The Facts
In April, the Advisory Committee on Criminal Rules proposed amendments to the Federal Rules of Criminal Procedure that would give authorities “more leeway to secretly hack into the suspected criminal’s computer,” so The Hacker News in a recent report.
According to the draft minutes of the Criminal Rules Meeting, the subcommittee on Rule 41 (Search and Seizure) envisioned the following amendment:
A magistrate judge with authority in any district where activities related to crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information within or outside that district. (p. 515)
Effectively, so the document, the change is intended to cover remotely accessed searches and seizures primarily a) to find out about the location of a computer when it is not known, and b) to search multiple computers in known locations outside the district of the issuing judge.
The Hacker News assessed the proposed amendment and translated it into plain English: With the new Rule 41, statutory law would allow authorities to “easily obtain warrants,” in order to secretly access suspects’ and witnesses’ computers
- by employing zero-day exploits on software vulnerabilities (thus hacking into suspects’ computers)
- whenever their location is unknown and presumably outside the jurisdiction of the issuing judge (thus in any of the other 93 judicial districts)
- in large quantities whenever evidence or technical details related to suspected operators of botnets are targeted (hence, a single warrant could authorize the search of thousands of computers)
The Problem
Both The Hacker News and the Advisory Sub-Committee on the Criminal Rules provide a what occurs to me as an easily accessible set of reasons and justifications for the invasive proposal. It is based on the nature of cyber crime and a) how anonymizing technologies prevent the identification of the originating computer, and b) how containing and dismantling botnets require measures in many different jurisdictions.
My take on what makes the proposed amendment a messy policy problem, which will not be solved to the satisfaction of either stakeholder (government/law enforcement or civil society/privacy), builds on several layers where interests conflict with the pros of the envisioned change to the Federal Rules of Criminal Procedure:
1. The Ethical Layer: Governmental Use of Spyware
When governments employ spyware to utilize zero-day exploits and software vulnerabilities, ramifications range from the national to the global level, including:
- A Potentially lower level of checks and balances:
Conventional surveillance measures often have additional checks and balances on the organizational level, for example when telecommunication service providers facilitate wire-taps only after having received rightfully issued warrants. Contrarily, for the use of spyware, government agencies do not have to satisfy such external procedural requirements. Additionally, spyware suites usually equip their operators with remote access measures that may be more invasive than and exceed those that are covered by the respective warrant. In 2011, the German Bundestrojaner and its Staatstrojaners, spyware employed by German federal and state law enforcement agencies, carved out this difficulty of the government catching up with technology.
- Negative impact on overall Internet security:
Making zero-day exploits of vulnerabilities in commonly used software an integral part of law enforcement is likely to have negative impacts on the overall level of security in the Internet. The Heartbleed Bug and how it had reportedly been exploited over the course of a longer time by the National Security Agency serves as an example of choice, as it shows how governments can have knowledge about pervasive security flaws without sharing it. While they keep zero-day exploits secret in order to keep using them, these security gaps remain open and can be exploited by anyone who comes across them (our post about the zero-day exploit market and how suppliers cater to governments may be worth a look in this context as well).
2. The Factual Layer: Potential Extraterritoriality
Despite the intention of covering (only) all 94 judicial districts of the United States (US), the purpose of the amendment to Rule 41 is to search and seize data electronically stored on systems, whose location is not known. Accordingly, the very nature of cyberspace implicates potential search and seizure operations targeting devices that are not within the US at all. In that case, given that no prior consent has been obtained from the authority that has jurisdiction over the targeted system, a nation-state’s sovereignty may have been violated.
3. The Constitutional/Legal Layer: Particularity and Proportionality
The authorization of a search and seize of computers without knowing where they are located or how many will be subject to a (single) warrant also calls for considerations of particularity and proportionality. The draft minutes reflect the committee’s argumentation, due to which “any constitutional restriction should be addressed by each magistrate with each warrant request.” (p. 515)
Concluding Remarks
This post only introduces what occurred to me as the most striking points in favor and against the proposed amendment to Rule 41 of the Federal Rules of Criminal Procedure. Instead of recounting further arguments, my intention is to illustrate how The Onion Router (TOR) and other anonymization technologies or botnet facilitated denial of service attacks are challenging procedural law and call for innovative legislation.
With decision of May 5, the Advisory Committee recommended to publish the proposed amendment to Rule 41 for public comment (p. 486), before it will be passed on to Congress for respective enactment.
Leave a Reply