investigators to use invasive hacking techniques to spy on computers and access data, according to testimony submitted by the American Civil Liberties Union, the Electronic Frontier Foundation, the Electronic Privacy Information Center and others to a regulatory panel in Washington, D.C., yesterday.
The rule change would allow law enforcement agents to get warrants to search and seize electronic materials from any jurisdiction, “if the district where the media or information is located has been concealed through technological means” or in the case where a network of infected computers spreads across multiple districts.
“The likely effect would be for far more remote searches of far more machines,” said Joe Hall of the Center for Democracy and Technology. The ACLU described it as “a game changer in degrading online security [that] could green light systemic constitutional violations.”
A Justice Department spokesman said that the proposed rule change won’t expand search techniques beyond what’s already authorized under current law. The Department’s position is that in many cases it is difficult for investigators to go to federal judges in each district to get the permission they need for computer searches. Anonymous browsers like Tor obscure users’ true location when they connect to the Internet. Botnets, when malware is used to create an army of zombie computers for spamming or denial of service attacks, can encompass millions of computers across the country.
But those testifying against the rule change said it uses vague language that could be construed in ways that sweep up innocent computer users and permit surreptitious hacking techniques that could violate the Fourth Amendment’s search and seizure protections.
For example, the rule says the geographically undefined warrant could apply to any computer user that hid their location through “technological means.” The dark web is the most obvious target of that language, but it could be applied to companies that use proxy networks for security reasons, or to Apple’s new location-scrambling iPhones meant to protect their owners from being tracked by retailers, or conceivably even someone who lies about what city they live in on Facebook.
The concern with the proposed rule’s approach to botnets, according to testimony submitted by Amie Stepanovich for the EFF and Access, is that since the rule “targets victim computers and not the devices of bad actors,” innocent users whose machines have unknowingly been compromised by a virus could be targeted for surveillance.
It also allows investigators to target overseas computers, according to Ahmed Ghappour, a law professor at University of California Hastings. He called the proposal “possibly the broadest expansion of extraterritorial surveillance power since the FBI’s inception.”
The Justice Department has been secretive about its policies regarding the use of malware as an investigative tool, frequently keeping documentation of such techniques out of the public court record and conspicuously avoiding the use of the word “hacking”—the preferred term is “remote access.”
But hack it does. Just last week, the Seattle Times reported that in 2007, the FBI created a link to a fake AP story in order to install malware on a suspects’ computer. Earlier this year, Wired reported on the bureau’s use of malware “as a driftnet, not a fishing line,” by deploying bugs that infect every visitor to a particular website. In the case that was exposed, the website involved child pornography websites, but the ACLU and others have raised concerns that such tactics might be used on say, extremist websites. The Intercept has also detailed the powers of off-the-shelf spyware being marketed, if not already sold, to smaller law enforcement agencies.
The committee that decides on these rules, composed mostly of judges, will be considering public comments on the proposal until February. The privacy groups urged the Justice Department to work with Congress instead to write laws authorizing hacking in a more narrowly tailored manner.
Photo: Manuel Balce Ceneta/AP