
Rule 41 Proposes to Grant New Hacking Powers to the Government - DiabloD3
https://www.eff.org/deeplinks/2016/04/rule-41-little-known-committee-proposes-grant-new-hacking-powers-government
======
csoghoian
The FBI has been using malware since at least 2003 [1], probably a few years
before that. Today, the FBI has a dedicated team, the Remote Operations Unit,
based out of Quantico, which does nothing but hack into the computers and
mobile phones of targets. According to one former top FBI official, among the
team's many technical capabilities, is the ability to remotely enable a webcam
without the indicator light turning on [2].

Although DOJ has been using malware for nearly fifteen years, it never sought
a formal expansion of legal authority from Congress. There has never been a
Congressional hearing, nor do DOJ/FBI officials ever talk explicitly about
this capability.

The Rule 41 proposal before this advisory committee was the first ever
opportunity for civil society groups, including my employer, the ACLU, to
weigh in. We, along with several other groups, submitted comments and
testified in person.

Our comments can be seen here [3,4]. Incidentally, it was while doing the
research for our second comment that I discovered that the FBI had
impersonated the Associated Press as part of a malware operation in 2007 [5].

Ultimately, the committee voted to approve the change to the rules requested
by DOJ. In doing so, the committee dismissed the criticism from the civil
society groups, by saying that we misunderstood the role of the committee,
that the committee was not being asked to weigh in on the legality of the use
of hacking by law enforcement, and that "[m]uch of the opposition [to the
proposed rule change] reflected a misunderstanding of the scope of the
proposal...The proposal addresses venue; it does not itself create authority
for electronic searches or alter applicable statutory or constitutional
requirements."

[1] [http://www.nytimes.com/2016/04/14/technology/fbi-tried-to-de...](http://www.nytimes.com/2016/04/14/technology/fbi-tried-to-defeat-encryption-10-years-ago-files-show.html)

[2]
[https://www.washingtonpost.com/business/technology/2013/12/0...](https://www.washingtonpost.com/business/technology/2013/12/06/352ba174-5397-11e3-9e2c-e1d01116fd98_story.html)

[3]
[https://www.aclu.org/sites/default/files/assets/aclu_comment...](https://www.aclu.org/sites/default/files/assets/aclu_comments_on_rule_41.pdf)

[4]
[https://www.aclu.org/files/assets/aclu_comment_on_remote_acc...](https://www.aclu.org/files/assets/aclu_comment_on_remote_access_proposal.pdf)

[5]
[http://bigstory.ap.org/article/23f882720e564b918d83abb18cd5d...](http://bigstory.ap.org/article/23f882720e564b918d83abb18cd5deef/fbi-argument-can-be-made-fake-ap-story-broke-rules)

~~~
tptacek
Thanks for writing this comment. It's deeply informative and useful.

Two things I want to call out, one minor and one more significant. The
significant one first:

Your employer, in the response you linked to, wrote approvingly of Orin Kerr's
proposed alternative language, which would enable the same sort of remote
"hacking" with the new precondition that it be allowed only when it's
impossible for the courts to ascertain the right district.

If ACLU is OK with that narrower language, is it safe to say that you disagree
with your employer? Because your arguments strongly implicate Kerr's proposed
language as well. Put simply: you appear to favor broad restrictions on DOJ's
ability to coercively collect electronic evidence regardless of whether courts
authorize it.

The minor objection I have to your comment is the link to WaPo about the FBI
being able to record video from laptop cameras without lighting the LED.
That's an unsourced anonymous claim that, by my reading, can't possibly be
accurate as stated, since different laptops have different mechanisms and it
is vanishingly unlikely that the FBI has defeated all of them. I'm prepared to
be wrong about this, but expect that I'm not, and would like to know if you
can provide any more evidence backing that extraordinary WaPo claim up.

~~~
csoghoian
1\. My employer, the ACLU, filed two comments in the Rule 41 process.

The first, before public comments were even solicited, resulted in DOJ
dropping one of their proposed changes to rule 41, which would have permitted
the gov to piggyback from a hacked target's computer to a cloud account (such
as Dropbox or Google), rather than the gov going to the cloud provider with a
warrant.

