DOJ Proposal Would Let FBI Hack Into Computers Overseas With Little Oversight
from the freedom?-what-freedom? dept
Ahmed Ghappour, over at JustSecurity, alerts us to a rather frightening proposal from the Justice Department that would enable law enforcement to hack into the computers of people who are trying to be anonymous online. At issue is that current rules basically would extend the powers granted for terrorism investigations to everyday criminal investigations, concerning specifically the DOJ/FBI's ability to hack into computers. In the past, judges could issue warrants for such computer hacking if the target was known to be located in the same district. But the proposed change would wipe out that limitation, and basically give the DOJ/FBI the power to get approval for hacking into a much broader range of computers. Without the geographical limitation, there's concern about just how broadly this new power would be (ab)used:
The DOJ proposal will result in significant departures from the FBI’s customary practice abroad: overseas cyber operations will be unilateral and invasive; they will not be limited to matters of national security; nor will they be executed with the consent of the host country, or any meaningful coordination with the Department of State or other relevant agency.
In short, every new criminal investigation by the FBI will open up the possibility of a diplomatic nightmare and embarrassment. But, really, who cares when there are criminals to go after, right?
Under the DOJ’s proposal, unilateral state action will be the rule, not the exception, in the event an anonymous target “prove[s] to be outside the United States.” The reason is simple: without knowing the target location before the fact, there is no way to provide notice (or obtain consent from) a host country until after its sovereignty has been encroached.
Without advanced knowledge of the host country, law enforcement will not be able to adequately avail itself to protocols currently in place to facilitate foreign relations. For example, the FBI will not be able to coordinate with the Department of State before launching a Network Investigative Technique. This puts the U.S. in a position where a law enforcement entity encroaches on the territorial sovereignty of foreign states without coordination with the agency in charge of its foreign relations.
When a state’s sovereignty is encroached upon, its response depends on the nature and intensity of the encroachment. In the context of cyberspace, states (including the United States) have asserted sovereignty over their cyber infrastructure, despite the fact that cyberspace as a whole, much like the high seas or outer space, is considered a “global common” under international law.
[....] Given the public nature of the U.S. criminal justice system, it is hard to see how the FBI will avoid risk of prosecution (similar to that in the Chelyabinsk incident) if the DOJ proposal is approved.
The Chelyabinsk incident referred to involved Russia filing criminal hacking charges against the FBI for the FBI logging into a Russian server, seeking evidence against some Russian hackers.
And, of course, there are other issues with the proposal as well -- as you'd expect any time you see law enforcement seek to move anti-terrorism tools over to standard crime-fighting. For example, the current proposal could authorize questionable hacking techniques by the FBI. Ghappour suggests that if the DOJ really wishes to push forward with such a proposal, it needs to clearly limit the techniques that are allowed:
The Rule should not authorize drive-by-downloads that infect every computer that associates with a particular webpage, the use of weaponized software exploits in order to establish “remote access” of a target computer, or deployment methods that risk indiscriminately infecting computer systems along the way to the target. Nor should the Rule authorize a “search” method that requires taking control of peripheral devices (such as a camera or microphone).
Of course, why would the DOJ ever limit itself when it has the chance to get access to an even more powerful tool for hacking into anyone's computers?
There are other suggestions, of course. As it stands, the proposed amendment allows the FBI to use a wide array of invasive (and potentially destructive) hacking techniques where it may not be necessary to do so, against a broad pool of potential targets that could be located virtually anywhere.
Filed Under: anonymity, cooperation, diplomacy, doj, fbi, hacking, overseas, tor
Reader Comments
Yet another government agency making America less safe
Unfortunately, I'm guessing that even if they have realized this, they just don't care, because the hacked/infected/compromised computers aren't likely to be their computers, so why should they worry, they'll just use US computers getting hacked as 'evidence' that they need more power to 'fight the increasing threat of cyber attacks!'
[ link to this | view in chronology ]
Re: Yet another government agency making America less safe
Just so. Foreign investigators would have little trouble justifying investigations into American public officials related to more than 100 "extraordinary renditions" from EU soil alone, plus many more around the world. They would have little trouble justifying investigations into the many US companies now linked to NSA spying and hacking. Or banks and investment firms tied to the 2008 collapse. And there are the usual mundane anti-trust, environmental violations, kick-backs and other crimes.
As always, turn-about is fair play.
[ link to this | view in chronology ]
this is the jungle
Yep, and along the NSA mischiefs the Chinese and Russian hackers can't be blamed anymore. Try to cover all your holes, this is the jungle.
[ link to this | view in chronology ]
Re: Yet another government agency making America less safe
1. "Where is a computer located?" is a non-trivial question with decidedly non-trivial answers. If I am in country A and I establish a VPN connection to a termination point in country B, then I am, for all functional purposes, on a network in country B and my traffic is indistinguishable from that of hosts which physically connected to that network. (That's kind of the point of VPNs, after all.) So is my computer in country A or country B? And how would a third party know which?
2. Of course even if definitive knowledge to the question posed in (1) is available, that doesn't mean that the answer will remain the same indefinitely: there are these things called "laptops" and "tablets" and "mobile phones" and "portable devices" that may move across multiple national borders in a single day. So while country C might not really care that a citizen of country D had her laptop hacked while on their soil, when she goes home to country D, they might.
3. Distributed operations are reaching the point where it's not really possible to say where a particular (virtual) host actually is or where a particular (virtual) data store is, or for those answers to have persistent meaning. It's entirely possible for a targeted system in country E to actually be in country F by the time the hack is done.
4. There's no such thing as a backdoor that only works for the first person to open it. This actively weakens the security of any targeted system in country G, which by the way includes the enemies of country G, who are occasionally also the enemies of the US. I'm sure those adversaries will be delighted to find that the FBI is making their lives easier.
5. One of my favorite sayings is from Isaac Asimov's character Salvor Hardin, who appears in "Foundation": "It's a poor atom blaster that won't point both ways." If the FBI pursues this course of action, then they should expect to have the favor returned by any country with the resources to do so. At least one of those countries has already shown enormous sophistication in its attacks and also enjoys an arbitrarily large manpower advantage.
6. This clearly eliminates the FBI as an investigative agency for domestic incidents, since it can no longer be established that they weren't the ones responsible. How can anyone trust them to investigate honestly when -- if evidence emerges that the FBI itself is culpable -- they will surely suppress that evidence?
[ link to this | view in chronology ]
Re: Re: Yet another government agency making America less safe
It's not only possible, it's easy at this point. The only way this is defeated is by using Tor, or something like scramblesuit with OpenVPN which is a Tor pluggable transport, it randomizes the traffic fingerprint and inter-arrival times of packets. The other way to make yourself safer is to ensure you are using end-to-end encryption so that when your traffic comes out of the VPN endpoint it is still encrypted, however packet length and arrival times can still be measured.
[ link to this | view in chronology ]
Re: Re: Re: Yet another government agency making America less safe
I use VPNs all the time in situations where neither of those is true: in fact I'm using one right now which terminates on a host which can't reach the Internet.
As to the packet length/timing distinguishing making traffic distinguishable: yep. I tend to think future improvements in VPN technology will make that more difficult, but that might be just wishful thinking on my part.
[ link to this | view in chronology ]
Re: Re: Re: Re: Yet another government agency making America less safe
To avoid size fingerprinting, always pad your data packets to a fixed maximum size.
To avoid timing fingerprinting, use a leaky bucket to pace your packets (so the inter-packet timing is always the same), and send an empty packet (still padded to full size) when you don't have any real data packet to send.
Both measures together turn your VPN channel into a fixed-bandwidth channel, from which no size or timing information can be extracted. The only leak left is an active denial-of-service attack (flood the source endpoint, watch the target endpoint stop sending cleartext traffic), or its accidental version (wait for a fiber cut breaking the VPN channel, see what cleartext traffic stops showing up in the other end).
[ link to this | view in chronology ]
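The padding and pacing scheme described in the comment above, sketched as an added example (not code from the commenter or from any VPN project). The 512-byte cell, the 10 ms tick and the 2-byte length header are assumptions, and a real tunnel would encrypt every cell so that dummies cannot be told apart from data.

```python
import struct
from collections import deque

CELL = 512                 # every packet on the wire is exactly this size (assumed)
TICK_MS = 10               # one packet leaves every 10 ms, data or not (assumed)
HDR = struct.Struct("!H")  # real-payload length inside the cell; 0 marks a dummy
ROOM = CELL - HDR.size
DUMMY = HDR.pack(0) + bytes(ROOM)

def to_cells(message: bytes) -> list[bytes]:
    """Split a message into cells, zero-padding each one to the fixed size."""
    return [HDR.pack(len(message[i:i + ROOM])) + message[i:i + ROOM].ljust(ROOM, b"\0")
            for i in range(0, len(message), ROOM)]

def shape(messages, duration_ms):
    """messages: [(arrival_ms, bytes)]. Returns [(send_ms, cell)], one cell per tick."""
    pending = deque(sorted(messages, key=lambda m: m[0]))
    queue, wire = deque(), []
    for now in range(0, duration_ms, TICK_MS):
        # Move everything that has arrived by this tick into the send queue.
        while pending and pending[0][0] <= now:
            queue.extend(to_cells(pending.popleft()[1]))
        # Leaky bucket: exactly one cell per tick, a dummy if nothing is waiting.
        wire.append((now, queue.popleft() if queue else DUMMY))
    return wire

def observer_view(wire):
    """What a passive on-path observer can measure: send time and size only."""
    return [(t, len(cell)) for t, cell in wire]

def reassemble(wire) -> bytes:
    """Receiver side: drop dummies and strip the padding."""
    out = b""
    for _, cell in wire:
        (n,) = HDR.unpack_from(cell)
        out += cell[HDR.size:HDR.size + n]
    return out

# Constructed sample traffic: a small request followed by a 1500-byte burst.
BURSTY = [(0, b"GET /index.html"), (35, b"A" * 1500)]
IDLE = []

if __name__ == "__main__":
    busy, idle = shape(BURSTY, 200), shape(IDLE, 200)
    print("observer sees identical traces:", observer_view(busy) == observer_view(idle))
    print("payload survives:", reassemble(busy) == b"".join(m for _, m in BURSTY))
```

The cost is visible in the queue: data arriving faster than one cell per tick waits, so the channel trades latency and constant bandwidth for the absence of a size or timing signal.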
And as for the clown who recommended this in the DoJ, he should be arrested for treason on the basis of these actions, given that they could easily be considered a casus belli for any country that doesn't like this. Because at least the Russians and the Chinese have a degree of plausible deniability.
And when you have less morality than the Chinese Government, you know you have severe and dangerous issues.
[ link to this | view in chronology ]
Not good suggestions
[ link to this | view in chronology ]
drive-by-downloads - Already deployed against Tor users
indiscriminately infecting computer systems along the way to the target - Stuxnet in Iran
taking control of peripheral devices (such as a camera or microphone). - DROPOUTJEEP for iPhone
Looks like the DOJ already has all the boxes checkmarked.
[ link to this | view in chronology ]
Open invite
[ link to this | view in chronology ]
Question
Most of what the NSA and other agencies do is justified after the fact, through secret legal memos and secret court decisions, that go back and retroactively justify what is going on.
Because we now see the DOJ asking permission, isn't it likely that this has been going on for some time, and they're just now making it "legal?"
[ link to this | view in chronology ]
Re: Question
Not just possible, but very certainly. The NSA does this.
"Because we now see the DOJ asking permission, isn't it likely that this has been going on for some time, and they're just now making it "legal?""
It's already "legal" for the NSA to do this. I think what's happening here is that the FBI wants the same power.
[ link to this | view in chronology ]
Re: Re: Question
Shouldn't the local Ferguson PD also be allowed to do international hacking in order to determine what other, additional illegal activities a Ferguson MO citizen is engaging in if they are anonymous? The crime of being anonymous online should be more than probable cause.
[ link to this | view in chronology ]
Re: Re: Re: Question
And I can't seem to see your face in that profile picture, there is a big shadow over it.
Ah, don't worry about it, "DannyB." With this fancy new software the DOJ is asking for permission to use (Which we have been using for the last two years anyway), we can just turn on your webcam and get a well lit photo ourselves. Don't want to inconvenience you at all.
Oh, and just to make sure the laptop isn't stolen (there's your investigation!), we'll just access your internet history and track which router your MAC address accessed the internet from, and cross-reference that with the names of people living on the street. No need to provide your last name - again, we don't want to inconvenience you.
By the way, what ISP do you use? We'd like to streamline the process - wait, I bet it's either Comcast, AT&T, or Verizon. No worries, we'll take it from here.
Any questions, "DannyB?"
[ link to this | view in chronology ]
Re: Re: Re: Question
"Shouldn't the local Ferguson PD also be allowed to do international hacking in order to determine what other, additional illegal activities a Ferguson MO citizen is engaging in if they are anonymous?"
No.
"The crime of being anonymous online should be more than probable cause."
Being anonymous online is not a crime and it's a pretty huge stretch to call it probable cause of anything. Most people I personally know try to maintain online anonymity, and none of them are breaking laws (that I know of -- at the very least, their desire for anonymity has nothing to do with any such lawbreaking.)
[ link to this | view in chronology ]
DOJ Proposal? DOJ?
[ link to this | view in chronology ]
Re: DOJ Proposal? DOJ?
I should have referred to the FBI.
It is worth noting for many that the NSA is a military organization anyway.
[ link to this | view in chronology ]
Dreifrontenkrieg all over again
It wasn't any smarter when Hitler did it, but then if the U.S. had bothered to learn from history, it would not be where it is now.
[ link to this | view in chronology ]
Re: Dreifrontenkrieg all over again
and yes I know verboten is used incorrectly.
[ link to this | view in chronology ]
America = Hypocrite
Nothing is really new here guys, this is something that the USA and every other country has been doing all along... the difference is now that the self-righteous USA has decided to acknowledge that they have tossed their hat into the same camp as the rest of the bastard governments the world over.
Truly nothing new under the sun!
[ link to this | view in chronology ]
only covers the US, I'm not sure (and could be wrong) how they could be considered anything but hackers outside of US borders/territories, if they gain access to a non-US person's computer.
https://en.wikipedia.org/wiki/Federal_government_of_the_United_States
[ link to this | view in chronology ]
What's the problem?
None of us law abiding citizens would be guilty of that.
If you've got nothing to hide, you have no reason to be anonymous.
/s
[ link to this | view in chronology ]
sounds familiar
here is the link if you are interested:
http://youtu.be/h9wXq6oRBnI
[ link to this | view in chronology ]
Does anyone doubt that Stuxnet would have likely started a war if it had been performed against a nation that had a chance of winning a war against the US -- China for example?
But Iran is too weak, so they had to eat this offense.
[ link to this | view in chronology ]
So you attack a whole network or ISP cos 1 bad person might be using it.
The problem is this leaves back doors in the network which could be used by hackers or other persons to, say, steal IDs, credit card info or financial info.
It seems the USA is ready to go to cyberwar on any country, or network, in order to catch 1 suspect.
It's not as if some US devices and software don't have backdoors built in to them already.
This is the software equivalent of bombing a school containing children to kill 1 enemy, i.e. total overkill.
[ link to this | view in chronology ]
Take one moment to think about how any law is stretched out of bounds to read it is legal and permissible under the present government attitude and you can not help but come to this conclusion.
[ link to this | view in chronology ]
smart ideas
now I guess the smart hackers should join the DOJ or FBI
"we don't need any stinking warrants or any of those what do you call them LAWS"
[ link to this | view in chronology ]
they tried this 15 years ago
don't be retards, and start us all weaponizing cause you fucktard Americans are only 300 million of 7.1 billion
and yes I have the original mug photo, thought about posting it from a personal webserver but why have myself get needlessly targeted by more fucktard Americans
i swear your nation will be the death of humanity
SMARTEN THE FUCK UP
[ link to this | view in chronology ]
Judge Shopping?
Am I misreading this as authorizing the FBI to go magistrate-judge shopping in any districts with connections to the Internet to get warrants for targets that may have committed a crime and have at some time in the past used anonymization software? In other words, everyone?
[ link to this | view in chronology ]