A single warrant could authorize federal officials to inject malware into hundreds of suspects’ -- and victims’ -- computers.
U.S. courts are moving forward with a plan that federal agencies say is needed to track down potential terrorists hiding out on the Internet but that privacy advocates say would give the FBI wide latitude to hack into people's computers.
The U.S. Courts Committee on Rules of Practice and Procedure has published a draft of search and seizure changes the Justice Department asked for last fall. Two adjustments would expand the scope of the government's offensive cyber techniques.
The public has until Feb. 17, 2015, to weigh in.
"With the rise of techniques that make it easy for criminals without any technical skill to hide their true locations, lawfully authorized remote access has become increasingly important to protect people from predators and solve serious crimes," Justice Department spokesman Peter Carr said in an email. "Our rule change will ensure that courts can be asked to review warrant applications for probable cause in situations where it is currently unclear what judge has authority to review a warrant application."
Officials: Cybercrime Defies Geography
One proposal would let a judge in the district where a crime has occurred issue a warrant for sending "surveillance software" through the Internet to wherever the suspect's computers might be located. The goal would be to unmask a suspect's IP address or the whereabouts of the device.
A related change permits investigators to secretly probe hundreds of infected computers in a "botnet" by obtaining a single warrant. Right now, authorities must obtain a warrant for each jurisdiction in which they plan to target computers.
Government officials say the draft rules, which were released Aug. 14, enlarge the area of investigation to account for cybercrime's lack of geographic boundaries.
But critics say the move opens the door -- without proper deliberation -- for heightened use of so-called zero-day exploits and other antivirus-proof spyware. Zero-day exploits abuse software vulnerabilities before anyone has had time to detect or fix them.
Federal agents argue it is hard to identify the physical location of criminals because they do their dirty work -- be it distributing child pornography or laundering money -- behind "proxy" services that hide their real addresses.
The desire to loosen the rules on hacking computers was first reported by Bloomberg in May, after the U.S. Courts Advisory Committee on Criminal Rules recommended changes be published for public comment.
Privacy Groups: Where are the Protections?
Civil liberties groups say the revamp could allow zero-day exploits and other malicious software to escape into the wild.
"What kind of protections are in place to make sure that any malware the government uses doesn’t start spreading around the Internet or get intercepted by bad actors?" said Nathan Wessler, attorney for the Speech, Privacy, and Technology Project at the American Civil Liberties Union. "All of that is totally unanswered and unaddressed by this proposal. ... There should be a debate now about what the appropriate limits should be."
And agents, once inside a computer, might inadvertently grab other data besides an IP address.
They might "trigger the computer to upload everything that’s on there: The contents of files, the metadata from the email inbox, the name of the person who edited every file is potentially accessible," Wessler said.
With botnet searches, there is a concern about the government injecting code into innocent citizens' computers without their knowledge.
The proposal authorizes “the government to surreptitiously remotely install software on thousands of innocent people’s computers simultaneously” to investigate the botnet or try to disinfect the machines, Wessler said. “There’s an understandable public health analog going on there,” he added. “But people have legitimate concerns about the government surreptitiously installing code on their computers without their knowledge or consent.”
Draft Rules Far from Final
In one previous case, the government wrote the wrong email address for a suspect on a warrant, Wessler noted. Some typos created a different email address. "So then you have the threat of government malware being directed at some hapless person who happens to have an email address that is two characters different than the suspect’s," Wessler said. "It’s a good example of why we should be careful about this stuff."
The draft rules have to go through several rounds of vetting before they become final, so it could be a year before they take effect.
Specifically, the stipulations state a judge in a district where a crime might have occurred can issue a warrant "to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district," if the criminal has a concealed IP address or if multiple computers have been compromised.
The ACLU is considering how it will respond to the proposal.
Authorities Now Struggle to Obtain Proper Search Warrants
Without clear guidance on hacking computers, authorities have struggled to obtain the proper search warrants during the past couple of years.
In April 2013, the Wall Street Journal reported a judge denied an FBI request for a warrant to remotely hack a computer as part of an investigation into bank fraud and identity theft. The government was seeking, among other things, permission to take photographs for 30 days using the computer's built-in camera.
However, during a 2012 case involving a likely foreign-based terrorist causing disruption on American soil, a judge approved government hacking. A man who called himself “Mo” was threatening to detonate bombs at universities and airports nationwide. He communicated by email, video chat and Web-based phone to hide his identity. The FBI designed malware that would be delivered when Mo signed on to his Yahoo email account from any computer anywhere in the world, The Washington Post reported last year. The software was programmed to gather various data, including sites Mo had visited, that would allow investigators to find him and link him to the threats.
Carr, the DOJ spokesman, said the new proposal "relates solely to venue for a warrant application," and would not permit any searches or remote access that aren't already legal. The government is "bound by the search warrant’s terms" on what is seized, he added. "Civil liberties are fully protected by the court’s review of the warrant."
Debate Headed to the Supreme Court?
Some law enforcement specialists say the debate likely will wind up in the Supreme Court, with justices laying down the limits of government hacking. And by the time that happens, criminals will have moved on to new methods of evasion.
"Both sides of this issue have extremely valid points," said Jim Bueermann, president of the Police Foundation, a nonpartisan research and training organization. He also served the Redlands Police Department for more than three decades.
"Police can go too far or they can go not far enough in trying to make us safer," he said.
But as with devices such as drones, "innovation and the rate at which the technology advances far outstrips the courts’ ability to keep pace," Bueermann said. "While we are deliberating on what we should or shouldn’t do, the people that aim to harm us are busy at work and they don’t wait until the Supreme Court or Congress weighs in."