While our first comment does indeed describe and quote from some alternative
language proposed by Orin Kerr, I don't think it is fair to describe that as
evidence of ACLU approval of hacking of users whose location cannot be
determined. For example, in that comment, we note that:

 _[U]nder Professor Kerr’s language, the government would still be able to
obtain warrants to use malware, zero-day exploits, and other techniques that
raise serious constitutional and policy questions._

2\. While some public interest groups and tech policy advocates are publicly
(or, in some cases, privately) embracing the idea of giving law enforcement
formal, regulated hacking powers, in a desperate attempt to push back against
legislative pressure for crypto backdoors, I'm thankful that the ACLU has not
done so. If the organization does at some point decide to come out in favor of
law enforcement hacking, I strongly doubt my name will be on that document.

[I'll note, however, that one of the great perks that come with working for
the ACLU is that it's perfectly OK to disagree with some of the organization's
official policy positions. I'm not forced to toe the company line publicly on
issues in which I disagree.]

3\. Just so all of my cards are on the table. I'm volunteering, unpaid, as an
expert for the defense in several of the Playpen FBI watering hole cases. I am
strongly opposed to bulk hacking, enough so to volunteer my time to helping to
fight the FBI's use of this outrageous surveillance technique.

4\. The FBI being able to remotely activate webcams without the light turning
on is not an "unsourced anonymous claim".

From the Washington Post story, linked to in my comment above:

 _The FBI has been able to covertly activate a computer’s camera — without
triggering the light that lets users know it is recording — for several years,
and has used that technique mainly in terrorism cases or the most serious
criminal investigations, said Marcus Thomas, former assistant director of the
FBI’s Operational Technology Division in Quantico._

~~~
tptacek
I'll ask again. Is it your belief that the claim in this article, that the FBI
can defeat the LED indicator on _every popular laptop camera_, accurately
describes reality?

~~~
csoghoian
I think that _some_ webcam indicator lights are vulnerable to remote
disabling. Although it is certainly possible that some are not, I and most
other users have no way of knowing which lights are reliable, and which ones
are vulnerable.

As such, I put a Band-Aid over my webcam.

Now if only I could figure out an equally easy way to reliably disable my
laptop microphone without opening up the laptop and cutting the cable.

------
tptacek
EFF's misleading summary aside (EFF's gonna EFF), I have a question about the
substantive issue here. Specifically:

How could the FRCP work otherwise? They're in effect saying: if the evidence
pertinent to a crime is online, and is either (a) on Tor or some other service
where we don't know precisely where it is, or (b) on a botnet or some other
environment where it's spread across 100 different jurisdictions, a judge can
issue a warrant to obtain that evidence.

Judges can already issue warrants to obtain electronic evidence in, I think,
exactly the fashion EFF describes here. The limitation they have today is
procedural: they can only issue those warrants in their own court district.

But if you don't _know_ the right court district, or a search would
effectively require you to get warrants in _every_ district, procedural rules
make it hard to get a warrant today. That seems... stupid. The fact that
evidence pertinent to a criminal case is on a Tor hidden service shouldn't
make it inaccessible to the courts.

~~~
pdkl95
> rules make it hard to get a warrant today

Procedural or otherwise, rules that make getting a warrant hard are a feature,
not a bug. Perhaps "hard" is too strong; the 4th Amendment requirement for
_specific_ warrants is intended to add a burden to the warrant process.
Preventing generalizations that make search and seizure easier is the very
reason the 4th Amendment was written.

> require you to get warrants in every district

If a search is to be performed in many districts, then _yes_, that is what
the constitution requires. As for Tor hidden services, I'm going to echo Susan
Landau's advice to Congress during the recent FBI/Apple backdoor hearings. The
FBI needs to update their investigative methods. Modern technology provides
many new ways to investigate. We already know that the NSA, for example, is
very adept at using side channels and metadata.

Your "Tor hidden service" example _assumes_ that giving these powers is the
_only way_ to prosecute some criminal cases. It's basically demonstrating a
lack of creativity.

> inaccessible

Warrants are a permission to conduct a search and seize certain items _if they
find them_. It is not a guarantee that the search will be successful; nor
should it be. Besides, it isn't going to be inaccessible in many cases anyway.
You already know the power of timing attacks and traffic analysis. That should
be enough, in many cases, to figure out which jurisdiction(s) should be
searched. The only reason you would need a warrant in "every" district is if
nobody even bothered investigating.

