Judge Says FBI Can Hack Computers Without A Warrant Because Computer Users Get Hacked All The Time
from the broken-blinds-policing dept
The FBI's use of a Network Investigative Technique (NIT) to obtain info from the computers of visitors to a seized child porn site has run into all sorts of problems. The biggest problem in most of the cases is that the use of a single warrant issued in Virginia to perform searches of computers all over the nation violated the jurisdictional limits set down by Rule 41(b). Not coincidentally, the FBI is hoping the changes to Rule 41 the DOJ submitted last year will be codified by the end of 2016, in large part because it removes the stipulation that limits searches to the area overseen by the magistrate judge signing the warrant.
For defendant Edward Matish, the limits of Rule 41 don't apply. He resides in the jurisdiction where the warrant was signed. He had challenged the veracity of the data obtained by the NIT, pushing the theory that the FBI's unexamined NIT was insecure (data obtained from targets was sent back to the FBI in unencrypted form) and info could have been altered in transit.
It's not much of a legal theory as any person performing these alterations would have had to know someone was performing long-distance acquisitions of identifying computer information and the IP addresses normally hidden by the use of Tor.
But that questionable legal theory is nothing compared to those handed down in Judge Henry Coke Morgan Jr.'s denial [pdf] of several motions by Matish. As the judge sees it, the FBI really didn't even need a warrant. Morgan Jr. says there's no expectation of privacy in an IP address, even if Tor is used to obscure it, which follows other judges' conclusions on the same matter. However, Morgan Jr. goes much further.
Morgan Jr. hints at the Third Party Doctrine but refuses to consider the fact that this information was not obtained from third parties, but rather directly from the user's computer via the FBI's hacking tool.
The Court recognizes that the NIT used in this case poses questions unique from the conduct at issue in Farrell. In Farrell, the Government never accessed the suspect's computer in order to discover his IP address, whereas here, the Government deployed a set of computer code to Defendant's computer, which in turn instructed Defendant's computer to reveal certain identifying information. The Court, however, disagrees with the magistrate judge in Arterburv. who focused on this distinction, see No. 15-cr-182, ECF No. 42. As the Court understands it, Defendant's IP address was not located on his computer; indeed, it appears that computers can have various IP addresses depending on the networks to which they connect. Rather, Defendant's IP address was revealed in transit when the NIT instructed his computer to send other information to the FBI. The fact that the Government needed to deploy the NIT to a computer does not change the fact that Defendant has no reasonable expectation of privacy in his IP address.
This reading of the Third Party Doctrine closely aligns with how the DOJ prefers it to be read. If someone knowingly or unknowingly turns over identifying info to a third party, it now belongs to the government -- even if the government obtains it directly through a search/seizure, rather than approaching third parties.
But more disturbing than this is Judge Morgan Jr.'s declaration that no expectation of security is the same thing as no expectation of privacy -- first highlighted by Joseph Cox of Motherboard.
“It seems unreasonable to think that a computer connected to the Web is immune from invasion,” Morgan, Jr. adds. “Indeed, the opposite holds true: in today's digital world, it appears to be a virtual certainty that computers accessing the Internet can—and eventually will—be hacked,” he writes, and then points to a series of media reports on high profile hacks. He posits that users of Tor cannot expect to be safe from hackers.
If hackers can break into computers and extract information, then law enforcement can do the same thing without fear of reprisal or suppression of evidence. Morgan Jr. equates it to "broken blinds" on a house window, where previous rulings have said it's perfectly fine for passing police officers to peer into windows that don't completely obscure the house's interior.
[I]n Minnesota v. Carter, the Supreme Court considered whether a police officer who peered through a gap in a home's closed blinds conducted a search in violation of the Fourth Amendment. 525 U.S. 83, 85 (1998). Although the Court did not reach this question, id at 91, Justice Breyer in concurrence determined that the officer's observation did not violate the respondents' Fourth Amendment rights. Id at 103 (Breyer, J., concurring). Justice Breyer noted that the "precautions that the apartment's dwellers took to maintain their privacy would have failed in respect to an ordinary passerby standing" where the police officer stood.
But that flies directly in the face of his previous determination that there's no expectation of privacy in IP addresses, even if a person takes steps to obscure that identifying info. Tor may be imperfect and can be compromised, but applying Morgan Jr.'s analogy to this situation means it's OK for the FBI to not only peer into the interior of a house, but to break the blinds in order to look inside.
The world Judge Morgan Jr. prefers is clear: that law enforcement should not be bound by the constraints of legal activity and, in fact, should be allowed to deploy hacking tools simply because computers get hacked every day. It's a judicial shrug that says the good guys should be able to do everything criminals do because the ends justify the means. Morgan Jr. explicitly states that "the balance weighs heavily in favor of surveillance" in cases like these (child pornography prosecutions) because of the criminal activity involved.
The ends will justify the means in cases like these, if Morgan Jr. is overseeing them. Even if you are sympathetic to the judge's belief that certain crimes call for more drastic law enforcement responses, the fact is that if given this judicial pass, law enforcement will not confine its use of jurisdiction-less warrants and invasive tech tools to only the worst of the worst. We need look no further than the deployment of a Stingray device to track down someone who stole $57 worth of fast food to see how this will play out in real life. The decision -- if it stands -- opens citizens up to a host of invasive, warrantless searches, just because security breaches are common and the pursuit of criminal suspects is more important than protecting citizens from government overreach.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, fbi, hacking, nit, privacy, rights
Reader Comments
Subscribe: RSS
View by: Time | Thread
Judge says that I can shoot anyone I want because people get shot all the time.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
sound about right!
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
It's the double standard that I was pointing out and everyone seemed to miss the point.
[ link to this | view in chronology ]
Re: Re:
Put simpler and slightly more serious, it's because we have a two-tier legal(not justice) system, and those in the higher tier don't have to follow the laws that those of us peons in the lower tier do.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
In other words:
It would not be necessary to stipulate the Fourth Amendment if there weren't tools and ways for invading privacy, and since there are tools and ways for invading privacy, there is no privacy and there is nothing for the Fourth Amendment to protect.
Now this kind of "the Constitution does not know what it is talking about" verdict will not likely survive competent review, but competent review in the U.S. is hard to come by and expensive.
[ link to this | view in chronology ]
Re: In other words:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
So the police can break into a house without a warrant?
The judge is also wrong on the facts. It's not inevitable that a computer will be hacked.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
If crimes are outlawed, only criminals will be able to commit crimes.
[ link to this | view in chronology ]
Re: Re:
PSA: Hey are you sick of SWAT teams breaking your door unannounced at 4AM? Than this is for you! Call 511-NO-PRIVACY and we'll install a Telescreen in your home free of charge.
This we're sure you're an upstanding and productive citizen without having to check up on you from time to time. Because we'll do it ALL THE TIME.
[ link to this | view in chronology ]
Re: Re: Re:
You have been watching too many Hollywood flicks. The FBI is not allowed to break the law. Some laws may have explicit exceptions for law enforcement written into them. And sometimes the FBI can get permission to act in violation of laws. Such permissions are granted by judges on request, and the name for such a request/permission is "warrant".
In the case we are discussing, the FBI expected to be allowed to violate laws without permission, considering themselves not constrained by either law or judge, and use the results of such violation for the sake of making the job they are paid to do easier.
But this is not the Wild West and the FBI is not in the position to create their own laws for convenience and put them into effect.
[ link to this | view in chronology ]
Re: Re: Re: Re:
This has nothing to do with Hollywood flicks. More and more FBI busts look like they're toe tipping the line ever so slightly towards illegal and entrapment.
These guys they arrested are scum no doubt. But going over the law and not getting the warrants means criminals could (and some will) walk free because the evidence might be compromised.
This is even worse than "parallel reconstruction" where they could at least potentially get some useful evidence.
Sure this judge was sympathetic, but all the evidence could be thrown out because all of it was gotten through hacking.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
You still swallowed the Hollywood Koolaid. The problem with the FBI breaking the law is not that "the bad guys get away". The problem is that we are not in Hollywood where good guys and bad guys are distinguished by sneering and kicking puppies, but where people get arrested and prosecuted not because of being bad persons but because of breaking the law.
Once the FBI goes around breaking the law without bothering to follow the procedures availing it of judicially controlled exceptions, the whole idea of a legal system falls apart.
[ link to this | view in chronology ]
Henry Coke Morgan Jr.,
you are a complete moron.
sincerley,
concerned citizen
[ link to this | view in chronology ]
Re:
I looked him up and the guy is 81 years old. No wonder half of the justification reads "because that nice FBI Special Agent said so."
[ link to this | view in chronology ]
it's okay for me, but not okay for you.
Ah no, that is called a Peeping Tom and I'm sure it is highly frowned upon.
[ link to this | view in chronology ]
This decision about FBI hacking you is a ridiculous ruling and I don't believe the federal appellate courts will allow that decision to stand.
[ link to this | view in chronology ]
Re: Drive-by Racism
That is not a "fact" unless you love Stormfront and Fox News. Many crimes committed by whites are not prosecuted so the crime is never a conviction.
A thinking person would realize that law enforcement targeted (poor white and non-white) and visually identifiable communities will produce more arrests & convictions (valid or not) with arrest quotas and as this article demonstrates, a convictions justify illegal means judicial system.
[ link to this | view in chronology ]
It's more than looking through a window
The cop the proceeds to break the window, unlock the door from the inside, walk into the house and do whatever he wants. He could destroy the house. Take the person's personal information. And for some weird reason leaves pornography pinned to all the walls.
He is justified in doing this because anyone could of broken into the house just as easily.
[ link to this | view in chronology ]
Nice logic there, judge. If the US would've used this sort of logic from its inception, it would probably look a lot more like North Korea today.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
No. Just ... No
Distribution of child porn is a felony. By operating a server from which child porn could be retrieved, the government was committing a felony.
Accessing and retrieving information from remote computer systems without authority is a felony. By accessing a remote computer; installing software on it; and using that software to retrieve information without authority to do so, the government was committing a felony.
Accessing a remote computer, whether with or without authority, under the guise of another person or party, is a felony. By using a non-government web site to deliver mal-ware, the government committed a felony.
Forcing a person to commit a crime, or produce evidence that he or she did so is entrapment. By unilaterally retrieving evidence that a person visited a particular (illegal) web site using surreptitious, illegal means, the government was committing entrapment.
The governments actions throughout this entire sorry debacle were utterly indefensible.
And now some judge wants to give the FBI a free pass by saying, 'hey it happens all the time, no big deal'?
I don't think so.
[ link to this | view in chronology ]
Re: No. Just ... No
18 U.S. Code § 2258C(e) is (one of the places) where you find the typical Law Enforcement Exclusion:
Law enforcement is pretty much _always_ excluded from these types of laws.
[ link to this | view in chronology ]
Re: No. Just ... No
Except, if you read the actual laws around it (you don't cite one, so I can't point it out specifically), but lets look at - for example, the CFAA -
more officially known as "18 U.S. Code § 1030 - Fraud and related activity in connection with computers"
18 U.S. Code § 1030(f), reads:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Both ways
Sure some crimes are so heinous that they require more aggressive investigation, but aggressive used to mean greater manpower and resources, not breaking the rules.
[ link to this | view in chronology ]
Re: Both ways
[ link to this | view in chronology ]
Hacked all the time...
[ link to this | view in chronology ]
It's OK because it's a common crime?
[ link to this | view in chronology ]
Quid Pro Quo?
[ link to this | view in chronology ]
Re: Quid Pro Quo?
:)
[ link to this | view in chronology ]
REALLY>>>
The only way I and OTHERS would be HACKED..
Is IF''
Windows is Monitoring us..
Adobe inserted Data probing, to monitor any movie/music we play..
FLASH is monitoring us..
Windows MEDIA is monitoring us..
oh!! WOW,, they are..
And unless you TURN these feature off...THEY WILL..
UNLESS you change to ANOTHER OS...THEY WILL..
AND IM NOT TALKING ABOUT BOT/MALWARE/VIRUS/...
GO out and find the programs to TURN THIS OFF..
[ link to this | view in chronology ]
Interesting
Which means that there can be no "expectation of privacy" in anything, ever, at any time.
Clearly, "expectation of privacy" is now a completely bankrupt notion.
[ link to this | view in chronology ]
Re: Interesting
Yeah, ain't it beautiful?
[ link to this | view in chronology ]
Re: Interesting
The standard of an "expectation of privacy" is also problematic in modern times in that depends of what judges think people should know about the operation of technology.
[ link to this | view in chronology ]
Re: Re: Interesting
Oh but it gets worse, because the using the 'expectation of privacy' as a justification means what can be 'expected' to be private is a category that will always shrink.
Before the general public knew that government agencies scooped up everything they could get their hands on the 'expectation of privacy' might have been higher(though trumped of course by National Security: Be Afraid), but once people learned about it now the 'expectation of privacy' is drastically lesser, because look, everyone knows that the government can and will scoop up everything they can get their hands on, therefore there's no 'expectation' of any privacy to violate, it's already gone.
"It was wrong but still justified before you learned they were doing X, and now that it's general knowledge that they are doing X there's no 'reasonable' expectation that they won't be doing X, because everyone knows that they're doing X, and hence no violation of the law."
[ link to this | view in chronology ]
Re: Re: Interesting
[ link to this | view in chronology ]
I don't see what the problem with what the FBI did
The people that connected to the server did so of their own free will. Their home computers connected to the servers with illegal information on them and requested a download of the images on the server. The fact that it also downloaded the NIT is irrelevant. They deliberately connected to a server that was being used to break the law and requested the server to send them information.
Now, if the FBI was randomly scanning IP addresses and hacking into everyone's home computers then there would be a problem. But in this case, this people being arrested initiated the communication to the server.
The windows blind analogy is incorrect. A better analogy would be if a person called someone else on a telephone asking for illegal pictures and the FBI agent was standing right next to the receiver listening in. Even if the caller tried to disguise their voice the FBI is still allowed to track them down.
Again,the people arrested initiated the contact with the server. There is no illegal search. If they didn't want the NIT downloaded to their computer they shouldn't have been accessing illegal stuff.
[ link to this | view in chronology ]
Re: I don't see what the problem with what the FBI did
[ link to this | view in chronology ]
Re: I don't see what the problem with what the FBI did
A more accurate analogy would be to say that because someone was using a telephone to break the law, that means the cops should be allowed to plant surveillance equipment inside the person's home without a warrant.
[ link to this | view in chronology ]
Peering in through broken window blinds == breaking them???
[ link to this | view in chronology ]
[ link to this | view in chronology ]
So, if a criminal...
[ link to this | view in chronology ]
Change a word...
[ link to this | view in chronology ]
That is not legal.
[ link to this | view in chronology ]
"If criminals without badges can do it so can the government."
Houses get broken into all the time, as such police can break in whenever they want without a warrant.
People are robbed all the time, clearly government agents should be allowed to rob anyone they want with no restraints.
People are assaulted all the time, obviously police and/or government agents should be allowed to beat whoever they want without punishment.
It's really hard to Poe an argument that stupid, because with the kind of 'logic' employed by this judge all of the above makes perfect sense.
So, I take it then that the judge sees absolutely nothing wrong with anyone else hacking a computer or digital device/service? I mean it happens all the time, and if that's all the justification you need to be in the clear then the frequency means it ceases to be a crime, right?
Oh, those rules only apply to those (theoretically) enforcing the laws? Of course, silly me to expect logical and legal consistency from a judge.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Legal "reasoning"
[ link to this | view in chronology ]
Re: Legal "reasoning"
Personally, I don't consider it an unsurmountable burden for them to inform local judges of any planned heists in advance so that they may not get caught on the wrong foot when having to rubberstamp any seizures of persons and properties.
[ link to this | view in chronology ]
Re: Re: Legal "reasoning"
For the police to be "on equal footing with other crime syndicates" in terms of law-breaking?
Like saying it's OK for a priest to go get drunk and visit brothels to catch his flock in the act of sinning.
The purpose of "busts" is to nudge criminals to reveal themselves in the act. What if you happen to be inadvertently caught up in such a bust ? Will it make you feel better that a policeman shot at and shattered one of your bones rather than a thug?
Also, google "roadside cavity searches". Cops have way too much power and too little responsibility. And they're all afraid of Big Bad Black Men with Knives and UZIs.
[ link to this | view in chronology ]
Yet Another Kangaroo Court in the Banana Republic of America
Part Doctrine as pronounced by Constitution shredding, black muumuu wearing court jesters who like to refer to themselves as judges.
[ link to this | view in chronology ]