In December 2016 Congress approved seemingly innocuous changes to Rule 41 of the Federal Rules of Criminal Procedure, a controversial investigative authority governing complex cyber cases. The Rule 41 changes will be the latest addition to the government’s growing arsenal of post-9/11 surveillance powers. As privacy advocates have rightly pointed out, the oftentimes vague phrasing of Rule 41 and its new changes mean the rule could easily be abused to infringe on personal privacy and grant investigators undue computer-hacking powers.
Implications of the New Changes
The new changes center around two main subjects. One clause gives judges the authority to issue warrants in any district where illicit activities may have occurred. On its face this seems reasonable, but it means judges can potentially issue warrants far outside their intended jurisdiction. It also means investigators can potentially shop around for judges in various districts who will grant such wide-ranging warrants. The second major change affects users whose devices were compromised in criminal hacking attacks. Under the changes, investigators can remotely access and collect all information from any device compromised in an attack as part of an investigation. For botnet attacks, which may compromise many thousands of individual devices, this means a large amount of personal information not relevant to the investigation will end up in the hands of federal investigators.
The Controversial History of Rule 41
First introduced as an amendment to the 2001 USA PATRIOT Act, Rule 41 allows law enforcement agencies to “hack”, or remotely access, computers under certain poorly defined circumstances. Rule 41 was controversially used by the FBI in February 2015 to compromise and seize the server hosting Playpen, a known dark web child pornography site. After the successful hack and confiscation, the FBI decided that rather than shutting down the site it would instead run and operate the site in order to spy on its users and obtain their IP addresses by hacking them. Calling it (unfortunately) “Operation Pacifier”, the FBI then hosted Playpen on its own servers in Newington, Virginia, distributing as many as 1 million pictures and videos of child pornography to more than 100,000 users in a two-week time frame, according to case documentation. The FBI’s classified hacking tools in the case, technically justified under Rule 41, potentially compromised over 100,000 Playpen visitors in dozens of countries. Of the thousands of alleged Playpen visitors hacked by the FBI, a meager 186 have been charged with crimes. Furthermore, the FBI used its Rule 41 warrant to target a global user base and an open-ended number of individuals. This is different from almost all other warrants, which allow for specified activities targeting specified individuals within specified geographic boundaries.
Playpen is not the only time investigators have used Rule 41 authorities to justify broad hacking activities against potentially innocent individuals. In Operation Torpedo the FBI utilized a tactic known as a watering hole, in which hackers first gain control of the server hosting sites and then embed spyware in the sites’ pages that infects visitors indiscriminately. The FBI also used this tactic against Freedom Hosting, an anonymous web hosting service. FBI hackers embedded code within all sites hosted by Freedom Hosting that exploited a Firefox vulnerability and ultimately sent the IP address of every site visitor back to the FBI. The obvious potential problem here is that Freedom Hosting hosted a plethora of sites, including those belonging to legitimate businesses, and the customers of those sites were infected and investigated as potential child pornography offenders.
Parallel Track: The British Investigatory Powers Act
The Investigatory Powers (IP) Act passed the British Parliament with hardly a whisper of dissent in November 2016. The act gives the Government Communications Headquarters (GCHQ, aka British Signals Intelligence) and other investigative bodies bulk hacking powers to perform “equipment interference,” which means remotely accessing computers, networks, mobile devices, servers, and other connected devices both inside and outside the UK. The act also allows investigators to access and analyze entire databases, whether they are held by private companies or public organizations, even though the database users may not be suspected of any wrongdoing. Although the IP Act is new, it was passed to confer legality on already ongoing secret activities revealed by the Edward Snowden leaks. Privacy advocates have charged that the IP Act waves a wand of permission for the interception and storage of every text, picture, post, webcam or FaceTime session, and for access into any device that connects to the internet, whether owned by a private citizen, organization, or company. And under US law, US agencies can simply receive this UK data without a constitutional discussion or a secret court warrant.
As the FBI Playpen investigation shows, investigative authorities such as Rule 41 can oftentimes do more harm than good. Although by hacking the Playpen servers the FBI was able to glean valuable information about dark web child pornography activities, by taking over and running the servers itself the FBI furthered the distribution of pornographic material. It prosecuted only 186 of more than 100,000 site visitors, and offered restitution to none of the children whom it re-victimized by redistributing their pictures online. As Rule 41’s new provisions on judges’ warrant-issuing authorities and compromised user devices come into effect, we must all be vigilant about maintaining due process and personal privacy considerations so that the innocent are not unnecessarily ensnared in police investigations to which they and their personal data have no relevance.