~~~
tptacek
Why should it be made difficult to get a warrant? I don't understand.

Making it difficult for law enforcement to casually search things without
oversight is a good thing. But making it harder for the courts themselves to
direct searches seems like... I don't know, a bad thing?

~~~
pdkl95
> made difficult

> making it harder

It's not being "made difficult". Nobody is making the warrant process harder.
You're trying to reframe the status quo as a new difficulty in the warrant
process.

------
tomku
As I posted on the other thread about this news, the interpretation that this
gives the government "new hacking powers" is just flat-out wrong, and shame on
the EFF for using it to spread FUD.

The ONLY thing changed by this proposed rule is the venue in which the
government can apply for warrants, expanding it to include any jurisdiction
involved in the crime under those two specific circumstances that the EFF blog
post mentions.

It does NOT change any of the rules of probable cause involved in getting a
warrant. It does NOT grant any kind of "new hacking powers". It does NOT
criminalize Tor or allow law enforcement to get a warrant simply because
someone used Tor.

There are reasons to not like this rule change based on what it actually
means. Misrepresenting things that you don't agree with ultimately hurts your
own side because it makes it trivial for people on the other side to dismiss
your complaints as ignorant and wrong.

~~~
mtgx
Leaving aside the "new hacking powers" thing, I still see two problems with
this:

1) the FBI can go to the same friendly judge over and over again for all hacking
requests. We've seen this kind of problem before like with the DEA going to
the same judge tens of thousands of times for what other judges considered
illegal wiretapping. So at the very least, if this passes, we'll need to
somehow improve the oversight on judges much more than how it currently works.

2) it allows the FBI to hack people from outside of the country as well, even
without permission from other countries to do so, which can cause all sorts of
problems on its own. I believe Russia sued the FBI for doing something similar
about a decade ago.

~~~
tomku
1) This is only partially accurate - it expands the venues for warrant
applications, but it doesn't do it willy-nilly. The government would be
allowed to "shop" for judges inside of the set of jurisdictions where illegal
activity allegedly took place. Obviously if you're conspiracy-minded you could
claim that the government will claim that every hacking attempt includes a
target in Nowhere City, Wyoming where a judge that's particularly enthusiastic
about remote searches is, but that's something that could actually be
challenged at trial. I share your concern about being able to find a "lowest
common denominator" judge though, even if it's not across the entire country.

2) This rule doesn't really change the legality of the FBI hacking foreign
PCs, something that I don't personally support either. It makes it easier to
get warrants that might result in foreign searches, but as you note, just
because a warrant is legal in the US doesn't mean that another country will
smile and say "Oh, it's fine". This is one of the reasons I don't like "remote
searches" in general.

~~~
esbranson
> that's something that could actually be challenged at trial

How so? How is a judicial order challengable because the judge is in Wyoming?
Or are you saying that the defense is going to bring a mind reader to testify
about the motives of the government?

~~~
azernik
When you're at trial, you claim the search warrant is invalid because the
judge lacked jurisdiction, and try to get all the evidence obtained through
that warrant thrown out.

It has NOTHING to do with motive - if the warrant is improperly obtained it
doesn't matter what the motive of the government was.

See e.g. [http://www.socalcriminallawyer.com/challenging-the-validity-...](http://www.socalcriminallawyer.com/challenging-the-validity-of-a-search-warrant-california/)

------
maxerickson
What a great headline to attach to an action signed by the Chief Justice of
the Supreme Court and sent to the leaders of both houses of Congress.

Recent discussion of the rule change:

[https://news.ycombinator.com/item?id=11594597](https://news.ycombinator.com/item?id=11594597)

A smaller one:

[https://news.ycombinator.com/item?id=11604112](https://news.ycombinator.com/item?id=11604112)

~~~
dang
We've taken the distracting "little-known committee" bit out of the title.

