Although DOJ has been using malware for nearly fifteen years, it never sought a formal expansion of legal authority from Congress. There has never been a Congressional hearing, nor do DOJ/FBI officials ever talk explicitly about this capability.
The Rule 41 proposal before this advisory committee was the first ever opportunity for civil society groups, including my employer, the ACLU, to weigh in. We, along with several other groups, submitted comments and testified in person.
Our comments can be seen here [3,4]. Incidentally, it was while doing the research for our second comment that I discovered that the FBI had impersonated the Associated Press as part of a malware operation in 2007.
Ultimately, the committee voted to approve the change to the rules requested by DOJ. In doing so, the committee dismissed the criticism from the civil society groups, by saying that we misunderstood the role of the committee, that the committee was not being asked to weigh in on the legality of the use of hacking by law enforcement, and that "[m]uch of the opposition [to the proposed rule change] reflected a misunderstanding of the scope of the proposal...The proposal addresses venue; it does not itself create authority for electronic searches or alter applicable statutory or constitutional requirements."
Two things I want to call out, one minor and one more significant. The significant one first:
Your employer, in the response you linked to, wrote approvingly of Orin Kerr's proposed alternative language, which would enable the same sort of remote "hacking" with the new precondition that it be allowed only when it's impossible for the courts to ascertain the right district.
If ACLU is OK with that narrower language, is it safe to say that you disagree with your employer? Because your arguments strongly implicate Kerr's proposed language as well. Put simply: you appear to favor broad restrictions on DOJ's ability to coercively collect electronic evidence regardless of whether courts authorize it.
The minor objection I have to your comment is the link to WaPo about the FBI being able to record video from laptop cameras without lighting the LED. That's an unsourced anonymous claim that, by my reading, can't possibly be accurate as stated, since different laptops have different mechanisms and it is vanishingly unlikely that the FBI has defeated all of them. I'm prepared to be wrong about this, but expect that I'm not, and would like to know if you can provide any more evidence backing that extraordinary WaPo claim up.
The first, before public comments were even solicited, resulted in DOJ dropping one of their proposed changes to rule 41, which would have permitted the gov to piggyback from a hacked target's computer to a cloud account (such as Dropbox or Google), rather than the gov going to the cloud provider with a warrant.
While our first comment does indeed describe and quote from some alternative language proposed by Orin Kerr, I don't think it is fair to describe that as evidence of ACLU approval of hacking of users whose location cannot be determined. For example, in that comment, we note that:
[U]nder Professor Kerr’s language, the government would still be able to obtain warrants to use malware, zero-day exploits, and other techniques that raise serious constitutional and policy questions.
2. While some public interest groups and tech policy advocates are publicly (or, in some cases, privately) embracing the idea of giving law enforcement formal, regulated hacking powers, in a desperate attempt to push back against legislative pressure for crypto backdoors, I'm thankful that the ACLU has not done so. If the organization does at some point decide to come out in favor of law enforcement hacking, I strongly doubt my name will be on that document.
[I'll note, however, that one of the great perks that come with working for the ACLU is that it's perfectly OK to disagree with some of the organization's official policy positions. I'm not forced to toe the company line publicly on issues in which I disagree.]
3. Just so all of my cards are on the table. I'm volunteering, unpaid, as an expert for the defense in several of the Playpen FBI watering hole cases. I am strongly opposed to bulk hacking, enough so to volunteer my time to helping to fight the FBI's use of this outrageous surveillance technique.
4. The FBI being able to remotely activate webcams without the light turning on is not an "unsourced anonymous claim".
From the Washington Post story, linked to in my comment above:
The FBI has been able to covertly activate a computer’s camera — without triggering the light that lets users know it is recording — for several years, and has used that technique mainly in terrorism cases or the most serious criminal investigations, said Marcus Thomas, former assistant director of the FBI’s Operational Technology Division in Quantico.
As such, I put a Band-Aid over my webcam.
Now if only I could figure out an equally easy way to reliably disable my laptop microphone without opening up the laptop and cutting the cable.
It is trivial to create software to not turn on the light.
The light is not considered by manufacturers to be a security feature, or something to warn a user that someone other than the user is using the webcam; it is simply there to inform the user when their cam is active using normal "friendly" software. It is a convenience feature, not a security feature.
Many commercial management and security software packages sold to schools, corporations, and individuals have the ability to turn on the webcam without illuminating the light; this is often billed as a "theft prevention" feature.
Several schools have gotten in trouble for using this feature to spy on students using school-owned laptops.
In short, they do not have to "defeat all of the laptops"; they just have to write a program for Windows and get 99% of them. The capability is already in the OS; the harder part is installing it without the user knowing, and hiding the process from the user... Disabling the LED is trivial.
Is disabling the LED on a modern Macbook trivial? I'm genuinely asking. If so, can you provide a link demonstrating how? The ability to override the LED on the old iSight cameras was interesting enough that the paper demonstrating it got published at USENIX.
I personally have never and will never own an Apple product, so I cannot say what is true or not true in the Apple space; I speak to the 90% of other computers running Windows operating systems.
Macs are better left to the history books.
How could the FRCP work otherwise? They're in effect saying: if the evidence pertinent to a crime is online, and is either (a) on Tor or some other service where we don't know precisely where it is, or (b) on a botnet or some other environment where it's spread across 100 different jurisdictions, a judge can issue a warrant to obtain that evidence.
Judges can already issue warrants to obtain electronic evidence in, I think, exactly the fashion EFF describes here. The limitation they have today is procedural: they can only issue those warrants in their own court district.
But if you don't know the right court district, or a search would effectively require you to get warrants in every district, procedural rules make it hard to get a warrant today. That seems... stupid. The fact that evidence pertinent to a criminal case is on a Tor hidden service shouldn't make it inaccessible to the courts.
The three Tor watering hole operations (Freedom Hosting, Torpedo and Playpen) are the only cases we know of where DOJ has obtained a warrant from a single judge which it then used to conduct searches on hundreds or thousands of computers. DOJ did not seek new powers to conduct bulk searches/hacks from Congress, they just went ahead and got an ex-parte warrant from a judge. In the case of Freedom Hosting, it looks like they also screwed up and then hacked the computers of innocent people visiting other, non-contraband sites hosted on the same server.
I think that reasonable people can disagree about whether or not it makes sense to allow a judge to sign a warrant to hack a single computer in an unknown location which is probably outside of his or her district. Bulk hacks are very, very different, and a very new thing for our legal system.
However, I'm compelled to point out that the courts routinely order searches on parties that turn out to be uninvolved with a case, or even to the wrong people already. The standard of accuracy here is much lower than you make it out to be.
On the issue of courts authorizing the searching of wrong people, we don't know if the court in Freedom Hosting even knew that the government would deliver the malware to innocent people who were merely visiting other websites hosted from the same server as the contraband sites targeted by the warrant. We don't know this, because three years later, the Freedom Hosting search warrant is still sealed.
If the courts are routinely signing search warrants on parties that are not involved in cases or criminal activity, that highlights how much of a rubber stamp the warrant process has become, and how little "probable cause" means any more.
Probable cause has become "Judge we want to search this place".
The point of a search warrant isn't to establish guilt! It's merely to ensure that the search is connected to a legitimate investigation --- and legitimate dragnet investigations are common! --- and not as an instrument of harassment.
They should not be, that is my point.
The purpose of the 4th Amendment is to require the police to have a probable reason that a crime has been committed, AND to define what EXACTLY they are looking for, and where EXACTLY they are looking for it at.
The fact that judges can sign warrants for all computers in the nation, or entire city blocks, should be considered unconstitutional.
That is a General Warrant, something the Founders were very very very very much opposed to.
> not as an instrument of harassment.
General Warrants, which is what is being talked about here, are in fact an instrument of harassment.
Rubber stamping warrants without any actual probable cause is also an instrument of harassment.
If you believe having your door busted down by armed men at 3am because you tossed the loose leaf tea in the trash bin is not harassment, then I shudder to think what your definition would be.
The real issue seems to be what evidence you need to have probable cause to search a thousand computers. I'm willing to believe the standard being applied is too low, but the Rule 41 changes don't change that standard one way or the other.
Procedural or otherwise, rules that make getting a warrant hard are a feature, not a bug. Perhaps "hard" is too strong; the 4th Amendment requirement for specific warrants is intended to add a burden to the warrant process. Preventing generalizations that make search and seizure easier is the very reason the 4th Amendment was written.
> require you to get warrants in every district
If a search is to be performed in many districts, then yes, that is what the constitution requires. As for Tor hidden services, I'm going to echo Susan Landau's advice to Congress during the recent FBI/Apple backdoor hearings. The FBI needs to update their investigative methods. Modern technology provides many new ways to investigate. We already know that the NSA, for example, is very adept at using side channels and metadata.
Your "Tor hidden service" example assumes that giving these powers is the only way to prosecute some criminal cases. It's basically demonstrating a lack of creativity.
