The Supreme Court, last week, gave the FBI permission to hack into any computer anywhere in the world with the stroke of a single pen.
Ignoring, for the moment, whether other countries are going to think this gives them permission to hack into any computer in the U.S., this could be problematic.
What is at stake here is the current rule for a warrant which says that the warrant requestor has to know where the computer is that they want to hack into and get the warrant from a judge in that jurisdiction. Currently, if the FBI is investigating a case in New York and thinks that a computer in Texas is of interest, they have to go to a judge in, say, Dallas, to hack into that computer.
Under the proposed rule change to Rule 41 of the Federal Rules of Criminal Procedure, the FBI would still need a warrant. And the rule changes do not make it any easier to get that warrant. It just means that one warrant could ask for permission to hack into thousands of computers anywhere in the world.
Those computers may belong to one or more hackers, victims or businesses that are only incidentally involved in the situation. Since the parties to be hacked will not be served notice of the proposed warrant, they likely will never know that they have been hacked. And, if there is some side effect to the hack such as loss of data or leaving a security vulnerability behind, the owner of the computer will never know about that either. And, I do not see anything in the proposed rule change making the hacker responsible for damage that they do during the hack.
Oh, and the FBI doesn’t call it hacking. Hacking has a bad name. They call it Network Investigative Techniques. Maybe the bad guys should use that euphemism – we weren’t hacking, we were just conducting a network investigation.
The FBI claims that they want to use this in cases where the user is using TOR and they are bouncing their traffic all over the globe. This can be a hard nut to crack because many TOR nodes are hardened – but certainly not all – to avoid being susceptible to techniques like the ones the FBI uses. Still, crooks make stupid errors.
The proposed rule change does have some limitations, but the permission certainly covers a very wide range of situations and is clearly not limited to TOR users.
Network Investigative Techniques could include things like uploading all of the photos or emails from a computer under investigation to an FBI-controlled computer or turning on the microphone and camera on a target computer, as happened to Miss Teen USA Cassidy Wolf. In her case, the FBI was not the perpetrator, but it points to what can happen to someone when their computer is taken over. In Cassidy’s case, the FBI did, eventually, find the extortionist (he was demanding even more nude pictures of her than he already had), but that certainly did not reduce the stress and embarrassment that this young woman suffered. These are just a couple of examples of what the FBI could do.
The computer that I am writing this blog on does not have a microphone or camera, so it would be extremely difficult for a government-approved or non-approved hacker to turn them on, but most devices today do have cameras and microphones. You occasionally do see people with tape or post-it notes over their cameras. That is why.
What we have seen with the FBI’s requests in the past for Stingray warrants (a Stingray is a cell phone hacking tool) was opacity on the part of law enforcement agencies when telling judges what they were going to do and who might be affected. Judges, for the most part, are not the most technically savvy people on the planet and it would be easy to fool at least some judges. This means that extra diligence on the part of all parties is required when these types of warrants are approved.
The rules process allows Congress to intervene – in fact overturn – this change, but they would have to do that by December 1, 2016. If they do not, then the rule will go into effect. Given Congress’ history in privacy matters, I would not expect them to do so, although Sen. Ron Wyden has indicated his desire to do so.
In the FBI’s defense, it is getting harder and harder to figure out where computers are. I am less concerned about the location of the computer than the issues associated with authorizing law enforcement agencies to surreptitiously hack into my computer – by definition, without me knowing about it – on some unknown basis. The odds of this being cleaned up perfectly after the hack are almost zero.
If you assume that most law enforcement organizations try to do a good job and are honest – and I do assume that even though other people may not – that permission is a pretty scary thing to grant.
The other thing that people are concerned about is that this change was done by some judges with no oversight by the legislative branch, no public discussion and no external review. Only as a result of the media discovering this change has any public attention at all been created. Otherwise, it would have silently happened and that is the root of the problem.
Maybe this is a good change, maybe it is not. Secrecy and lack of an informed debate, however, are not good.
Information for this post came from The Intercept and Just Security.