The US Department of Justice (DOJ) is proposing a power grab that would make it easier for domestic law enforcement to obtain warrants to break into the computers of people trying to protect their anonymity via Tor or other anonymizing technologies.
That’s according to a law professor and litigator who deals with constitutional issues that arise in espionage, cybersecurity and counterterrorism prosecutions.
Ahmed Ghappour, a visiting professor at UC Hastings College of the Law, San Francisco, explained the potential ramifications of the legal maneuver in a post published last week.
Concerns center on a DOJ proposal to amend Rule 41 of the Federal Rules of Criminal Procedure – the rule that sets out which court has authority to issue a search and seizure warrant – so as to lawfully authorize two law enforcement activities:
- Piercing Tor, a free, open-source program that bestows online anonymity via a circuit of multilayered, encrypted connections routed through a worldwide volunteer network of servers, and
- Ignoring borders and using the internet – now considered a “global commons” – in order to track down extraterritorial evidence.
The latter would be similar to what the FBI did in 2002, when an agent accessed servers in Chelyabinsk, Russia, to seize evidence against Russian suspects that was later used in their criminal trial.
Russia’s Federal Security Service subsequently filed criminal charges against the agent for trespassing on servers located within its borders.
The DOJ explicitly said last year that it’s not looking for that type of power:
This amendment does not purport to authorize courts to issue warrants that authorize the search of electronic storage media located in a foreign country or countries. The Fourth Amendment does not apply to searches of the property of non-United States persons outside the United States ... and the Fourth Amendment's warrant requirement does not apply to searches of United States persons outside the United States
But Professor Ghappour says that in practical terms, that’s exactly what would happen:
The practical reality of the underlying technology means doing so is almost unavoidable.
This is the wording for the proposed change to Rule 41:
Authority to Issue a Warrant. At the request of a federal law enforcement officer or an attorney for the government: (6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.
The proposal concerns the so-called Network Investigative Techniques (NITs) that US law enforcement uses to conduct surveillance – remote-access techniques that make a target computer carry out the investigator’s commands as obediently as a well-trained dog.
That can include covertly uploading files, photographs and stored emails to an FBI-controlled server; switching on a computer’s camera or microphone to gather images and sound whenever the FBI chooses; or taking over computers outright by, for example, luring them to a website hosted on a server that the FBI has secretly rigged to infect any computer that visits it.
Such techniques come in handy when law enforcement is pursuing targets on the anonymous internet – most particularly, people concealing their location by using Tor, and operators of so-called “hidden” websites hosted on servers whose locations are, in theory, untraceable.
As far as a Network Investigative Technique is concerned, the physical location of the target computer doesn’t matter, and the DOJ justifies its proposal on the grounds that such tools are, it says, the only reasonable way to get past anonymizing software:
...because the target of the search has deliberately disguised the location of the media or information to be searched.
The FBI is already using such tools – malware, in fact – to track down evidence.
Last month, for example, US courts demanded that the FBI justify its use of drive-by downloads of spyware onto the computers of people visiting child abuse sites hidden on Tor.
Professor Ghappour notes that the DOJ’s commentary articulates a standard of searches that would include not only searches within the US but also “where the location of the electronic media is unknown”.
From the DOJ’s commentary:
Under this proposed amendment, law enforcement could seek a warrant either where the electronic media to be searched are within the United States or where the location of the electronic media is unknown. In the latter case, should the media searched prove to be outside the United States, the warrant would have no extraterritorial effect, but the existence of the warrant would support the reasonableness of the search.
Given the global nature of the internet, that second sentence amounts to a loophole that would open the door wide to overseas searches, Professor Ghappour notes:
For instance, over 85% of computers directly connecting to the Tor network are located outside the United States. And since (according to the DOJ) each computer's "unknown location" is virtually indistinguishable from the next, any law enforcement target pursued under this provision of the amendment may be located overseas.
Just when you thought Surveillance Nation couldn’t get any more Big Brotherish, the proposed amendment could bring about a “radical departure” from current policy, under which the US has, at least generally, adhered to the international-law principle that one country carrying out law enforcement activities in another without its consent is an invasion of sovereignty, Ghappour says:
Overseas cyber operations will be unilateral and invasive; they will not be limited to matters of national security; nor will they be executed with the consent of the host country, or any meaningful coordination with the Department of State or other relevant agency.
Ghappour recommends that the amendment be thoroughly deliberated, with input from technologists, policy makers and lawyers, before it is adopted.
Beyond that, he says, it must respect other states’ sovereignty, and it must rule out both weaponized software used to establish remote access to target computers and drive-by malware downloads that infect computers indiscriminately.
The public comment period on the proposed amendment runs until 17 February 2015.
I wish everyone used TOR.
The FBI and the NSA would go nuts.
“or even taking over computers by, for example, accessing a website hosted on a server that the FBI has secretly programmed to infect any computer that accesses it.”: You write as if this were no big deal, as if every combination of browser, add-ons, operating system, and hardware has some vulnerability known to spooks that can be exploited to “take over”. That’s fine as a paranoid assumption, but is it genuinely the case? In particular, does Sophos really believe this to be the case even for machines equipped with its products? If so, it seems to me the company should close up shop.
My apologies. As you pointed out—and Paul Ducklin concurs with you, as do I—I used the word “easier” in the article in a way that seemed to conflate “to extend law enforcement’s rights to surveillance” and “to make it technically simpler to achieve the break-in in the first place.”
That was not my intention, and I regret giving this impression. I was thinking of the amendment’s easing of leaping legal hurdles, not technical ones.
A well-protected computer is not trivial to take over, of course, and I’ll make sure that when I address legal matters in the future, I don’t muddy the issue in this way.
Thanks for the feedback.
Sure they do.. they come masked as “security updates” and weekly patches.. You’re served a warrant that you can never disclose on the.. sic terror aspect.. that for a week or so you need to make a patch available in your software with xyz traits, and after that you can unpatch and pretend it never happened.. It’s not that hard see.. and if word gets caught up.. tip on the next Heartbleed.
“If you’d like to comment on the public draft, the public has until 17 February 2015 to do so.”
After which, regardless of the comments, the DOJ will go ahead and implement the power grab anyway.
The First Amendment guarantees the people the right to petition the government for redress of grievances. However, it does not require the government to actually redress grievances.
The government keeps coming up with a few cases where the bad guys used TOR. What about the thousands, maybe millions, of criminals who use IE, Firefox, Chrome, etc.? Should we ban those browsers too?
I really wish we didn’t have people in Congress who don’t understand what Netflix is making decisions about laws that affect security and privacy rights for the internet.
This strengthens my impression that the real terrorist threat to the UK is from organisations like the CIA rather than Islamist extremists.