Federal agents now have even greater scope for searching computers belonging to ordinary citizens, thanks to a controversial amendment that took effect on Dec. 1, 2016.
The long-standing Rule 41 of the Federal Rules of Criminal Procedure governs how the FBI can search and seize property thought to be involved in a crime. Its most recent amendment expands the search remit to include remote access to computers whose locations have been “concealed through technological means.”
In other words, the FBI can obtain a warrant to hack any device whose real IP address or location is masked. This can include computers using a virtual private network (VPN), a common internet tool used to maintain privacy on public Wi-Fi networks, to watch Netflix (and other geo-restricted media) from another country, to improve streaming speeds or simply to remain anonymous online. Similarly exposed under the updated rule are computers running the Tor browser, which people use for privacy and security or to reach the dark web for reasons ranging from visiting illegal sites to accessing secured communications for political dissidents and whistle-blowers.
The amendment also authorizes remote searches of computers that have been “damaged without authorization” and are located in five or more judicial districts — that is, machines infected with malware, such as those hijacked into botnets used to launch distributed denial of service (DDoS) attacks. Considering that 16 million American households experienced serious virus problems in the past two years, that’s a lot of computers that the FBI could legally hack.
“This unprecedented increase in government hacking authority gives the government ability to more easily infiltrate, monitor, copy data from, inject malware into and otherwise damage computers, including victims of a crime, remotely,” said Nate Cardozo, senior staff attorney at the Electronic Frontier Foundation (EFF).
Dragnet for online crime
Until now, the FBI had to identify the particular computer or location it wanted a search warrant for. In the case of illegal sites, such as those on the dark web where traffic is heavily anonymized, this often proved difficult. Agents could also obtain a warrant only from a judge in the district where the computer to be searched was located, often an ineffective requirement because the computers involved could be anywhere in the world.
Under the new Rule 41, any computer whose IP address or location has been concealed can fall within the scope of a single search warrant. A magistrate judge in any district where activities related to the crime occurred can issue the warrant, and it can be used to remotely search multiple location-masking computers wherever they happen to be.
“This is about the FBI having the power to search any visitors to sites where they know or suspect illegal activity is going on,” says Chester Wisniewski, principal research scientist at cybersecurity firm Sophos.
In theory, the new rule helps the government ferret out faceless perpetrators of massive cybercrimes. Examples include child pornography or drug trading rings and the October 2016 Mirai botnet DDoS attack on the DNS provider Dyn that disrupted access to Spotify, Twitter and Amazon.
But some of the FBI’s methods for tracking suspected criminals online could endanger the systems of innocent users.
“Precisely because law enforcement doesn’t know where the computer is, it has to use malware to uncover the real address of the computer they’re looking for,” said Gabe Rottman, deputy director of the Freedom, Security and Technology project at the Center for Democracy and Technology. “In doing so, law enforcement casts a very wide net, accessing computers that have nothing to do with the underlying investigation.”
For example, in 2013, the FBI obtained warrants to hack the dark web TorMail accounts of 300 users allegedly linked to child pornography crimes, but the malware was delivered before users logged in, suggesting that it was served to every computer that visited the login page, not just those 300.
“We should be concerned. This is more invasive than even wiretapping, and it’s inconsistent with the basic American value that the government shouldn’t be looking into your affairs unless it has some evidence you’ve done something wrong,” Rottman said.
What you can do
For those who want to protect themselves and their files from this form of newly authorized hacking, the usual cybersecurity principles apply, Wisniewski said. Use strong encryption for email and files. Always install updates to your operating system, browsers and apps. Use a password manager or strong passwords, and keep a good antivirus program updated. These measures lower the risk that your system has a vulnerability that misdirected law-enforcement malware, or the criminal malware it is hunting, could exploit.
“The scary thing is that the malware law enforcement will be using is potentially more powerful because the government has an incentive to hoard the most valuable zero days [vulnerabilities unknown to the software vendor, for which no patch yet exists],” Rottman said.
The new Rule 41 took effect because Congress did not act to reject or modify the amendment after the Supreme Court approved it and sent it to Congress earlier in 2016. Congress can still reform or even repeal the rule change through legislation in the future. “There need to be strong guidelines to keep this new power in check, lest it result in increased privacy intrusions,” said Cardozo.
The CDT has suggested reforms such as limiting the type of information that can be gathered and requiring more detail before warrants are granted.
While civil liberties groups including the EFF and CDT have been vocal about the dangers of the change, members of the public can also make their voices heard through online petitions or directly contacting their local representatives. “Average users can absolutely still engage,” Rottman said. “We haven’t had a national conversation on how to control government hacking to protect privacy and civil liberties.”