Tor users could be FBI’s main target if legal power grab succeeds

Tor users could be FBI's main target if legal power grab succeeds

Image of mask courtesy of ShutterstockThe US Department of Justice (DOJ) is proposing a power grab that would make it easier for domestic law enforcement to break into computers of people trying to protect their anonymity via Tor or other anonymizing technologies.

That’s according to a law professor and litigator who deals with constitutional issues that arise in espionage, cybersecurity and counterterrorism prosecutions.

Ahmed Ghappour, a visiting professor at UC Hastings College of the Law, San Francisco, explained the potential ramifications of the legal maneuver in a post published last week.

Concerns center around a DOJ proposal to amend Rule 41 of the Federal Rules of Criminal Procedure – the part that describes the authority necessary to issue a warrant in search and seizure – to lawfully achieve two law enforcement activities:

  1. Piercing Tor, a free, open-source program that bestows online anonymity via a circuit of multilayered, encrypted connections routed through a worldwide volunteer network of servers, and
  2. Ignoring borders and using the internet – now considered a “global commons” – in order to track down extraterritorial evidence.

The latter would be similar to what it did in 2002, when an FBI agent accessed servers in Chelyabinsk, Russia, to seize evidence against Russians that was later used in their criminal trial.

Russia’s Federal Security Service subsequently filed criminal charges against the agent for trespassing on servers located within its borders.

The DOJ explicitly said last year that it’s not looking for that type of power:

This amendment does not purport to authorize courts to issue warrants that authorize the search of electronic storage media located in a foreign country or countries. The Fourth Amendment does not apply to searches of the property of non-United States persons outside the United States ... and the Fourth Amendment's warrant requirement does not apply to searches of United States persons outside the United States

But Professor Ghappour says that in practical terms, that’s exactly what would happen:

The practical reality of the underlying technology means doing so is almost unavoidable.

This is the wording for the proposed change to Rule 41:

Authority to Issue a Warrant. At the request of a federal law enforcement officer or an attorney for the government: (6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.

The proposal is about the so-called Network Investigative Techniques used by US law enforcement to conduct surveillance – techniques that can cause a computer to perform commands as willingly as a well-trained dog.

That can include covertly uploading files, photographs and stored emails to an FBI controlled server; using a computer’s camera or microphone to gather images and sound at any time the FBI chooses; or even taking over computers by, for example, accessing a website hosted on a server that the FBI has secretly programmed to infect any computer that accesses it.

Such techniques come in handy when the law’s pursuing targets on the anonymous internet – most particularly, people covering their location by using Tor and by using so-called “hidden” websites on servers whose locations are theoretically untraceable.

But as far as a Network Investigative Technique is concerned, the physical location of the target computer doesn’t matter, and the DOJ justifies its proposal because these tools are, it says, the only reasonable way to get past anonymizing software:

...because the target of the search has deliberately disguised the location of the media or information to be searched.

As it is, the FBI is using tools – malware, in fact – to track down evidence.

Last month, for example, US courts demanded that the FBI justify its use of drive-by downloads of spyware onto the computers of people visiting child porn sites hidden on Tor.

Professor Ghappour notes that the DOJ’s commentary articulates a standard of searches that would include not only searches within the US but also “where the location of the electronic media is unknown”.

From the DOJ’s commentary:

Under this proposed amendment, law enforcement could seek a warrant either where the electronic media to be searched are within the United States or where the location of the electronic media is unknown. In the latter case, should the media searched prove to be outside the United States, the warrant would have no extraterritorial effect, but the existence of the warrant would support the reasonableness of the search.

Given the global nature of the internet, the latter part appears to grant a loophole that would pretty much open the door wide to overseas searches, Professor Ghappour notes:

For instance, over 85% of computers directly connecting to the Tor network are located outside the United States. And since (according to the DOJ) each computer's "unknown location" is virtually indistinguishable from the next, any law enforcement target pursued under this provision of the amendment may be located overseas.

Just when you thought Surveillance Nation couldn’t get any more Big Brotherish, this proposed amendment could cause a “radical departure” from current policy, wherein the US has, at least generally, adhered to international law, in which one country carrying out law enforcement activities in another, without its consent, is considered an invasion of sovereignty, Ghappour says:

Overseas cyber operations will be unilateral and invasive; they will not be limited to matters of national security; nor will they be executed with the consent of the host country, or any meaningful coordination with the Department of State or other relevant agency.

Ghappour recommends the amendment is thoroughly deliberated with input between technologists, policy makers and lawyers before it’s accepted.

Beyond that, it’s got to respect other states’ sovereignty, and it must disallow weaponized software to establish remote access of target computers or drive-by malware downloads that infect computers indiscriminately, Ghappour said.

If you’d like to comment on the public draft, the public has until 17 February 2015 to do so.

Image of mask courtesy of Shutterstock.