top | item 11606596


csoghoian | 9 years ago

The FBI has been using malware since at least 2003 [1], probably a few years before that. Today, the FBI has a dedicated team, the Remote Operations Unit, based out of Quantico, which does nothing but hack into the computers and mobile phones of targets. According to one former top FBI official, among the team's many technical capabilities is the ability to remotely enable a webcam without the indicator light turning on [2].

Although DOJ has been using malware for nearly fifteen years, it never sought a formal expansion of legal authority from Congress. There has never been a Congressional hearing, nor do DOJ/FBI officials ever talk explicitly about this capability.

The Rule 41 proposal before this advisory committee was the first ever opportunity for civil society groups, including my employer, the ACLU, to weigh in. We, along with several other groups, submitted comments and testified in person.

Our comments can be seen here [3,4]. Incidentally, it was while doing the research for our second comment that I discovered that the FBI had impersonated the Associated Press as part of a malware operation in 2007 [5].

Ultimately, the committee voted to approve the change to the rules requested by DOJ. In doing so, the committee dismissed the criticism from the civil society groups, by saying that we misunderstood the role of the committee, that the committee was not being asked to weigh in on the legality of the use of hacking by law enforcement, and that "[m]uch of the opposition [to the proposed rule change] reflected a misunderstanding of the scope of the proposal...The proposal addresses venue; it does not itself create authority for electronic searches or alter applicable statutory or constitutional requirements."

[1] http://www.nytimes.com/2016/04/14/technology/fbi-tried-to-de...

[2] https://www.washingtonpost.com/business/technology/2013/12/0...

[3] https://www.aclu.org/sites/default/files/assets/aclu_comment...

[4] https://www.aclu.org/files/assets/aclu_comment_on_remote_acc...

[5] http://bigstory.ap.org/article/23f882720e564b918d83abb18cd5d...


tptacek|9 years ago

Thanks for writing this comment. It's deeply informative and useful.

Two things I want to call out, one minor and one more significant. The significant one first:

Your employer, in the response you linked to, wrote approvingly of Orin Kerr's proposed alternative language, which would enable the same sort of remote "hacking" with the new precondition that it be allowed only when it's impossible for the courts to ascertain the right district.

If ACLU is OK with that narrower language, is it safe to say that you disagree with your employer? Because your arguments strongly implicate Kerr's proposed language as well. Put simply: you appear to favor broad restrictions on DOJ's ability to coercively collect electronic evidence regardless of whether courts authorize it.

The minor objection I have to your comment is the link to WaPo about the FBI being able to record video from laptop cameras without lighting the LED. That's an unsourced anonymous claim that, by my reading, can't possibly be accurate as stated, since different laptops have different mechanisms and it is vanishingly unlikely that the FBI has defeated all of them. I'm prepared to be wrong about this, but expect that I'm not, and would like to know if you can provide any more evidence backing that extraordinary WaPo claim up.

csoghoian|9 years ago

1. My employer, the ACLU, filed two comments in the Rule 41 process.

The first, before public comments were even solicited, resulted in DOJ dropping one of their proposed changes to rule 41, which would have permitted the gov to piggyback from a hacked target's computer to a cloud account (such as Dropbox or Google), rather than the gov going to the cloud provider with a warrant.

While our first comment does indeed describe and quote from some alternative language proposed by Orin Kerr, I don't think it is fair to describe that as evidence of ACLU approval of hacking of users whose location cannot be determined. For example, in that comment, we note that:

[U]nder Professor Kerr’s language, the government would still be able to obtain warrants to use malware, zero-day exploits, and other techniques that raise serious constitutional and policy questions.

2. While some public interest groups and tech policy advocates are publicly (or, in some cases, privately) embracing the idea of giving law enforcement formal, regulated hacking powers, in a desperate attempt to push back against legislative pressure for crypto backdoors, I'm thankful that the ACLU has not done so. If the organization does at some point decide to come out in favor of law enforcement hacking, I strongly doubt my name will be on that document.

[I'll note, however, that one of the great perks that comes with working for the ACLU is that it's perfectly OK to disagree with some of the organization's official policy positions. I'm not forced to toe the company line publicly on issues on which I disagree.]

3. Just so all of my cards are on the table: I'm volunteering, unpaid, as an expert for the defense in several of the Playpen FBI watering hole cases. I am strongly opposed to bulk hacking, enough so to volunteer my time to help fight the FBI's use of this outrageous surveillance technique.

4. The FBI being able to remotely activate webcams without the light turning on is not an "unsourced anonymous claim".

From the Washington Post story, linked to in my comment above:

The FBI has been able to covertly activate a computer’s camera — without triggering the light that lets users know it is recording — for several years, and has used that technique mainly in terrorism cases or the most serious criminal investigations, said Marcus Thomas, former assistant director of the FBI’s Operational Technology Division in Quantico.

the_ancient|9 years ago

On most (if not all) laptop webcams the light is not controlled by hardware, but by the operating system.

It is trivial to create software that does not turn on the light.

The light is not considered by manufacturers to be a security feature, or something to warn a user that someone other than the user is using the webcam. It is simply there to inform the user when their cam is active under normal "friendly" software. It is a convenience feature, not a security feature.

Many commercial management and security software packages sold to schools, corporations, and individuals have the ability to turn on the webcam without illuminating the light; this is often billed as a "theft prevention" feature.

Several schools have gotten in trouble for using this feature to spy on students using school-owned laptops.

In short, they do not have to "defeat all of the laptops"; they just have to write a program for Windows and get 99% of them. The capability is already in the OS. The harder part is installing it without the user knowing and hiding the process from the user... Disabling the LED is trivial.
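Since the comment above argues that the LED cannot be trusted and that the real work for an attacker is hiding the process, the practical check is to look at the OS side instead of the light. On Linux a process that is capturing video holds a `/dev/videoN` device open, and `/proc/<pid>/fd` exposes those open descriptors as symlinks. The script below, an added example and not something posted in the thread, separates the parsing (testable on a constructed fd table) from the `/proc` walk so it can be run on a live host as an incident-response triage step. The sample table is constructed; the `/proc` layout and `comm` file are standard Linux.

```python
"""List processes holding a camera device open (Linux /proc based).

Added example for the thread above; assumes a standard Linux /proc.
"""
import os
import re
from pathlib import Path

# V4L2 capture nodes; readlink() on a deleted/unlinked node appends
# " (deleted)", which deliberately does not match.
CAMERA_DEV = re.compile(r"^/dev/video\d+$")


def camera_holders(fd_table):
    """fd_table: {pid: {fd: readlink_target}}.

    Returns {pid: sorted list of distinct camera device paths} for every
    process with at least one /dev/videoN descriptor open.
    """
    holders = {}
    for pid, fds in fd_table.items():
        devs = sorted({target for target in fds.values() if CAMERA_DEV.match(target)})
        if devs:
            holders[pid] = devs
    return holders


def read_proc_fd_table(proc="/proc"):
    """Walk /proc/<pid>/fd for every numeric pid; needs root to see all pids."""
    table = {}
    for entry in os.scandir(proc):
        if not entry.name.isdigit():
            continue
        fd_dir = os.path.join(entry.path, "fd")
        fds = {}
        try:
            names = os.listdir(fd_dir)
        except OSError:  # process exited or not ours (EACCES)
            continue
        for name in names:
            try:
                fds[int(name)] = os.readlink(os.path.join(fd_dir, name))
            except OSError:
                continue  # fd closed between listdir and readlink
        table[int(entry.name)] = fds
    return table


def process_name(pid, proc="/proc"):
    try:
        return Path(proc, str(pid), "comm").read_text().strip()
    except OSError:
        return "?"


# Constructed sample: what readlink over /proc/<pid>/fd might return.
SAMPLE_FD_TABLE = {
    1: {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"},
    4242: {0: "/dev/null", 3: "socket:[12345]", 7: "/dev/video0"},
    777: {4: "/dev/video2", 5: "/dev/video0", 6: "/dev/video0 (deleted)"},
    999: {3: "/dev/videoplayback.log"},  # not a device node, must not match
}


def main():
    if os.path.isdir("/proc/self/fd"):
        table = read_proc_fd_table()
    else:
        table = SAMPLE_FD_TABLE
    for pid, devs in sorted(camera_holders(table).items()):
        print(f"pid {pid} ({process_name(pid)}): {', '.join(devs)}")


if __name__ == "__main__":
    main()
```

Two caveats for anyone using this as a check: on desktops where a media daemon (for example PipeWire) owns the device, the daemon is what shows up here, not the client using it; and a rootkit that hides its process from `/proc` defeats this enumeration entirely, so a clean result from a live host is weaker evidence than the same scan run from a forensic image or a separate boot.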