Federal agents now have even greater scope for spying on computers
belonging to regular citizens, thanks to a controversial amendment that passed
into law as of Dec. 1, 2016.
The long-standing Rule 41 governs how the FBI can search and seize
property thought to be involved with crime. Its most recent amendment expands
the search remit to include remote access of computers whose locations have
been “concealed through technological means.”
In other words, the FBI can obtain a warrant to hack any device
whose IP address is masked. This can include computers using a virtual private
network (VPN), a common internet tool used to maintain privacy on
public Wi-Fi networks, to watch Netflix (and
other geo-restricted media) from another country, to improve streaming
speeds or simply to remain anonymous
online. Similarly vulnerable under the updated rule are
computers running the Tor browser, which people use for privacy and security or
to browse the Deep Web for
reasons including visiting illegal sites and accessing secured communications
for political dissidents and whistle-blowers.
The amendment also makes it legal to search computers that have
been “damaged without authorization,” that is, infected with malware, for example by being
hijacked into botnets used to launch distributed denial of service (DDoS)
attacks. Considering that 16 million American
households experienced serious virus problems in the past
two years, that’s a lot of computers that the FBI could legally hack.
“This unprecedented increase in government hacking authority gives
the government ability to more easily infiltrate, monitor, copy data from,
inject malware into and otherwise damage computers, including victims of a
crime, remotely,” said Nate Cardozo, senior staff attorney at the Electronic
Frontier Foundation (EFF).
Dragnet for online crime
Until now, the FBI had to specify particular users it wanted a
search warrant for. In the case of illegal sites, such as those on the Deep Web where
traffic is heavily anonymized, this often proved difficult. Agents could also
search computers only in the region where a warrant was granted, often an
ineffective tactic because involved computers could be located anywhere in the
world.
Under the new Rule 41, any computer with a hidden IP address or
location can be included in the scope of a search warrant. Warrants can be
granted in any jurisdiction and used to search multiple location-masking
computers anywhere.
“This is about the FBI having the power to search any visitors to
sites where they know or suspect illegal activity is going on,” says Chester
Wisniewski, principal research scientist at cybersecurity firm Sophos.
In theory, the new rule helps the government ferret out faceless
perpetrators of massive cybercrimes. Examples of these crimes include child
pornography or drug trading rings and the botnet DDoS attack that
recently took down Spotify, Twitter and Amazon.
But some of the FBI’s methodology for tracking suspected criminals
online could endanger innocent users’ systems.
“Precisely because law enforcement doesn't know where the computer
is, it has to use malware to uncover the real address of the computer they're
looking for,” said Gabe Rottman, deputy director of the Freedom, Security
and Technology project at the Center for Democracy and Technology. “In
doing so, law enforcement casts a very wide net, accessing computers that have
nothing to do with the underlying investigation.”
For example, in 2013, the FBI obtained warrants to hack the dark
web TorMail accounts of 300 users allegedly linked to child pornography crimes,
but the malware activated
before users logged in, suggesting that it infected any computer
that visited the login page.
“We should be concerned. This is more invasive than even wiretapping,
and it’s inconsistent with the basic American value that the government
shouldn’t be looking into your affairs unless it has some evidence you’ve done
something wrong,” Rottman said.
What you can do
For those who want to protect themselves and their files from this
form of recently legalized hacking, the usual cyber security
principles apply, Wisniewski said. Use strong encryption for email
and files. Always download updates to your operating system, browsers and apps.
Use a password manager or strong passwords, and keep a good antivirus program
updated. These measures lower the risk that your system has a vulnerability
that misdirected malware aimed at criminals could exploit.
“The scary thing is that the malware law enforcement will be using
is potentially more powerful because the government has an incentive to hoard
the most valuable zero days [unknown vulnerabilities in users’ software to
attack],” Rottman said.
Because the new Rule 41 came into effect with no opposition to the
proposal made by the Supreme Court earlier this year, it’s
possible that Congress can reform or even remove the rule change in the future.
“There need to be strong guidelines to keep this new power in check, lest it
result in increased privacy intrusions,” said Cardozo.
The CDT has suggested
reforms such as limiting the type of information that can
be gathered and requiring more detail before warrants are granted.
While civil liberties groups including the EFF and CDT have been
vocal about the dangers of the change, members of the public can also make
their voices heard through online petitions or directly contacting their local
representatives. “Average users can absolutely still engage,” Rottman
said. “We haven’t had a national conversation on how to control government
hacking to protect privacy and civil liberties.”