Judge rejects FBI's request to use 'extremely intrusive' hack tactic
A federal judge in Texas has denied a Federal Bureau of Investigation request to move forward with an investigation tactic that would have tracked alleged hackers by turning a suspect’s computer into a surveillance agent.
In a 13-page explanation Houston magistrate Judge Stephen Smith eviscerated the FBI’s attempt to push an “extremely intrusive” tactic to track down someone who allegedly used his or her computer to commit federal bank fraud and identity theft.
Smith’s order denied the use of a so-called Trojan Horse tool investigators would have installed on a computer to override its operating system and use a webcam to take pictures of the suspect. The request also asked for permission to access the computer’s email contents, chat message logs, documents, pictures and passwords as well as Internet activity, according to Smith’s memorandum.
Known as a remote administration tool (RAT), hackers have previously used the method proposed by the FBI to spy on women through their computers and share stolen erotic pictures with hackers.
Judge Smith wrote that the FBI hoped to “surreptitiously install data extraction software on the Target Computer. Once installed, the software has the capacity to search the computer’s hard drive, random access memory, and other storage media; to activate the computer’s built-in camera; to generate latitude and longitude coordinates for the computer’s location; and to transmit the extracted data to FBI agents within the district.”
He decried law enforcement’s overly broad intentions, which, if
granted, could have set a dangerous precedent for other judges
approached with similar requests in the future.
“What if the Target Computer is located in a public library, an Internet café, or a workplace accessible to others?” he continued. “What if the computer is used by family or friends uninvolved in the illegal scheme? What if the counterfeit email address is used for legitimate reasons by others unconnected to the criminal conspiracy? What if the email address is accessed by more than one computer, or by a cell phone and other digital devices? There may well be sufficient answers to these questions, but the government’s application does not supply them.”
Judge Smith estimated that tens of thousands of secret surveillance orders are issued by judges annually. Hanni Fakhoury, an attorney with the Electronic Frontier Foundation, told Ars Technica that the rejection is a surprise because “the government has been very secretive about this surveillance tool.”
Chris Soghoian, a principal technologist with the American Civil Liberties Union, agreed.
“Hacking should be something that is the last resort, not the first option,” he told Ars Technica. “No one knows anything about [how the FBI’s software works]. We know from a [Freedom of Information Act request] that there was a [Computer and Internet Protocol Address Verifier software], but this seems to be much more sophisticated…as a general rule, we don’t think law enforcement should be in the hacking business. It’s sexy, but it’s terrifying.”