The DOJ proposed changes to Rule 41 that would allow the FBI to hack into and remotely control PCs located anywhere in the world if the user is using anonymizing tech such as Tor or a VPN that "deliberately" disguises the location of the PC. It would apply investigative powers normally associated with terrorism to investigating "general crimes."

Using anonymizing tech such as Tor or a VPN should not imply that people are trying to “hide” because they are up to no good. It does make it challenging for law enforcement to know the location of the person trying to protect his or her anonymity as well as to know what district has legal jurisdiction to issue a warrant. However, the DOJ has proposed changes to Rule 41 that would allow U.S. law enforcement to hack into computers of people using anonymizing services without needing to first know the location of those computers. According to law professor Ahmed Ghappour, the proposed amendment could result in “possibly the broadest expansion of extraterritorial surveillance power since the FBI’s inception.”

While that doesn’t mean the FBI would use malware to infect the PCs of all people using anonymizing services, it could mean the government would legally be allowed to secretly deploy malware for remote searches on PCs. That malware would allow the FBI to go through and covertly upload files, photos, emails, or do anything the computer is capable of doing, such as turning on the webcam and microphone. It also means the location of the PC doesn’t matter, be it domestic or on foreign soil.

The DOJ said (pdf) it is not looking for the power to search electronic storage in foreign countries, as the Fourth Amendment does not apply to non-U.S.
persons, but Ghappour argues, “the practical reality of the underlying technology means doing so is almost unavoidable.”

Ghappour is described as “a visiting professor at UC Hastings College of the Law and Director of the Liberty, Security and Technology Clinic where he litigates constitutional issues that arise in espionage, cybersecurity and counterterrorism prosecutions.” The amendment, he warns, would give law enforcement the same power as if it were investigating terrorism, except it would include investigating “general crimes.” He points toward DOJ proposed changes to Rule 41 (pdf) dealing with the authority to issue a warrant.

At the request of a federal law enforcement officer or an attorney for the government:

(6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if:
(A) the district where the media or information is located has been concealed through technological means; or
(B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.

This form of FBI hacking is broadly referred to as “Network Investigative Techniques.” The current wording might give the FBI the power to use virtual force on any PC using anonymizing services. Ghappour seems primarily concerned about the FBI breaking into computers located overseas. Could it accidentally start a cyber war? He suggests that before amending Rule 41, there should be a “comprehensive deliberation.” Such Network Investigative Techniques should be used sparingly and only if less intrusive methods have failed.
The language should be changed “to narrow the class of potential targets, from targets whose location is ‘concealed through technological means’ to those whose location is not ‘reasonably ascertainable’ by less invasive means.” Ghappour also suggests:

The Rule should also limit the range of hacking capabilities it authorizes. “Remote access” should be limited to the use of constitutionally permissible methods of law enforcement trickery and deception that result in target-initiated access (e.g., requiring the target to click a link contained within a deceptive email in order to initiate delivery and installation of malware). “Search” capabilities should be limited to monitoring and duplication of data on the target (e.g., copying a hard drive or monitoring keystrokes).

The Rule should not authorize drive-by-downloads that infect every computer that associates with a particular webpage, the use of weaponized software exploits in order to establish “remote access” of a target computer, or deployment methods that risk indiscriminately infecting computer systems along the way to the target. Nor should the Rule authorize a “search” method that requires taking control of peripheral devices (such as a camera or microphone).

The public can comment on the preliminary draft (pdf) until Feb. 17, 2015.