Warrants are a permission to conduct a search and seize certain items if they find them. It is not a guarantee that the search will be successful; nor should it be. Besides, it isn't going to be inaccessible in many cases anyway. You already know the power of timing attacks and traffic analysis. That should be enough, in many cases, to figure out which jurisdiction(s) should be searched. The only reason you would need a warrant in "every" district is if nobody even bothered investigating.
Meanwhile, the Feds can easily get a warrant for some innocuous stuff like selling raw milk because locating a real business is easy.
This just deals with an issue of where you know the specific server or network of servers you want to search but can't know where they are physically located. This just enable a dragnet to go search random computers.
Making it difficult for law enforcement to casually search things without oversight is a good thing. But making it harder for the courts themselves to direct searches seems like... I don't know, a bad thing?
> making it harder
It's not being "made difficult". Nobody is making the warrant process harder. You're trying to reframe the status quo as a new difficulty in the warrant process.
It might be someplace that doesn't let governments use NITs at all.
There is another way to go: warrants for the Tor exit node, then middle node, then guard. And if you can't justify those---especially hard for the middle node---that's not just a procedural issue, but a substantive problem.
I can do the real world equivalent of using tor by setting up a secure corporate structure and then commit for example insider trading.
I don't fundamentally have a problem with the part of the ruling that allows serving a warrant to a specific party of unknown jurisdiction, based on evidence of criminal activity; however, I do think the terms of the warrant should require that as soon as an appropriate jurisdiction is determined the warrant must be re-issued from a court with that jurisdiction before any evidence can be used. (At the very least, that would result in most such warrants going to a federal court, rather than some local court. Wouldn't help much for international cases, but it's a step in the right direction.)
I do have a problem with the idea that a blanket warrant could be issued to "all operators of Tor nodes", just as I have a problem with the idea that a warrant could be issued to "all operators of Internet routers". Mass surveillance isn't any more acceptable with a warrant than without one.
There's very little courts can do, besides issuing countless subpoenas and search warrants, which has been the standard way of handling criminal investigations for decades now.
Here's a telephony related example: http://www.nytimes.com/2015/11/29/magazine/the-serial-swatte... ctrl+f subpoenas
The ONLY thing changed by this proposed rule is the venue in which the government can apply for warrants, expanding it to include any jurisdiction involved in the crime under those two specific circumstances that the EFF blog post mentions.
It does NOT change any of the rules of probable cause involved in getting a warrant. It does NOT grant any kind of "new hacking powers". It does NOT criminalize Tor or allow law enforcement to get a warrant simply because someone used Tor.
There are reasons to not like this rule change based on what it actually means. Misrepresenting things that you don't agree with ultimately hurts your own side because it makes it trivial for people on the other side to dismiss your complaints as ignorant and wrong.
1) the FBI can go the same friendly judge over and over again for all hacking requests. We've seen this kind of problem before like with the DEA going to the same judge tens of thousands of times for what other judges considered illegal wiretapping. So at the very least, if this passes, we'll need to somehow improve the oversight on judges much more than how it currently works.
2) it allows the FBI to hack people from outside of the country as well, even without permission from other countries to do so, which can cause all sorts of problems on its own. I believe Russia sued the FBI for doing something similar about a decade ago.
2) This rule doesn't really change the legality of the FBI hacking foreign PCs, something that I don't personally support either. It makes it easier to get warrants that might result in foreign searches, but as you note, just because a warrant is legal in the US doesn't mean that another country will smile and say "Oh, it's fine". This is one of the reasons I don't like "remote searches" in general.
How so? How is a judicial order challengeable because the judge is in Wyoming? Or are you saying that the defense is going to bring a mind reader to testify about the motives of the government?
It has NOTHING to do with motive - if the warrant is improperly obtained it doesn't matter what the motive of the government was.
See e.g. http://www.socalcriminallawyer.com/challenging-the-validity-...
In all seriousness, not a stretch to believe a war might start due to something like this.
Recent discussion of the rule change:
A smaller one:
Normally we'd treat this thread as a dupe of the first one you linked to, but this seems to be one of those stories the community wants to discuss thoroughly, and this thread is pretty good, so we'll leave it up.
The malware one seems entirely reasonable to me. If you have malware, chances are you're aiding criminals by providing them with hardware to commit their crimes with. Why shouldn't a judge issue a search warrant or have your computer seized? The computer is literally part of the crime scene. If you don't like it, don't install malware.
The first one I'm not really sure where it would be used. Is it just, say, "police are allowed to use TOR vulnerabilities to gain access to the servers serving .onion links in the course of their investigation"?
I guess their point is that the changes should've been initiated by Congress, since it's more than procedural. I can buy that, even if the changes themselves seem innocent enough.