Normally we'd treat this thread as a dupe of the first one you linked to, but
this seems to be one of those stories the community wants to discuss
thoroughly, and this thread is pretty good, so we'll leave it up.

------
MichaelBurge
The rules mention that the police must notify the owners of the computers or
information, so police wouldn't be secretly hacking into your computers
without telling you. That actually would be pretty bad.

The malware one seems entirely reasonable to me. If you have malware, chances
are you're aiding criminals by providing them with hardware to commit their
crimes with. Why shouldn't a judge issue a search warrant or have your
computer seized? The computer is literally part of the crime scene. If you
don't like it, don't install malware.

The first one I'm not really sure where it would be used. Is it just, say,
"police are allowed to use TOR vulnerabilities to gain access to the servers
serving .onion links in the course of their investigation"?

I guess their point is that the changes should've been initiated by Congress,
since it's more than procedural. I can buy that, even if the changes
themselves seem innocent enough.

------
pappyo
Every US politician will side on the side of security. If they don't and some
awful terrorist plot happens on US soil under their watch, their political
career is over. If the argument is between fear and an abstract notion of
freedom, fear will always win out.

The only way it changes is if the US does away with career politicians, or
fear of the government becomes > fear of terrorists.

------
joering2
That's fine, they can hack into our computers. It's not like they would plant
something on your computer..

Truly the poison tree and its fruit are both dead.

------
benevol
Official version: "grant new hacking powers"

Reality: "Make legal what has been going on illegally for years"

Ok, land of the free.

------
JustSomeNobody
December, huh? This being an election year we all know this won't happen.

------
___ab___
The Judicial Conference of the United States is neither a "little-known
committee" nor in any way secretive or shady, unless one is totally ignorant of
how the judicial system works. The EFF certainly is not.

The conference is composed of: "the Chief Justice of the United States, the
chief judge of each court of appeals federal regional circuit, a district
court judge from various federal judicial districts, and the chief judge of
the United States Court of International Trade." [0]

You can disagree with their decisions, but don't try and imply that they are
duplicitous. I expect better of the EFF.

[0]
[https://en.wikipedia.org/wiki/Judicial_Conference_of_the_Uni...](https://en.wikipedia.org/wiki/Judicial_Conference_of_the_United_States)

~~~
guelo
I consider myself well read and politically savvy but I had never heard of
this body. When was the last time they made news outside of maybe the narrow
interests of federal trial lawyers?

~~~
rayiner
Java isn't something a guy on the street would recognize, but if you were
writing to a lay audience, would you describe the Oracle v. Google as
involving a "little known programming language"?

That wouldn't be good journalism. It would give the reader an inaccurate
depiction of what the lawsuit is really about. It would be good lawyering,
depending on which side you are on. A classic lawyering tactic is to use the
most favorable (to your side) characterization of something you can justify.

~~~
studentrob
> It would give the reader an inaccurate depiction of what the lawsuit is
> really about

Yeah. Part of the EFF's job is educating _us_. When they add such slant they
lose credibility in my book. They're still great at keeping tabs on government
actions that impact tech.

~~~
rayiner
EFF is an advocacy organization. They're like Sierra Club or PETA.[1] They're
not in the business of neutral analysis; they're in the business of
persuasion. Their job is not to provide the most reasonable take; it's to give
up no ground to their opponents.

[1] Both of which are organizations I hold in high esteem, so that's not a
negative comparison.

~~~
studentrob
> Their job is not to provide the most reasonable take; it's to give up no
> ground to their opponents.

That sounds like a lawyer's perspective. You could say that about anyone
working towards any particular goal. Please pardon my disagreement.

One of the EFF's jobs is to educate technologists. When they use slanted
language, they lose some readers/"students".

The EFF has many roles, including educating and lobbying the government.
Totally fine if you want to call it advocacy too. I often find myself digging
for extra facts after reading their slanted positions. I wish they'd do full
reporting of both sides more often. C'est la vie.

