Skip to content

December 3, 2016

2016 claims another victim: Your privacy

by John_A

In a blow to privacy on par with the Patriot Act, changes to the rules around warrants grant the US government unprecedented hacking powers in any jurisdiction, and on as many devices as they want.

The changes to a measure known as Rule 41 were made earlier this year but went into effect Thursday after lots of opposition. Basically they let any judge issue a warrant to remotely access an unlimited number of computers and devices located in any jurisdiction. There was plenty of objection from senators and congresspeople, groups like the Center for Democracy and Technology, and companies such as Google, who said it’s unconstitutional and invades citizens’ rights to privacy.

All that came to a head this week when months of opposition and requests for inquiry and review came to nothing. In Congress, a bipartisan bill called the Review The Rule Act was introduced but that failed in Washington on Wednesday afternoon.

In a last-ditch effort, civil society organizations, trade associations, and companies sent a letter to lawmakers dated November 21 pleading to delay the implementation of Rule 41’s changes and subject them to further review. “The consequences of this rule change are far from clear, and could be deleterious to security as well as to Fourth Amendment privacy rights,” they wrote.

The letter explained the changes “could be abused to obtain a single warrant to search millions of targets” and “would allow a judge to issue a warrant that would permit law enforcement to search the computers of hundreds of entirely innocent crime victims without their consent.” It’s kind of like searching all the houses on your block, without clearing with the owners first, just to find one bad guy.

Also concerned were 22 senators and congresspeople, who wrote the Attorney General at the Department of Justice in October with a lot of specific questions about implementation.

The DoJ responded to the lawmakers in kind, with a letter. It didn’t answer their questions. Instead, the DoJ reminded them that the use of remote searches isn’t new, and that warrants for these searches are already issued under Rule 41, including ones for multiple computers. Warrant applicants will still have to get the proper probable cause ducks in a row for the judge, they assured.

But of course it remains to be seen whether or not the judges will actually understand what it is they’re rubber-stamping approval for. The letter was also pretty light on explaining the part where if someone gets hacked, the FBI gets to poke around in their computers or devices without the user’s consent — or knowledge until after the fact.

By examining the DoJ’s response, it’s easy to tell that this whole messy mix of desires and half-cocked protectionism is slightly personal for the authorities. The main thrust of Rule 41’s changes are about dealing with its ongoing irritation with online anonymity tool, Tor. The main changes to search warrants and jurisdiction, they said, specifically apply to when a suspect is using anonymizing software. They named Tor specifically.

In that letter the DoJ included a long digression about Tor and the FBI’s investigation into a vile darknet child sexual exploitation website called Playpen. The FBI had taken control of the site and exploited vulnerabilities in Tor to unmask visitors, some of whom are currently being prosecuted. They said that despite successes with the Playpen investigation, “Federal courts have ordered the suppression of evidence in some of the prosecutions because of the lack of clear venue in the current version of Rule 41.”

Pedos can die in a million fires; unquestionably this is the kind of fighting we want to see the FBI doing, as long as it’s being done properly. Consider the FBI’s willingness to take over darknet sites and own site visitors, and it shines a fresh light on how things are about to change in the world of underground sites.

With the legal framework to make anything they find stick, it’s safe to say that the golden age of buying illegal stuff on the darknet is over. It also feels increasingly like the use of anonymity tools automatically makes you a suspect, which is already true in repressive regimes around the world who target Tor users.

Your computer is now a “crime scene”

Where Rule 41’s changes get weirder is when it comes to botnet victims. The DoJ made a case in its letter that the warrant changes are needed for investigation when the victims of computer crime (botnet and ransomware) reside in different jurisdictions. In a blog post, U.S. Assistant Attorney General Leslie Caldwell likened the computers of botnet victims to a crime scene — that they need access to.

Unlike a regular warrant for search, where the homeowner is notified by authorities before they enter and search the premises, targets under Rule 41 are only notified after they’ve been hacked and searched.

Imagine the FBI breaks into and enters your house in order to find out who you are, to tell you that your house was burgled. And after, they’re like oh, here’s our paperwork that gave us permission to burgle you in the first place.

On one hand, I get what they’re trying to do here, sort of. They’re attempting to deal with things like the Mirai botnet, which shut down half the internet (and is still a growing threat). To do that, current thinking is to intervene and stop the attacks on the victims’ devices. Which means accessing the computers and DVRs of people who don’t know they’re infected with a botnet.

Except trying to fight botnets by expanding FBI hack and search powers is a quick-and-dirty, but highly problematic way to solve this problem. Not to mention how horribly it could be abused. If there’s anything we learned from the Silk Road bust, it’s that if there’s a chance for abuse, there exists someone within the authorities who consider it a chance worth taking.

Combine the anonymity tool unmasking intentions, and the interest in accessing botnet victims’ devices, and now there’s a whole lot of people who are gonna get legally hacked by their own government. Thinking about what this means under a Trump presidency gives it all a much darker cast.

Our president-elect is unapologetically vindictive, openly advocates hacking his opponents, and has called for expanding the NSA’s domestic spying programs — abuse seems all but unavoidable. International cyberwar incidents also appear highly likely, because no one’s said jack about what happens when one of the computers the FBI hacks, surveils, and gathers evidence from is across a border.

I suppose we’ll find out.

Image: stevanovicigor/Getty (Hooded figure)

Read more from News

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Note: HTML is allowed. Your email address will never be published.

Subscribe to comments

%d bloggers like this: