Will Court Move Clear the Way to Mass Government Hacking?

Flickr user Matt Churchill

Featured eBooks
The IT Modernization Mission
Read Now

Ransomware Threat

Read Now

What's Next For Government Cloud

Read Now

Federal Agencies Exploring Computing at the Edge

Read Now
Aliya Sternstein By Aliya Sternstein,
Senior Correspondent

By Aliya Sternstein

|

A single warrant could authorize federal officials to inject malware into hundreds of suspects’ -- and victims’ -- computers.

U.S. courts are moving forward with a plan federal agencies say is needed to track down potential terrorists hiding out on the Internet but privacy advocates say would give the FBI wide latitude to hack into people's computers.

The U.S. Courts Committee on Rules of Practice and Procedure has published a draft of search and seizure changes the Justice Department asked for last fall. Two adjustments would expand the scope of the government's offensive cyber techniques. 

The public has until Feb. 17, 2015, to weigh in. 

"With the rise of techniques that make it easy for criminals without any technical skill to hide their true locations, lawfully authorized remote access has become increasingly important to protect people from predators and solve serious crimes," Justice Department spokesman Peter Carr said in an email. "Our rule change will ensure that courts can be asked to review warrant applications for probable cause in situations where is it currently unclear what judge has authority to review a warrant application."

Officials: Cybercrime Defies Geography

One proposal would let a judge in the district where a crime has occurred issue a warrant for sending "surveillance software" through the Internet anywhere where the suspect's computers might be located. The goal would be to unmask a suspect's IP address or the whereabouts of the device.  

A related change permits investigators to secretly probe hundreds of infected computers in a "botnet" by obtaining a single warrant. Right now, authorities must obtain a warrant for each jurisdiction in which they plan to target computers. 

Government officials say the draft rules, which were released Aug. 14, enlarge the area of investigation to account for cybercrime's lack of geographic boundaries.

But critics say the move opens the door -- without proper deliberation -- for heightened use of so-called zero-day exploits and other antivirus-proof spyware. Zero-day exploits abuse software vulnerabilities before anyone has had time to detect or fix them.

Federal agents argue it is hard to identify the physical location of criminals because they do their dirty work -- be it distributing child pornography or laundering money -- behind "proxy" services that hide their real addresses.

The desire to loosen the rules on hacking computers was first reported by Bloomberg in May, after the U.S. Courts Advisory Committee on Criminal Rules recommended changes be published for public comment.   

Privacy Groups: Where are the Protections?

Civil liberties groups say the revamp could allow zero-day exploits and other malicious software to escape into the wild. 

"What kind of protections are in place to make sure that any malware the government uses doesn’t start spreading around the Internet or get intercepted by bad actors,” said Nathan Wessler, attorney for the Speech, Privacy, and Technology Project at the American Civil Liberties Union. “All of that is totally unanswered and unaddressed by this proposal.  . .There should be a debate now about what the appropriate limits should be."

And agents, once inside a computer, might inadvertently grab other data besides an IP address.

They might "trigger the computer to upload everything that’s on there: The contents of files, the metadata from the email inbox, the name of the person who edited every file is potentially accessible," Wessler said.

With botnet searches, there is a concern about the government injecting code into innocent citizens' computers without their knowledge. 

The proposal authorizes “the government to surreptitiously remotely install software on thousands of innocent people’s computers simultaneously” to investigate the botnet or try to disinfect the machines, Wessler said. “There’s an understandable public health analog going on there,” he added. “But people have legitimate concerns about the government surreptitiously installing code on their computers without their knowledge or consent."

Draft Rules Far from Final

In one previous case, the government wrote the wrong email address for a suspect on a warrant, Wessler noted. Some typos created a different email address. "So then you have the threat of government malware being directed at some hapless person who happens to have an email address that is two characters different than the suspect’s," Wessler said. "It’s a good example of why we should be careful about this stuff."

The draft rules have to go through several rounds of vetting before they become final, so it could be a year before they take effect. 

Specifically, the stipulations state a judge in a district where a crime might have occurred can issue a warrant "to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district," if the criminal has a concealed IP address or if multiple computers have been compromised. 

The ACLU is considering how it will respond to the proposal.

Authorities Now Struggle to Obtain Proper Search Warrants

Without clear guidance on hacking computers, authorities have struggled to obtain the proper search warrants during the past couple of years. 

In April 2013, the Wall Street Journal reported a judge denied an FBI request for a warrant to remotely hack a computer as part of an investigation into bank fraud and identity theft. The government was seeking, among other things, permission to take photographs for 30 days using the computer's built-in camera. 

However, during a 2012 case involving a likely foreign-based terrorist causing disruption on American soil, a judge approved government hacking. A man who called himself “Mo” was threatening to detonate bombs at universities and airports nationwide. He communicated by ­email, video chat and Web-based phone to hide his identity. The FBI designed malware that would be delivered when Mo signed on to his Yahoo email account from any computer anywhere in the world, The Washington Post reported last year. The software was programmed to gather various data, including sites Mo had visited, that would allow investigators to find him and link him to the threats.  

Carr, the DOJ spokesman, said the new proposal “relates solely to venue for a warrant application," and would not permit any searches or remote access that aren't already legal. The government is "bound by the search warrant’s terms" on what is seized, he added. "Civil liberties are fully protected by the court’s review of the warrant."  

Debate Headed to the Supreme Court?

Some law enforcement specialists say the debate likely will wind up in the Supreme Court, with justices laying down the limits of government hacking. And by the time that happens, criminals will have moved on to new methods of evasion. 

"Both sides of this issue have extremely valid points,” said Jim Bueermann, president of the Police Foundation, a nonpartisan research and training organization. He also served the Redlands Police Department for more than three decades.

“Police can go too far or they can go not far enough in trying to make us safer," he said.  

But as with devices such as drones, “innovation and the rate at which the technology advances far outstrips the courts’ ability to keep pace," Bueermann, said. "While we are deliberating on what we should or shouldn’t do, the people that aim to harm us are busy at work and they don’t wait until the Supreme Court or Congress weighs in."

(Image via lolloj/Shutterstock.com)

NEXT STORY: Longtime Nurse Pries into Medical Issues of Colleague’s Family

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.