SO … NOW THE GOVERNMENT WANTS TO HACK CYBERCRIME VICTIMS
THREE NEW CHANGES in federal court rules have vastly expanded law enforcement’s ability to hack into computers around the world.
The changes, to a federal court procedure known as Rule 41, were announced last week by the Supreme Court. They would let magistrate judges routinely issue search warrants to hack into computers outside their jurisdiction. The changes would also let magistrates issue a single search warrant for numerous computers in multiple jurisdictions, saving law enforcement the burden of having to obtain a separate warrant for each computer. This means a judge in Virginia could issue a single warrant for computers in California, Florida, Illinois and even overseas.
The government says the changes are minor but necessary to keep pace with cross-border internet crime and anonymizing software like Tor that hides the real IP address and location of computers. But civil liberties groups say the amendments let authorities conduct expansive hacking operations with little oversight, potentially threatening the security and privacy of innocent parties. They’re also alarmed that the changes suggest the government aims to hack the computers of crime victims—not just perpetrators.
One senator, Ron Wyden (D-Oregon), has already promised to introduce legislation that would halt the changes to Rule 41, but he has only seven months to get it passed.
Here’s a breakdown of the three changes and why they’re so controversial.
What Are the Proposed Changes to Rule 41?
Rule 41 governs how search warrants are requested and executed in federal cases, including the authority magistrates have to issue them. The Justice Department can request changes to the rules, which the US Supreme Court can approve or reject.
There are effectively three changes (.pdf) the Justice Department has requested.
The first would let magistrate judges issue search warrants to remotely search—essentially hack—computers outside their jurisdiction if the location of the computer has been intentionally concealed through technical means. Currently, magistrates can only issue warrants to search and seize property within their court’s jurisdiction, with exceptions (for example, property that might move out of the district before a search can be executed, or property located in a US territory or embassy overseas). The proposed change would mean that when a hacker or child pornographer uses Tor or some other proxy to conceal their real IP address and location, law enforcement would not be required to determine the computer’s location before getting permission to hack it.
The government cited two sample cases to explain why it needed this amendment. The first involved someone who had used an anonymizing service to email bomb threats to a high school. The second was a child porn case, which may be the Freedom Hosting case of 2013, which arose a few months before the government requested the Rule 41 changes. Freedom Hosting provided hosting to a number of child porn web sites, and visitors used Tor to reach them, obscuring their real IP addresses. Investigators wanted a search warrant authorizing them to embed surveillance software on the Freedom Hosting servers so that anyone who visited one of the child porn sites would be infected with malware that reported their real IP address. Without knowing beforehand where the suspects’ machines were located, however, investigators could not obtain warrants in the jurisdictions where those machines resided, hence the request for the rule change.
The dilemma is not theoretical. A recent ruling in another child porn case highlights why the government is seeking this amendment to Rule 41. In that case, the FBI and its law enforcement partners hacked some 4,000 computers belonging to members of the child porn site Playpen, whose IP addresses were obscured. A magistrate in Virginia issued a warrant allowing the FBI to infect the computers of anyone who visited Playpen. But last month, a Massachusetts judge ruled the warrant was invalid outside the Virginia court’s district, marking the first time a judge threw out evidence over Rule 41 jurisdictional issues.
The second Rule 41 amendment the government is seeking is more complicated.
One Warrant for Multiple Searches, Including Victims
The second amendment would let magistrates issue a warrant for computers outside their jurisdiction when those computers are part of an investigation into a crime defined by the Computer Fraud and Abuse Act, have been “damaged without authorization,” and “are located in five or more districts.” The rules committee says the amendment is intended to “eliminate the burden of attempting to secure multiple warrants in numerous districts” and allow a single judge to oversee an investigation. But the description of the computers to be searched has nothing to do with criminal suspects, critics point out; it instead describes victims’ computers.
As an example of the kind of case this would pertain to, the Justice Department cited a botnet investigation. Botnets are networks of thousands or even millions of computers that attackers infect with malware and then control with remote commands to commit other crimes. A multi-computer search warrant in such a case, the Justice Department says, would let law enforcement seize information to gather “evidence about the scope of the botnet and how the botnet might be dismantled.”
But critics like computer scientist Steve Bellovin say searching victims’ computers isn’t necessary. “[T]he computer security community has had great success studying botnets and locating their ‘command and control’ nodes without hacking into other victim computers,” Bellovin wrote in comments that he and two other computer scientists (.pdf) sent to the committee evaluating the changes. For known botnet malware, investigators can consult computer security firms to get samples of the malware and learn how it works. Those firms can even point the FBI to the command servers that control the botnet to help dismantle it.
Aside from the fact that letting the FBI search an unlimited number of victim machines would violate the particularity rule—which requires that search warrant applications identify the specific computers or devices to be searched—a wide swath of people could be affected by such searches. Botnet victims, as Amie Stepanovich, US policy manager at Access Now, points out, can include journalists, dissidents, whistleblowers, military personnel, lawmakers, and corporate executives.
“[T]he proposed change would subject any number of these users to state access to their personal data on the ruling of any district magistrate,” she wrote to the rules committee.
The Center for Democracy and Technology also points out in its comments to the rules committee that although the government used a botnet infection as an example of a case in which it might seek to search victims’ computers, the actual amendment refers to any machine damaged in the commission of a crime as defined by the Computer Fraud and Abuse Act. This would conceivably apply to any computer infected with a virus or other malware.
