DoJ wants to make it easier for the FBI to legally hack innocent Americans
The precarious balance between law enforcement and personal privacy is highlighted by a new proposal from the Department of Justice — it wants greater leeway in its ability to place malware on multiple computers.
It can do this already, but not easily — it requires a judicial warrant that is only valid in the judge’s home district. Those warrants are not always automatic. In April 2013 magistrate judge Stephen Smith rejected such an application in Houston:
The Government has applied for a Rule 41 search and seizure warrant targeting a computer allegedly used to violate federal bank fraud, identity theft, and computer security laws. Unknown persons are said to have committed these crimes using a particular email account via an unknown computer at an unknown location. The search would be accomplished by surreptitiously installing software designed not only to extract certain stored electronic records but also to generate user photographs and location information over a 30 day period. In other words, the Government seeks a warrant to hack a computer suspected of criminal use. For various reasons explained below, the application is denied.
But even if it had been allowed, the warrant would only have been valid for the named computer within the judge’s district — the Southern District of Texas, Houston Division.
The FBI is now seeking a change in judicial rules to allow multiple searches on a single warrant, and for a single warrant to be valid for all 94 judicial districts. Its arguments are reasonable. Firstly, it may know the IP of a suspect computer, but not the precise geographic location. Secondly, modern organized crime can use hundreds if not thousands of computers in a crime — a botnet delivering a DDoS attack to disguise financial fraud for example. Obtaining individual warrants in all possible districts is difficult, time-consuming and expensive.
But there are huge privacy and security issues here. Firstly, the use of 0-day exploits by law enforcement will weaken the security of the internet itself. Secondly, placing spyware on the computer of an innocent person who ‘might’ be unknowingly harboring a bot (and thereby providing access to every intimate and confidential piece of data on that computer) is a dangerous attack on liberty and privacy.
But even more worrying, it is an attempt by the DoJ to make its surveillance desires easier to accomplish. The FBI could and would cherry pick its districts. Ninety-three of the districts might reject an application for a warrant as over broad and in conflict with the Fourth Amendment — but if there was just one sympathetic judge, the warrant would apply to the whole United States.
The FBI already cherry picks where it thinks it might get away with it. In the prosecution of Andrew Auernheimer it chose to prosecute in a district entirely unrelated to the case, but in which it could levy further charges and gain a longer sentence.
Now consider if the FBI had access to the NSA’s TAO catalogue of hacking tools (which it probably already has): no computer would ultimately be safe from the FBI, and the FBI would be acting entirely legally. We have seen over the last year that law enforcement and intelligence agencies have the attitude, if we can do it, we must do it. If the DoJ gets its way on this, the process will escalate until it is able to hack any computer, any time, on any whim.