The only way it changes is if the US does away with career politicians, or fear of the government becomes > fear of terrorists.
Truly the poison tree and its fruit are both dead.
Reality: "Make legal what has been going on illegally for years"
Ok, land of the free.
The conference is composed of: "the Chief Justice of the United States, the chief judge of each court of appeals federal regional circuit, a district court judge from various federal judicial districts, and the chief judge of the United States Court of International Trade." 
You can disagree with their decisions, but don't try and imply that they are duplicitous. I expect better of the EFF.
That wouldn't be good journalism. It would give the reader an inaccurate depiction of what the lawsuit is really about. It would be good lawyering, depending on which side you are on. A classic lawyering tactic is to use the most favorable (to your side) characterization of something you can justify.
Yeah. Part of the EFF's job is educating us. When they add such slant they lose credibility in my book. They're still great at keeping tabs on government actions that impact tech.
 Both of which are organizations I hold in high esteem, so that's not a negative comparison.
That sounds like a lawyer's perspective. You could say that about anyone working towards any particular goal. Please pardon my disagreement.
One of the EFF's jobs is to educate technologists. When they use slanted language, they lose some readers/"students".
The EFF has many roles, including educating and lobbying the government. Totally fine if you want to call it advocacy too. I often find myself digging for extra facts after reading their slanted positions. I wish they'd do full reporting of both sides more often. C'est la vie.
If it barely entered the public consciousness, sure.
> I had never heard of this body
I think you may want to reconsider your self-image.
Did you take your educated guess at that fraction?
I find it very unlikely that you don't understand this.
I bet if you ask 100 random people, not 10 would know what Stripe is. Not 10 would know what Angular is. But would you ever describe either of those as "little known"?
I think in this situation it implies that even if you're in the domain you aren't aware... and on this it's not really the case right?
And since I'm here now I'll throw out my opinion on the meat of the story.
I use Tor a lot and am not based in the US and am not American. If America gives itself the legal ability to hack anyone, anywhere regardless of what they are doing then all American networks/nodes/people are open to hacking and posting publicly. That includes all private people, public people, everything from correspondence to baby monitor cameras. It calls for an open season against those countries whereby we air every single person's dirty laundry in as public a way as possible.
It is similar to Europeans like UK, where certain people there think they can hack all people everywhere, legally, with complete immunity.
Excuse my parlance but fuck everything about that. That is a system balanced way too far in one direction.
But hey, that guy said 'little-known' about the Judicial Conference of the United States. That's what is important to Americans...
Posted without Tor because I still live in a free country and am not afraid to speak up.
They know perfectly well what they are doing. They know it leads to people talking about the stuff they exaggerated rather than the actual issue. They know that it turns away reasonable people. They are gambling that they can whip up an ignorant mob as with SOPA. The difference there was that a bunch of high profile corporations and capitalists had a financial interest in that fight and were happy to fuel the outrage machine to get their way.
Why would the EFF want to turn away reasonable people?
Here's the rub (for me). If what you say is correct then to my mind the EFF is doing you a favor. If people don't get at least a little riled up about this then it will go through like all the other rubbish being passed around the world and you will be left with the consequences.
The arrogance is absolutely astounding, on a level with 16th century Britain. To think that you can do what you want, to whomever you want, wherever you want in a completely legal manner is disgustingly arrogant and will lead to the same problems as it always has throughout western history.
We have been here before. Technology changes but people (unfortunately) do not. The people pushing this kind of legislation will suffer the least, ordinary Americans will take the brunt for them. That is your choice - is this move representative of you and if not - will you do anything to stop it?
edit: excuse my ignorance but this is actually about warrants through proper court mechanisms? I'm okay with proper warrant procedures through proper (ie. not FISA) court systems. I don't hold US courts highly compared to others but every country needs proper procedures.
Someone might comment that the gov't does the same thing, but that's no excuse for such intellectual dishonesty.
The Judicial Conference is currently the subject of a lawsuit for being secretive, shady and duplicitous. (A serious lawsuit on a serious issue, with a serious chance of success.) So I think this statement is a bit subjective.
Or maybe it's that you mean secrets, when legally kept, are not secrets.
Bloggers exaggerate. And commenters like to point that out. Sometimes I hear that commenters even like to overreact to things.
Now, I've been following this issue. I did not know about this committee. I daresay I could pull 100 hackers from a room and most of them wouldn't know of it either.
So for purposes of "legal people", yes, you are correct. What an overstatement! But that's not the audience here, and the headline works -- and it is not an exaggeration.
I'd bet 99 out of 100 non-lawyers wouldn't have a clue about this group of people.