The feds need a search warrant before installing a Remote Access Trojan (RAT) on computers suspected of being used in crimes, but the government can keep the remote access operation a secret from their target for 30 days and sometimes even longer if a judge approves an extension. But the remote search and seizure warrant is limited to the geographical district where the judge issued it. The DOJ, which includes the FBI, the DEA and ATF, says it needs one warrant to work over many districts so it can better hunt down potential terrorists and criminals on the Internet. The Committee on Rules of Practice and Procedure (pdf) has now backed the Justice Department’s proposed search and seizure changes that would give the FBI “wide latitude” to hack into people’s computers with surveillance software.
What type of information might the government be seeking after hacking into a PC? Last year, a FBI warrant sought permission to access the computer’s built-in webcam in order to take photos for 30 days, to grab search terms, email contents, documents and chat logs. The investigation was into bank fraud and the warrant was based on “the attempted transfer of money from a Texas bank account to a foreign bank, using an email address similar to that of the account owner's.” A Texas judge denied the FBI’s request for a Trojan horse warrant.
In the case of botnets, the proposal would allow the feds to use one warrant to send a RAT into thousands of computers without Americans’ consent or knowledge. The EFF previously warned the DOJ’s proposal “would dramatically expand the reach of federal prosecutors and investigators.”
One of the Committee’s changes deals with the authority to issue a warrant to use remote access even if the district where the media or information is unknown due to the use of anonymizing software and other similar tech. Rule 41 about “search and seizure” starts on page 338 (pdf); the red text, italicized here, indicates the proposed changes.
At the request of a federal law enforcement officer or an attorney for the government:
(6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if:
(A) the district where the media or information is located has been concealed through technological means; or
(B) in an investigation of a violation of U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.
An example to describe 6B might be botnets; the changes would allow the feds to target multiple PCs in various geographical locations and districts with just one warrant. “In investigations of this nature, the amendment would eliminate the burden of attempting to secure multiple warrants in numerous districts, and allow a single judge to oversee the investigation,” the proposal states. In other words, during such a botnet investigation, the feds could use one warrant to justify remotely installing software on thousands of innocent citizens’ computers at the same time and without their knowledge.
When it comes to serving a copy of the warrant, proposed changes include:
For a warrant to use remote access to search electronic storage media and seize or copy electronically stored information, the officer must make reasonable efforts to serve a copy of the warrant on the person whose property was searched or whose information was seized or copied. Service may be accomplished by any means, including electronic means, reasonably calculated to reach that person.
If the government uses zero-days to break into and search a computer, some civil liberties groups say such exploits might escape into the wild. Another potential problem is in limiting what the feds might snatch after hacking into a PC to grab an IP address.
Nathan Wessler, an ACLU attorney for the Speech, Privacy, and Technology Project, told Nextgov, "What kind of protections are in place to make sure that any malware the government uses doesn’t start spreading around the Internet or get intercepted by bad actors? All of that is totally unanswered and unaddressed by this proposal. . .There should be a debate now about what the appropriate limits should be."
The FBI might claim it is after an IP address, but an agent, might "trigger the computer to upload everything that’s on there: The contents of files, the metadata from the email inbox, the name of the person who edited every file is potentially accessible," Wessler said.
Granted, the proposal is just a draft at this point, but Wessler said the feds made a typo in an email address on a previous warrant. "So then you have the threat of government malware being directed at some hapless person who happens to have an email address that is two characters different than the suspect’s," Wessler said. "It’s a good example of why we should be careful about this stuff."
Cryptome has a copy of just the remote search and seizure portion (pdf) of the proposal. According to the Committee’s proposal:
The amendment does not address constitutional questions, such as the specificity of description that the Fourth Amendment may require in a warrant for remotely searching electronic storage media or seizing or copying electronically stored information, leaving the application of this and other constitutional standards to ongoing case law development.
It seems like any change in any proposal that would allow the government to easily hack into PCs should consider the Fourth Amendment. We’ve previously looked at the future of the Fourth Amendment if the feds lawfully use virtual force to remotely search computers and how the government could deploy malware for the purpose of investigating potential criminal activity. It's a future that doesn't look exceptionally bright if you care about civil liberties.
The public has until Feb. 17, 2015, to comment upon the preliminary draft of Proposed Amendments to the Federal Rules of Appellate, Bankruptcy, Civil, and Criminal Procedure (pdf). If you care about privacy, you should at least check it out and hopefully comment upon the draft.