A proposed change to the ‘Federal Rules of Criminal Procedure’ issued yesterday by the United States Supreme Court will allow federal judges to allow the FBI to hack multiple computers at once, including machines of people who haven’t been suspected of a crime. It can even hack people the FBI knows to be innocent.
Under the old rules, the FBI had to know the location of the computer they were trying to hack, and thus had to get a warrant from a judge in that jurisdiction in order to deploy what’s ambiguously termed a ‘Network Investigative Tool’ (NIT) or hacking tool. Now, under the new rule issued by the highest court in the land, the FBI can go to a federal judge to hack computers they don’t even know the location of.
“So let’s say [the FBI] is trying to track a botnet or whatever, some type of cybercrime. [The FBI] can get a search warrant to go after let’s say 10 or 20, or 50 computers,” Neema Singh Guliani, ACLU Legislative Counsel told Gizmodo. “This new rule allows one judge to say ‘yeah, here’s a search warrant, go after those 50 computers and those computers can belong to victims [of cybercrime].’”
The new rule would allow the FBI to infect innocent people computer with malware in order to investigate cybercrime—even if their only connection to the crime is that they’re the victims. What could go wrong? Even better, there’s a legitimate fear that the judges who end up authorizing these hacking warrants don’t even fully grasp what they’re authorising.
“I think a significant concern is within that rule there is no requirement that the FBI disclose to a judge exactly what hacking technique they’re using, what the unintended consequences are what the implications are,” Guliani said. “So you may have a situation where a judge is authorizing something without fully understanding what the questions are. And this has come up in other technologies like stingrays where judges say ‘well, I didn’t really know what I was authorizing.’”
This rule has six months to be changed or outright banned by Congress before it automatically goes into law. Senator Ron Wyden is already trying to ring alarm bells about these new powers, saying “These amendments will have significant consequences for Americans’ privacy and the scope of the government’s powers to conduct remote surveillance and searches of electronic devices.”
The FBI, of course, has failed to even pretend to be transparent about how it’s using our tax dollars to hack people. We know virtually noting about what the current hacking procedures are, what protections exist, how often it’s hacking people, and what tools it’s using. “You can pretty much name the question and we probably don’t have an answer,” Guliani said.
There’s another problem with mass FBI hacking. It’s unclear that evidence gathered via malware laden hacking tools will actually end up being admissible in court. In addition, these warrants are sketchy when it comes to fulfilling some basic requirements of the fourth amendment, which bans unreasonable search and seizure.
The FBI learned this the hard way recently when evidence from a massive child porn operation was suppressed in court because the FBI didn’t have the legal authority to hack thousands of computer’s it didn’t know the location of.
“What we’ve seen with the NITs in the Tor hidden services cases is that the government has gotten a single warrant authorizing it to use an exploit and install a NIT on thousands of unknown individuals’ computers,” Andrew Crocker, Staff Attorney at the Electronic Frontier Foundation told Gizmodo. “That warrant doesn’t (and in fact can’t) satisfy the particularity requirement in the warrant clause of the Fourth Amendment, meaning that the evidence derived from the NIT should be suppressed.”
This is yet another confusing and secretive way the FBI is going about solving crimes in the digital age, and it’s only going to get worse.