Proposal will allow FBI to hack and install malware on VPN users’ computers

A new proposal by the United States Justice Department to amend Rule 41 of the Federal Rules of Criminal Procedure has got security experts and privacy advocates very worried. The danger was flagged up last week on the JustSecurity website, when Professor Ahmed Ghappour (who is also director of the Liberty, Security and Technology Clinic) observed that it presents,

Possibly the broadest expansion of extraterritorial surveillance power since the FBI’s inception.

The draft proposal involves changing the FBI’s search and seizure rules, allowing it to remotely search and seize data from targets whose location is “concealed through technological means” (e.g. using VPN, Tor, PGP, or other similar privacy technologies):

Authority to Issue a Warrant. At the request of a federal law enforcement officer or an attorney for the government: (6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.

The game-changing point here is that a warrant can be issued where the “district where the media or information is located has been concealed through technological means”. As the location of the data is not known, this means courts could authorize the FBI to perform searches in foreign countries. Ghappour explains the implications:

The DOJ proposal will result in significant departures from the FBI’s customary practice abroad: overseas cyber operations will be unilateral and invasive; they will not be limited to matters of national security; nor will they be executed with the consent of the host country, or any meaningful coordination with the Department of State or other relevant agency.

Under the DOJ’s proposal, unilateral state action will be the rule, not the exception, in the event an anonymous target “prove[s] to be outside the United States.” The reason is simple: without knowing the target location before the fact, there is no way to provide notice to (or obtain consent from) a host country until after its sovereignty has been encroached.

Without advance knowledge of the host country, law enforcement will not be able to adequately avail itself of protocols currently in place to facilitate foreign relations. For example, the FBI will not be able to coordinate with the Department of State before launching a Network Investigative Technique. This puts the U.S. in a position where a law enforcement entity encroaches on the territorial sovereignty of foreign states without coordination with the agency in charge of its foreign relations.

In other words, the proposals will set the FBI up for a diplomatic nightmare, as well as putting them on a collision course with the NSA.

“Uncoordinated unilateral ‘cyber’ ops by FBI may interfere with US foreign affairs (or covert ops),” Ghappour told The Register, a view supported by Matthew Green, assistant research professor of computer science and cryptography at Johns Hopkins University, who tweeted that “malware from the FBI to, say, Syria could very well trigger congressional investigations.”

A further problem with the DOJ proposal is that few safeguards are in place to “insure that Network Investigative Techniques [read: hacking, infecting machines with malware, etc.] are used sparingly and only when necessary,” and that there is no limit to “the range of hacking capabilities it authorizes”:

The Rule should not authorize drive-by-downloads that infect every computer that associates with a particular webpage, the use of weaponized software exploits in order to establish “remote access” of a target computer, or deployment methods that risk indiscriminately infecting computer systems along the way to the target. Nor should the Rule authorize a “search” method that requires taking control of peripheral devices (such as a camera or microphone).

While Ghappour’s suggested limits on the powers the proposal would authorise seem to us sensible and proportionate, the DOJ does not have a history of limiting its own authority.

As it stands, the proposed amendment allows the FBI to use a wide array of invasive (and potentially destructive) hacking techniques where it may not be necessary to do so, against a broad pool of potential targets that could be located virtually anywhere.

The proposal would allow the FBI to target just about anyone who uses VPN or Tor (etc.), purely on the basis that they are protecting their privacy using encryption, and no matter where they are in the world…

About Dan Johnson

Dan has been involved with computers since the early 1990s, starting with a 2400 baud dialup modem. Since then, he has been working on various internet projects for over a decade and makes a conscious effort to inform others about staying safe on the internet. Currently he works with IronSocket and some other online side projects, when not hiking through the pine forests around his house.