


Fourth Amendment’s Future if Gov’t Uses Virtual Force and Trojan Horse Warrants?

Nov 08, 2011 | 7 mins
Cybercrime, Data and Information Security, Enterprise Applications

An interesting paper discussed the future of the Fourth Amendment in the cyber world. Can the government legally deploy malware for eavesdropping and remote searches, in order to investigate and control potential criminal activity? This is part one of looking at Susan Brenner's paper, Fourth Amendment Future: Remote Computer Searches and the Use of Virtual Force.

It’s a huge day on the privacy front, where technology, privacy and the Constitution had a head-on collision, and now the Supreme Court is hearing arguments about and “seeing shades of 1984” in warrantless GPS tracking. The future of the Fourth Amendment looks a bit bleak in this digital age, so I hope SCOTUS does the right thing for the USA. Along those lines of surveillance without a warrant, I read an interesting paper about the Fourth Amendment in the cyber world and the government deploying malware for eavesdropping in order to investigate and control potential criminal activity. It provoked some deep, unpleasant, and yet realistic thoughts about how much virtual force is done now via stealthy spying Trojans which are launched by law enforcement for remote computer searches.

Susan W. Brenner, of the University of Dayton School of Law, wrote: Fourth Amendment Future: Remote Computer Searches and the Use of Virtual Force. She divided her focus into two main topics. The abstract states, “The first is the use of certain types of software, most notably Trojan horse programs, to conduct surreptitious, remote searches of computers and computer media. The other tactic is the use of ‘virtual force,’ e.g., using Distributed Denial of Service and other attacks to shut down or otherwise disable websites that host offending content and/or activities.”

This is a deep subject, so after pondering it, I decided to break it into two articles and inject my thoughts on law enforcement injecting malicious software for remote ‘search and seizures’ and perhaps a bit on virtual force such as when the government launches DDoS attacks on sites distributing information it does not like being released to the general public (think WikiLeaks). I’m not going to focus on if you are doing something for which you should be running from the cybergun firing dangerous packets your way . . . it’s “reasonable” from a legal perspective that peeps in this category would instantly destroy any proof on their box if they thought the feds were flexing virtual force for an online house search, to remotely access and gather incriminating evidence. It’s no contest for law enforcement to prove probable cause for a warrant in such cases.

Keyloggers are not all detectable and only an idiot would do any serious cyber surfing to financial sites or other important accounts from a cyber cafe computer, since hopeful cybercriminals have loaded most cafe computers with malicious software to log keystrokes. But what about on your own machine, whether at home, at work, or on the move via a mobile device — does the Fourth Amendment protect you if you’ve snagged the wrong attention and started bleeping on the radar of an intelligence agency? Trojan horse warrants to conduct surveillance and remote searches of computers might come in a flavor similar to the FBI’s Magic Lantern software, which replaced Carnivore, to record keystrokes of folks who are “savvy enough to encrypt their data.” Or it might include software strategies such as CIPAV (Computer and Internet Protocol Address Verifier), which was designed by the FBI to allegedly keep from ‘going dark’.

Malware may evade detection in some Windows antivirus software and this is in no way hypothetical. Besides the fact that Microsoft is big-time buddies with spying Johnny Law Officer, handing over access to stored-in-the-cloud data and the goods on its customers for free, look at what happened in Germany when the government was impressed by an FBI Trojan for snooping, decided to write its own, and then got caught spying on its people. While it would seem probable that antivirus software would detect and quarantine spyware, the Chaos Club showed that antivirus scanners failed to detect the German Trojan. Then researchers discovered a “second, more powerful version of the Federal Trojan spyware” meant to run on 64-bit Windows machines and conduct surveillance on 15 applications including Internet Explorer.

White hats sell weaponized exploits to intelligence agencies all the time. After the last Pwn2Own, when VUPEN stole Chrome’s security crown with a 0-day, instead of releasing the details to Google or to the public, the security firm chose to share the Chrome exploit “exclusively” with government customers of its vulnerability research services. “VUPEN sells weaponized exploits to intelligence agencies and law enforcement for covert operations or for surveillance, as well as to help these agencies pen test and then protect critical infrastructure from the vulnerabilities before they are exploited by the public.” I’m not picking on VUPEN as plenty of security firms make big bucks in the shadows and areas shaded grey.

While keeping cyberthugs on the run is a good thing, the potential indicators of domestic terrorism, ridiculous you-might-be-a-terrorist-if lists and massive databases of secret watchlists continue to grow; but not everyone who dislikes privacy invasion is a cybercriminal, porn addict or threat to America. Expect the lists for alleged suspicious behavior to increase because there are plenty of real threats in the digital realm. According to the National Counterintelligence Executive Report to Congress [PDF], China and Russia are, unsurprisingly, still busy in the espionage business; foreign spies are stealing U.S. economic secrets in cyberspace. If push comes to shove and we ever stop playing cyberwar with them, there would be mutually assured destruction (MAD). So in a world gone cyber MAD [PDF], what is the future of the Fourth Amendment and a “reasonable expectation of privacy” for Americans’ digital devices in regard to remote searches?

You realize that “officers who remotely access the computer will not knock and announce their intention to ‘enter’ it to conduct” virtual force searches — not that knocking is necessarily required in real life search-your-house situations. You have the background info now, so next time we’ll assume this snooping software is designed so the malware goes undetected by antivirus. We will focus on how Brenner theorizes remote searches, with or without a warrant, could be justified as not completely trampling the Fourth Amendment. And in some cases, perhaps paving the way in the name of combating cybercrime and botnets, it is not considered to be “spyware.” The Justice Department and FBI successfully launched a campaign to take down the massive Coreflood botnet by sending remote ‘stop’ commands to infected machines.

Meanwhile, SCOTUS is deciding the fate of a “reasonable expectation of privacy” and the Fourth Amendment in regard to GPS tracking without a warrant.

Here’s the second part: 4th Amendment vs Virtual Force by Feds, Trojan Horse Warrants for Remote Searches?


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.