How NOT to do remote PC searches: Experts explain tech dangers of Rule 41 changes

Among the Judicial Conference Advisory Committees on Appellate, Bankruptcy, Civil, and Criminal Rules proposed amendments are changes to Criminal Rule 41. We already looked at one expert’s opinion back in September after the DOJ proposed changes to Rule 41 that would allow the FBI to hack into and remotely control PCs located anywhere in the world if the user is using anonymizing tech such as Tor or a VPN that “deliberately” disguises the location of the PC. Law professor Ahmed Ghappour explained constitutional and Fourth Amendment issues as well as how it would apply investigative powers normally associated with terrorism to investigating “general crimes.”

While there is an impressive lineup of witnesses to give testimony on the Rule 41 proposed amendments, let’s turn our attention toward comments submitted by a trio of experts who understand it’s likely that “surreptitious remote computer searchers will become an increasingly prevalent law enforcement technique in the future” and addressed some of the dangers of the proposed changes to search rules.

The changes to Rule 41 have not been properly vetted by technical minds and the technical side of remotely hacking into PCs is problematic. The entire document is worth a read as it spells out “how not to do remote computer searches.” These comments (pdf) were submitted by Columbia University computer science professor Steve Bellovin, University of Pennsylvania computer science professor and cryptology expert Matt Blaze, and Worcester Polytechnic Institute professor of cybersecurity policy and former senior staff privacy analyst at Google Susan Landau.

The draft of proposed changes points out that botnets “may range in size from hundreds to millions of compromised computers.” Because botnets can take over a very large number of victims’ computers, law enforcement wants a one-size-fits-all warrant. “But this approach must be avoided,” the team of technical experts wrote. “It is legally and technically dangerous to use a ‘common scheme to infect the victim computers with malware’.” From a technical standpoint, that common scheme could “easily go out of control,” and “from a legal standpoint, the lack of specificity is highly problematic.” They urged the committee to “reject the multiple-victims-one-search-warrant approach.”

The people behind those infected machines are already victims, and “allowing broader seizures of information from millions of machines simply because they were the victims of computer crime seems wrong,” the draft said. Planting malware could cause more damage to their PCs, or the malware could spread from the victims’ computers to other machines. Look at what happened with Stuxnet. They suggested that law enforcement should use honeypots first when trying to get a “clear understanding of exactly how the malware in question works,” rather than hacking into victims’ computers to study a botnet.

The trio explained that, in the future, technically sophisticated criminals could split botnet command-and-control malware in several pieces and plant those files in many different places on victims’ machines. Will law enforcement intrusively root around anywhere on the PC? “Rather than rummaging more broadly through the computer,” they suggested “that language mandating narrow searches, especially of victim machines, be added to the rule”:

An application for a warrant issued pursuant to (b)(6)(B) must include a statement specifying precisely which data is to be seized. The warrant itself must limit the investigation to those specific facts.

To do otherwise would be to turn a phishing attack into a fishing expedition.

Then what about giving the victim notice about a search warrant? Of four feasible mechanisms of notifying a target…“a file left on the computer; a pop-up window; an email message; or a physical letter, all are problematic, especially for mass searches.”

Both location and jurisdiction present problems under the proposed changes to Rule 41. Masking location or identity does not imply some shady motive on a user’s behalf. For example, people use a VPN, “not to conceal location or identity but because public and hotel networks are notoriously insecure; indeed, even some cellular network providers are known to tamper with web traffic.” Tor makes knowing the location “extremely difficult or impossible” and could mean the FBI ends up hacking into computers in another country…and that could potentially break the laws of that country and start a cyberwar. “While U.S. law may permit such searches, the law of the host country almost certainly does not.”

Although law enforcement would rather not disclose specific tools and techniques used to compromise and surreptitiously collect evidence from target computers, non-techie judges need to fully understand those highly technical techniques. Does the judge about to approve a one-size-fits-all warrant comprehend the security implications of law enforcement exploiting a “vulnerability (whether due to a software flaw or an explicit ‘backdoor’)” that “has the potential for illicit exploitation by criminals and foreign intelligence services?”

The security implications are staggering. They wrote:

And the computer software, hardware, and devices used by criminals (and from which evidence is collected) are also used by thousands—or millions—of innocent citizens to store, process, and communicate the most important and sensitive details of their lives and businesses. This means that that any flaw used by law enforcement for laudable evidence collection purposes also represents a risk to innocent people.

“It is natural to expect law enforcement to hold information about exploitable flaws closely, to maximize their useful lifetime for investigative use. But other public policy goals must be weighed against this…there is the broader question of reporting the vulnerabilities that law enforcement exploits to vendors so they can be fixed. That is, the use of vulnerabilities for law enforcement must be balanced against the need to protect citizens from criminals who might exploit them themselves.”

The team of experts recommended that any proposal to change Rule 41 should not include “blanket warrants” or one warrant “to conduct multiple simultaneous searches on victims’ computers.” Any remote search warrant issued should “include precise, particularized specifications of the area of the computer that is to be searched.” Due to potential international complications, “except for extremely serious cases, such searches should be done only with the cooperation of the host country.” They also recommended a “two-pronged approach” to giving victims notice of a search.

In closing, they wrote:

There is, to our knowledge, no explicit statutory authority for law enforcement to hack into computers; given the intrusiveness and danger of such activities, there is a need for balance. The legislative process is best suited to address this.

You can read the above remote search comments in full here (pdf). The public can comment on the preliminary draft changes (pdf) until Feb. 17, 2015.