nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

FYI: The FBI is being awfully evasive about its fresh cyber-spy powers

Agents want to hack suspected Tor, VPN users at will – no big deal

By Iain Thomson, 23 Nov 2016

Senior US senators have expressed concern that the FBI is not being clear about how it intends to use its enhanced powers to spy on American citizens.

Those are the spying powers granted by Congressional inaction over an update to Rule 41 of the Federal Rules of Criminal Procedure. These changes will kick in on December 1 unless they are somehow stopped, and it's highly unlikely they will be challenged as we slide into the Thanksgiving weekend.

The rule tweak, which was cleared by the Supreme Court in April, will allow g-men to apply for a warrant to a nearby US judge to hack any suspect that's using Tor, a VPN, or some other anonymizing software to hide their whereabouts, in order to find the target's true location.

Normally, if agents want to hack a PC, they have to ask a judge for a warrant in the jurisdiction where the machine is located. This is tricky if the location is obscured by technology. With the changes to Rule 41 in place, investigators can get a warrant from any handy judge to deploy malware to find out where the suspect is based – which could be anywhere in America or the world.

Also, when agents are investigating a crime that spans five or more different judicial districts in the US, the new Rule 41 will allow them to go to just one judge for a warrant, rather than all the courts in all the involved jurisdictions. And it allows the Feds, with a search warrant, to poke around in people's malware-infected computers.

Here's how assistant attorney general Leslie Caldwell summed up the changes:

The amendments would apply in two narrow circumstances:

First, where a suspect has hidden the location of his or her computer using technological means, the changes to Rule 41 would ensure that federal agents know which judge to go to in order to apply for a warrant. For example, if agents are investigating criminals who are sexually exploiting children and uploading videos of that exploitation for others to see—but concealing their locations through anonymizing technology—agents will be able to apply for a search warrant to discover where they are located. A recent investigation that utilized this type of search warrant identified dozens of children who suffered sexual abuse at the hands of the offenders. While some federal courts hearing cases arising from this investigation have upheld the warrant as lawful, others have ordered the suppression of evidence based solely on the lack of clear venue in the current version of the rule.

And second, where the crime involves criminals hacking computers located in five or more different judicial districts, the changes to Rule 41 would ensure that federal agents may identify one judge to review an application for a search warrant rather than be required to submit separate warrant applications in each district—up to 94—where a computer is affected. For example, agents may seek a search warrant to assist in the investigation of a ransomware scheme facilitated by a botnet that enables criminals abroad to extort thousands of Americans. Absent the amendments, the requirement to obtain up to 94 simultaneous search warrants may prevent investigators from taking needed action to liberate computers infected with malware. This change would not permit indiscriminate surveillance of thousands of victim computers—that is against the law now and it would continue to be prohibited if the amendment goes into effect.

The rule change, which has never been voted on by Congress, has raised serious privacy concerns. The Stopping Mass Hacking Act is under consideration to change the rule back, and a Review the Rule Act has also been filed to extend the December 1 deadline.

Last month, 23 lawmakers asked the US Department of Justice for clarification about how the new powers will be used, but the answer didn’t exactly inspire confidence.

“While I am pleased that the Department of Justice responded to our October letter concerning the proposed amendments to Rule 41 of the Federal Rules of Criminal Procedure, many questions remain unanswered,” said Senator Chris Coons (D-DE) in a statement.

“That is why I continue to believe Congress should have a substantive debate surrounding any changes before they go into effect on December 1, 2016. Congress should pass my Review the Rule Act (S.3475) and ensure we have adequate time to do our job and consider and debate these changes.”

Specifically, the DoJ refused to clarify if the Feds will consider a computer that’s part of a botnet as hackable under the new rules. If so, how they can be assured they won’t cause more damage? Additionally, will the FBI indulge in “forum shopping,” whereby they can get a single warrant to hack thousands or millions of devices?

“The American people deserve answers to these very basic questions about how our government intends to hack thousands or millions of personal devices with a single warrant,” said Senator Ron Wyden (D-OR).

“The Justice Department’s failure to answer these questions should be a big blinking warning sign about whether the government can be trusted to carry out these hacks without harming the security and privacy of innocent Americans’ phones, computers and other devices.”

Torpedo Tor pedos

Caldwell maintains that the rule change was vital for snaring pedophiles, drug dealers, organized crime, and online fraudsters. The assistant attorney general cited the Playpen case, in which the FBI ran a Tor-connected server that shared images of child sex abuse to hundreds of thousands of sickos. The Playpen machine was shut down after about two weeks of operation by the FBI – agents had seized the system from its original owners and kept it going for 12 days to catch as many perverts as possible before pulling the plug. It's possible the Feds were running as many as 23 hidden sites related to kiddie porn to snare pedophiles.

That Fed-controlled Playpen machine deployed a “network investigative technique,” most likely custom malware, that infected pedophiles' browsers and revealed their true public IP addresses to investigators. Those IP addresses allowed agents to trace Playpen visitors to their home addresses via their ISPs.

The Playpen was said to be the world's largest child porn exchange website. So far, about 100 people have been hauled into court accused of using the Playpen hidden service.

However, several judges are throwing out prosecutions because the FBI had technically broken the rules by only getting one search warrant in one jurisdiction to cover all the suspects they hacked into across America, and the agents wouldn't reveal how they uncovered Tor users' public IP addresses.

“Despite being prepared to comply fully with the Fourth Amendment’s warrant requirements – including persuading a federal judge that a lawful basis for a warrant exists – investigators are being told that, because criminals have successfully used technology to hide their location, there is no court available to hear their warrant application,” said Caldwell.

“Unless that nonsensical outcome is addressed, cases such as Playpen fail, meaning that pedophiles – including hands-on abusers – will be free to continue their crimes.”

Very few people would argue that protecting child abusers and their supporters is a good thing, which is why Playpen is such a good case for the FBI to hang their argument on. But the rule change means that the agency would be able to get a similar warrant on any Tor user, simply because they are using the software.

This guilt-by-association concept is particularly worrying for Tor users who just like to anonymize their internet use because they don’t feel like handing over their online viewing data to advertisers, or because they might fear persecution. The US government partially funded Tor for this latter group.

The chances of getting any legislation to amend the rules are now looking pretty faint. Congress will be meeting in lame duck sessions before the handover to the new administration, but controversial legislation is unlikely to get passed. So after December 1 Tor users should remember they have a target on their backs. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing