Botnet Bill Could Give FBI Permission To Take Warrantless Peeks At The Contents Of People's Computers
from the mind-if-we-take-a-look-around,-they-asked-never dept
In a recent ruling in a child porn investigation case, a judge declared that the FBI's Network Investigative Technique (NIT) -- which sent identifying user info from the suspect's computer to the FBI -- was the equivalent of a passing cop peering through broken blinds into a house.
[I]n Minnesota v. Carter, the Supreme Court considered whether a police officer who peered through a gap in a home's closed blinds conducted a search in violation of the Fourth Amendment. 525 U.S. 83, 85 (1998). Although the Court did not reach this question, id at 91, Justice Breyer in concurrence determined that the officer's observation did not violate the respondents' Fourth Amendment rights. Id at 103 (Breyer, J., concurring). Justice Breyer noted that the "precautions that the apartment's dwellers took to maintain their privacy would have failed in respect to an ordinary passerby standing" where the police officer stood.
What would normally be awarded an expectation of privacy under the Fourth Amendment becomes subject to the "plain view" warrant exception. If a passerby could see into the house via the broken blinds, there's nothing to prevent law enforcement from enjoying the same view -- and acting on it with a warrantless search.
Of course, in this analogy, the NIT -- sent from an FBI-controlled server to unsuspecting users' computers -- is the equivalent of a law enforcement officer first entering the house to break the blinds and then claiming he saw something through the busted slats.
The DOJ may be headed into the business of breaking blinds in bulk. Innocuous-sounding legislation that would allow the FBI to shut down botnets contains some serious privacy implications.
Senators Whitehouse (D-RI), Graham (R-SC), and Blumenthal (D-CT) introduced the Botnet Prevention Act in May, which (among other things) amends the portion of federal law (18 U.S.C. § 1345) that authorizes these injunctions. The bill would expand § 1345 by adding violations of a section of the Computer Fraud and Abuse Act (“CFAA”) that covers botnets (and more) to the list of offenses that trigger the DOJ’s ability to get an injunction.
More specifically, it would allow injunctions in all violations or attempted violations of subsection (a)(5) of the CFAA that result or could result in damage to 100 or more computers in a year, including any case involving the “impair[ment of] the availability or integrity of the protected computers without authorization,” or the “install[ation] or maintain[nance of] control over malicious software on the protected computers” that “caused or would cause damage” to the protected computers.
It only sounds like a good idea: the government riding to the rescue of unaware computer users whose devices have been pressed into service by malware purveyors and criminals. But, as Gabe Rottman of CDT points out, there's some vague wording in the existing law that would undercut important Fourth Amendment protections when used in conjunction with the DOJ's botnet-fighting powers.
Buried deep within § 1345(b) is a single phrase that could open up a number of thorny issues when this injunctive authority is applied to botnets. The section not only allows the government to obtain a restraining order that stops someone from doing something nefarious, but also an order that directs someone to “take such other action, as is warranted to prevent a continuing and substantial injury . . . .”
Rottman points to the FBI's 2011 shutdown of the Coreflood botnet. After obtaining a restraining order under the federal rule, the FBI used its own server to issue commands to infected computers, halting further spread of the malware and shutting down the software on infected host devices. Again, this seems like a good use of the government's resources until you take a closer look at what's actually happening when the FBI does this sort of thing.
The court hearing the Coreflood case accepted the government’s argument that the “community caretaker” doctrine allowed the transmission of the shutdown order, as the action was “totally divorced from the detection, investigation, or acquisition of evidence relating to the violation of a criminal statute.” At the time, the government likened its actions to a police officer who, while responding to a break-in, finds the door to a house open or ajar and then closes it to secure the premises.
The "community caretaker" function is one exception to the warrant requirement. Accessing people's computers without their permission under these auspices then allows the FBI to avail itself of a second warrant exception: plain view.
In order to scrub private computers for malware, the government would, by necessity, have to search the computer and its contents for the malware. Once the door is ajar, rather than closing it, the police would actually “walk in” to the computer. And anything they find in “plain view” can be used as evidence of a crime. Nothing in the current version of the bill would prevent such a search or collection, giving the government the potential means to search countless computers of victims of the botnet (not the perpetrators) without a warrant.
While these are both valid exceptions to warrant requirements, they've never been deployed on this sort of scale. Officers can perform community caretaker functions that may result in contraband being discovered in plain view. When the FBI takes on a botnet, however, it will have access to potentially thousands of computers at a time and the legislated permission to not only "enter" these computers, but to take a look around at the contents.
The Fourth Amendment was put into place to end the practice of general warrants. The FBI's botnet-fighting efforts turn court-ordered injunctions into digital general warrants, only without the pesky "warrant" part of the phrase. And, unlike other warrants, the proposed legislation would do away with another Fourth Amendment nicety: notification.
As CDT noted in its comments on the Rule 41 change mentioned above, potentially as many as a third of computers in the United States are infected with some form of malware. And, botnets are extremely hard to clean up, especially when you depend on victims to voluntarily submit their computers for cleaning. Given this reality, unless notice is required by statute, law enforcement would have an incentive to dispense with notice in the much wider array of shutdowns permitted under the Graham-Whitehouse bill.
The bill has only been introduced and there's no forward motion as of yet. It's in need of serious repair before it heads further up the legislative chain. As it's written, there's nothing standing between people's personal files and a host of digital officers wandering through virtual houses in search of malware and searching/seizing anything else that catches their eye.
Filed Under: botnet, botnet prevention act, congress, fbi, hacking, lindsey graham, richard blumenthal, sheldon whitehouse, warrants
Reader Comments
Just wondering...
...
Nah, I'm sure the paragons of virtue in the FBI would never do something like that given the total respect they have for the rights and privacy of the public, such that they would never abuse their power in such a manner. Never mind, I see now it was a silly thought and one completely divorced from reality.
Re: Just wondering...
What makes you think they cannot make bloody sure the system was infected? An attack vector for a secret search and an attack vector for an infection are pretty much the same thing. They just put through a different payload.
Re: Re: Just wondering...
The very idea that they would themselves infect a system in order to have an excuse to search it is just beyond absurd, and in fact you should feel ashamed for expressing or even having doubt about such a sterling and law abiding agency, as such thoughts are absolutely un-American and dare I say it even a little red.
This could well be the last bill the senators get to pass without being pressured by a threat of child porn or terrorist materials being 'found' on their computers.
I mean, shouldn't you make sure your own house is clean before telling us that ours aren't?
Re:
Besides, there are other ways to prove the illegal material was put there by you - once they have the evidence, they only need to get a search warrant for your whole house.
What exactly is PLAIN VIEW in this case?
So far, I don't have a big problem here -- although I trust the government in my computer even less than I trust the malware.
Now the question. What is plain view? Even if the FBI injects a software payload into the computer's memory to look for very specific things; what is 'plain view' as far as anything else I have on my computer?
It's not like this injected software has artificial intelligence and can say: oh, my, that's pr0n! Or that file has a very anti-government file name (gasp!).
The only way ANYTHING would be in 'plain view' is if they start exhaustively searching the computer for things. And those searches would be by nature of a search, directed at specific targets.
Or would the FBI have a live agent interacting with the FBI's malware, so the agent could selectively view files with names that seem interesting to the agent? And would such an approach scale?
Re: What exactly is PLAIN VIEW in this case?
not to mention one of the reasons WHY we are all extra vulnerable is because the spooks are hoarding zero-day exploits they refuse to reveal which would actually help protect us all; OR, they have actually written (or paid some hackers to program) malware and other intrusive software which i am absolutely certain never finds its way into the sweaty palms of nogoodniks...
The 3 branches are just one branch working together to fuck the citizens over, its getting time to overthrow the tyrants.
Coming soon...
Re: Coming sooner...
The government already has shown a willingness to operate CP servers, a botnet would just help fill their "toolbox".
Even if it made past illegal actions retroactively pardoned because of this bill it would never have stopped them from doing it in the first place.
Re:
"Before this bill we couldn't do X legally(we still did it of course), but now we can. Y was an even more invasive action, but at the time we figured that we were toeing the line enough with X, so we held off. Now that we can do X though, Y's not that much worse..."
A government; by any other name, still smells.
Should be less than a decade now, till we start getting some good old fashioned and obviously-illegal defense software for the home and office.
You know, little apps that can determine the presence of unauthorized "users", verify that they are indeed unauthorized, backtrack to their origin, ascertain that the origin is indeed the actual source of the intrusion and upload a nastygram-destructo-dragon-worm on the perps there, turning their computers into smouldering door-stops and ending that particular intrusion, in just a few seconds.
Yeah sure there will be some mistakes at first and a few innocents will be mistakenly cyber-assaulted, but time will force the public to begin demanding something for the defense of their property against a government that follows no rules and obeys no laws.
I'm hoping it is sooner, rather than later, because this situation is not going to get any better over time, when the perps are also the people who selectively uphold the laws of the land and who are themselves now only accountable to the set of secret rules and laws that they themselves wrote.
Push the public far enough and often enough and they will push back.
What does one call a "government" whose actions follow no rules and obey no laws?
A "gang" might suit.