DOJ seeks to lift limits on hacking into suspects' computers
The US Justice Department wants authorities to have more leeway to hack into computers - at times with “zero-day exploits” on software vulnerabilities - amid criminal probes. Critics say the plan could violate privacy rights and lead to online insecurity.
The Justice Department (DOJ) is urging a federal committee of judges that referee national policy regarding criminal inquiries to eliminate geographical restrictions attached to search warrants during computer investigations. Currently, the law permits magistrate judges to clear searches only within their judicial districts. The limit, supporters say, has been a check on government overreach pertaining to Fourth Amendment privacy rights.
The new plan would allow law enforcement to “use remote access” to search computers even when “the district where the media or information is located has been concealed through technological means.” A single warrant could be used to search computers located in five or more judicial districts.
“This proposal ensures that courts can be asked to review warrant applications in situations where it is currently unclear what judge has that authority,” Justice Department spokesman Peter Carr told Bloomberg. “The proposal makes explicit that it does not change the traditional rules governing probable cause and notice.”
Supporters say the rule would target child pornographers and other criminals using online anonymity through proxy servers or comprised computers via a botnet to commit wrongdoing.
The law currently allows federal investigators to obtain warrants that allow them to secretly implant malicious software on criminal suspects for as long as 30 days, or longer if an extension is granted by a judge. Law enforcement, though, are limited to attaining warrants in specific judicial districts, of which there are 94 in the United States.
Critics point out that law enforcement’s ability to use malware to hack into computers over the internet could easily compromise broader online security. One tactic is a “zero-day” exploit, or exposing a software flaw even the manufacturer does not know exists, and then leaving the vulnerabilities open, which could lead to malicious attacks if the responsible company is not notified.
The wide scope of the DOJ’s warrant-seeking power embedded in the rule would certainly lead to privacy abuses, also, opponents add.
“We have real concerns about allowing the police too much ability to search with too little oversight,” said Hanni Fakhoury, a lawyer for privacy advocate Electronic Frontier Foundation. The DOJ plan would “dramatically expand the reach of federal prosecutors and investigators.”
Needing a single warrant to attach malware to an innumerable amount of computers possibly spread throughout the country would violate constitutional requirements that court-approved searches are specific and narrow, Fakhoury said.
Fakhoury fears the rule could be used to illegally access data stored online with services like Google's Drive cloud storage.
The proposal will be up to the Judicial Conference Committee on Rules of Practice and Procedure, which will meet at the end of the month. If it takes up the rule, the proposal would be opened for public comment in August for six months, then it would go to Congress for review.
“The proposed amendment would enable investigators to conduct a search and seize electronically stored information by remotely installing software on a large number of affected victim computers pursuant to one warrant issued by a single judge,” committee said in an analysis. “The current rule, in contrast, requires obtaining multiple warrants to do so, in each of the many districts in which an affected computer may be located.”
The law currently allows federal investigators to obtain warrants that allow them to secretly implant malicious software on criminal suspects for as long as 30 days, or longer if an extension is granted by a judge. Law enforcement, though, are limited to attaining warrants in specific judicial districts, of which there are 94 in the United States.
It is known that both the National Security Agencyand the FBI exploits software vulnerabilities for its own purposes, the American Civil Liberties Union says. The organization has submitted a Freedom of Information Act request for records regarding the use of zero-day exploits by federal authorizes and intelligence agencies.
The DOJ offered a broader rule change last year that would have allowed remote computer hacking, including remote access to cloud services, during the search of a physical computer. The plan was revised after the ACLU raised concerns about its violations of the Fourth Amendment.