“Approximately 30 percent of all computers worldwide, as well as in the United States, are estimated to be infected with some type of malware,” the group wrote. “The number of computers that may therefore be subject to multidistrict searches under the proposed Rule 41 amendment is massive.”
Note that the child porn cases cited above would also benefit from a rule change allowing the government to obtain one warrant to infect multiple computers, but the particular amendment that addresses the one-warrant, multiple-computers issue pertains only to cybercrime cases. The government would need a hybrid of the two amendments to let one judge issue a single search warrant for multiple computers outside that judge’s jurisdiction.
Notice of Search
The third Rule 41 change is trickier still. Law enforcement has to find a way to tell people when a search of their property has occurred. With in-person searches, this is easy: officers either hand notice “to the person from whom, or from whose premises, the property was taken” or leave a notice “at the place where the officer took the property.” But this is challenging with remote searches, where the computer’s “place” and the computer’s owner are unknown. Under the amendment, law enforcement “must make reasonable efforts” to serve a copy of the warrant on the person whose property was searched, which “may be accomplished by any means, including electronic means.”
This concerns civil liberties groups, since an email notification or pop-up message from law enforcement could easily look like a phishing attack to a botnet victim and be ignored. Worse, attackers could mimic such official-looking notices to trick users into clicking on malicious links or opening attachments.
The wording of all of these changes is sufficiently vague that, as with most controversial issues, the devil is in the details and how law enforcement would interpret and implement these authorities in practice.
What Are the Big Concerns?
Critics of the proposed Rule 41 changes have essentially four concerns.
“Remote search” is too vague. The government doesn’t say what it means by “remote search” in its proposed amendments, raising concern that it could encompass a wide variety of hacking techniques—from simply collecting an IP address to something more invasive like activating a computer’s microphone or webcam. In a 2013 case, the FBI sought a warrant to install surveillance software on an anonymous hacker’s computer that would not only identify his IP address but also activate his webcam to take pictures of whoever used the machine during the 30 days the warrant was active. The magistrate rejected the request (.pdf) based on Rule 41 jurisdictional issues—the location of the computer was unknown—and also pointed out that activating the webcam constituted video surveillance, which carried extra burdens of probable cause that the government hadn’t met.
Fewer judges and warrants mean less oversight. Orin Kerr, a former federal cybercrimes prosecutor who sits on the judicial rules committee that evaluated the proposed amendments, has expressed concern that letting a single magistrate issue one warrant for multiple searches would facilitate “forum shopping,” in which prosecutors seek warrants only from magistrates known to be sympathetic to the government. Requiring investigators to obtain separate warrants for computers in different jurisdictions provides better oversight, since different judges will raise different concerns. The Justice Department has argued that there is a benefit to having a single judge familiar with an investigation oversee all warrants in a case.
Surveillance software can harm computers. Surveillance software installed on computers carries potential consequences that are difficult to estimate and don’t really exist with traditional, physical searches.
“[I]n the physical world, agents of law enforcement can be reasonably confident that breaking and entering into premises won’t cause the entire building to fall down,” the Center for Democracy and Technology wrote in comments objecting to the amendments. “In cyberspace we cannot be so confident.”
Bellovin and his two colleagues noted that given the stealth characteristics that remote search software must have—it must run with the highest administrative privileges on a machine in order to hide itself and examine hidden parts of a machine—“it is more likely to cause unanticipated problems….[and] if it is used on enough machines, [for example] when doing a large-scale search of bots, there almost certainly will be problems on some of them.”
Magistrates don’t understand how the technology works well enough to provide proper oversight. All of these other problems are exacerbated, critics say, by the fact that courts and magistrates don’t have the expertise needed to understand the capabilities of government hacking tools.
“We know nothing about how these things operate,” Joseph Lorenzo Hall, chief technologist for CDT, told WIRED. “Are [these things] engineered to be minimally risky to the targets and potential victims? We have no idea, and judges don’t know to ask that, and they don’t have the expertise to examine even if they did have.”
Due to all of these concerns, critics want Congress to weigh in on the rule changes, instead of leaving them up to the courts.
What Comes Next?
The proposed changes were submitted by the Justice Department to a judicial review committee in 2013 and, after a three-year review process, passed to the Supreme Court this year for approval, which the Court gave last week. Now lawmakers have 180 days to reject or amend them, as Wyden hopes to do, before the changes go into effect December 1.
By law, the federal courts are not allowed to make rule changes that are more than merely procedural; only Congress can do that. Critics hope that lawmakers agree that these amendments amount to substantive changes with clear Fourth Amendment implications. They’re calling on Congress to weigh in with a specific statute that would spell out how government hacking technologies may be used, in the same way that statutes addressed wiretapping and other technologies as they emerged over the years.
“The accessing of thousands of computers by the government. . . should be the subject of a statute passed by Congress—not a short simple procedural rule, but a complex multi-provisioned statute that says who is allowed to do this, when they are allowed to do it, what justifies doing it, to whom it can be done and the procedures for doing it,” says Peter Goldberger with the National Association of Criminal Defense Lawyers.
There is one major distraction, however, that might prevent Congress from acting within the 180-day window it has to reject the amendments—the upcoming elections in November. Lawmakers seldom do anything substantial during lame-duck sessions.
Goldberger notes, however, that if they don’t have time to properly address the issue this year, they could also just pass a law suspending the 180-day deadline so they can take it up next year.
Correction 19:09 5/4/16: A previous version of this story said the DOJ cited a child porn case in support of the second change to Rule 41. Instead, they cited the case in support of the first change to Rule 41.