A government proposal to change the rules for obtaining search warrants risks making all of us more vulnerable to cyber-attacks.
The FBI wants to be able to infect computers with malware when it doesn't know where exactly they're located. The implications for computer security, and for constitutional limits on the government's search powers, are drastic.
The Department of Justice is asking a judicial committee to amend Rule 41 of the Federal Rules of Criminal Procedure, which generally permits magistrate judges to issue search warrants to the government only for searches within their judicial district. The government wants to lift the geographical limitation to allow it to conduct electronic surveillance of devices whose locations are unknown.
The Advisory Committee on Criminal Rules, which includes mainly judges, is holding a hearing tomorrow to consider the government's proposal. The ACLU will explain at the hearing why the proposed rule could be a game changer in degrading online security and how it could green light systemic constitutional violations.
We know that the FBI – and possibly other law enforcement agencies – have been infecting the devices of criminal investigative targets since at least 2001. But if the proposed amendment is adopted, it will throw the doors wide open to an industry peddling tools to undermine computer security, and make the U.S. government an even bigger player in the surveillance software industry. That's cause for concern when you consider the government's own track record on data security. As we noted in a comment we submitted last week to the committee ahead of tomorrow's hearing, "Agencies struggle with the most basic security practices, such as using good passwords, updating anti-virus software, and encrypting internet traffic on their websites." Federal agencies reported a staggering 25,000 data breaches in 2013, and foreign governments and hackers have repeatedly penetrated federal systems – the White House's network being the latest.
Flaws in surveillance software used by the U.S. government could expose targets' devices not just to American law enforcement agents, but to foreign governments and malicious parties eager to exploit vulnerabilities to collect sensitive information. And the government's record when it comes to assessing the reliability of technology it has purchased doesn't exactly inspire confidence (think Healthcare.gov).
Possibly even more disconcerting, however, is the market for vulnerabilities the amendment would encourage. In order to successfully infect the computers of targets, law enforcement agencies are increasingly seeking to purchase or so-called "zero-day" software exploits. Zero-day exploits take advantage of software vulnerabilities that are unknown to the software's manufacturer. Governments pay big bucks – reportedly into the hundreds of thousands of dollars – to acquire them, resulting in a largely unregulated market for these tools. Since the use of a given zero-day exploit depends on the continued existence of the vulnerability it's exploiting, governments withhold their existence from the manufacturer.
That is, quite simply, frightening. Government officials often say that cyber-attacks are one of the biggest threats faced by this country. Given that assessment, shouldn't government be fixing, not exploiting, insecurities in widely used technologies? Indeed, a panel appointed by the president to review the NSA's surveillance programs wrote that "it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection." But by codifying law enforcement's ability to use malware to remotely access targets' computers, the proposed amendment to Rule 41 would be a major boost to the zero-day market, further commodifying vulnerabilities and incentivizing the government to stay mum when it discovers them.
The constitutional concerns raised by the amendment are no less serious, and go beyond the kinds of procedural questions generally addressed by the committee. There are strong arguments that zero-day exploits are too intrusive, destructive, or dangerous to be reasonable under the Fourth Amendment, considering they endanger far more computers than those they target. For example, Stuxnet, the exploit launched by the United States and Israel apparently to target facilities in Iran, spread far beyond the targeted computer systems, infecting the networks of major U.S. companies. Similar questions arise for far less dramatic methods for infecting targets' computers.
For example, we learned last week that in 2007 the FBI delivered spyware to a suspect by faking an Associated Press story and sending a link to the suspect's MySpace account. When the suspect clicked on the link, surveillance malware installed itself on his computer and initiated a search. What we don't know is whether the suspect unwittingly forwarded the link to other people or shared it via social media. If he did, the computers of numerous innocent people could easily have been secretly infected with malware and searched. In other investigations, the computers of law-abiding citizens could get easily swept up in an attack simply because they visited the same site as a target. That kind of dragnet search is unacceptable by the Constitution's standards.
The committee demonstrated its thoughtful approach to these questions earlier this year, when the DOJ submitted an even broader proposal that would have allowed remote hacking of computers, as well as remote access to cloud-based services (like Gmail or Dropbox) during a search of a physical computer. The committee recognized the concerns raised by privacy advocates, and scaled back that proposal to ensure the government serve warrants on cloud service providers in order to access that information. When we testify tomorrow, we will urge the committee to reject the remaining parts of the government's proposal.
The proposed amendment would expand the government's power to conduct searches of a particularly invasive nature. If such searches are to be allowed at all, they should be carefully regulated by Congress, which is better suited to weigh the constitutional and policy concerns that the proposal raises. We hope the committee recognizes that, and rejects the proposed amendment to Rule 41.
The amendment, if passed, would have enormous implications for the security of each and every one of us. That's a decision our elected representatives – and each of us – should be weighing in on.