BY AHMED GAPPOUR
A Department of Justice proposal to amend Rule 41 of the Federal Rules of Criminal Procedure would make it easier for domestic law enforcement to hack into computers of people attempting to protect their anonymity on the Internet. The DOJ has explicitly stated that the amendment is not meant to give courts the power to issue warrants that authorize searches in foreign countries—but the practical reality of the underlying technology means doing so is almost unavoidable.
The result? Possibly the broadest expansion of extraterritorial surveillance power since the FBI’s inception.
This post highlights key issues raised by the international aspect of the DOJ proposal, in the attempt to encourage wider public debate before the FBI is granted such expansive powers.
The FBI brand of hacking: Network Investigative Techniques.
Broadly, the term “Network Investigative Techniques,” (NIT) describes a method of surveillance that entails “hacking,” or the remote access of a computer to install malicious software without the knowledge or permission of the owner/operator. Once installed, malware controls the target computer.
The right Network Investigative Technique can cause a computer to perform any task the computer is capable of—covertly upload files, photographs and stored e-mails to an FBI controlled server, use a computer’s camera or microphone to gather images and sound at any time the FBI chooses, or even take over computers which associate with the target (e.g. by accessing a website hosted on a server the FBI secretly controls and has programmed to infect any computer that accesses it).
Network Investigative Techniques are especially handy in the pursuit of targets on the anonymous Internet—defined for the purposes of this post as those using Tor, a popular and robust privacy software, in order to obscure their location (and other identifying information), and to utilize so-called “hidden” websites on servers whose physical locations are theoretically untraceable.
Since Network Investigative Techniques work by sending surveillance software over the Internet (at 9), the physical location of the target computer is not essential to the execution of the search. Indeed, the DOJ proposal is justified as the only reasonable way to confront the use of anonymizing software, “because the target of the search has deliberately disguised the location of the media or information to be searched.” (at 9).
The DOJ Proposal
The proposed amendment addresses a jurisdictional limitation in the current version of Rule 41(b)(1) that prevents a judge from issuing a warrant unless the target is known to be located within her district.
“(6) a magistrate judge with authority in any district where activities related to crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside of that district if (A) the district where the media or information is located has been concealed through technological means.” F.R.Cr.P. Rule 41(b)(6)(A) (proposed) (emphasis added).
The amendment mirrors language setting out the jurisdictional scope of terrorism investigations under Rule 41(b)(3) (emphasized above), but applies to investigations of general crimes:
“The Department’s proposal is intended to clarify that the issuance of such a warrant is proper in other criminal investigations as well.” Jonathan J. Wroblewski, director of the Department of Justice’s Office of Policy and Legislation, in a memo to the chair of the subcommittee considering the rule change (at 179).
As for extraterritorial hacking, the DOJ commentary explicitly states that the proposal does not seek power to extend search authority beyond the United States:
In light of the presumption against international extraterritorial application, and consistent with the existing language of Rule 41(b)(3), this amendment does not purport to authorize courts to issue warrants that authorize the search of electronic storage media located in a foreign country or countries. AUSA Mythili Raman, Letter to Committee.
Yet the commentary also articulates a standard for searches that “are within the United States or where the location of the electronic media is unknown.”
Under this proposed amendment, law enforcement could seek a warrant either where the electronic media to be searched are within the United States or where the location of the electronic media is unknown. In the latter case, should the media searched prove to be outside the United States, the warrant would have no extraterritorial effect, but the existence of the warrant would support the reasonableness of the search. AUSA Mythili Raman, Letter to Committee (emphasis added).
The latter standard seems to be a significant loophole in the DOJ’s own formulation of the approach, particularly given the global nature of the Internet. For instance, over 85% of computers directly connecting to the Tor network are located outside the United States. And since (according to the DOJ) each computer’s “unknown location” is virtually indistinguishable from the next, any law enforcement target pursued under this provision of the amendment may be located overseas.
When the FBI finds itself abroad.
The FBI’s extraterritorial authority is nothing new. Indeed, the agency’s extraterritorial responsibilities date back to the mid-1980s, when Congress first passed laws authorizing the FBI to exercise federal jurisdiction overseas when a U.S. national is murdered, assaulted, or taken hostage by terrorists.
The FBI’s extraterritorial activities have generally fallen in line with customary international law, where it is considered an invasion of sovereignty for one country to carry out law enforcement activities within another country without that country’s consent. To that end, the FBI avoids acting unilaterally—relying instead on the United States’ diplomatic relations with other countries and the applicability of any treaties, seeking permission from the host country before deploying personnel, and requesting assistance from local authorities when possible.
Radical departures from current policy.
The DOJ proposal will result in significant departures from the FBI’s customary practice abroad: overseas cyber operations will be unilateral and invasive; they will not be limited to matters of national security; nor will they be executed with the consent of the host country, or any meaningful coordination with the Department of State or other relevant agency.
Under the DOJ’s proposal, unilateral state action will be the rule, not the exception, in the event an anonymous target “prove[s] to be outside the United States.” The reason is simple: without knowing the target’s location before the fact, there is no way to provide notice to (or obtain consent from) a host country until after its sovereignty has been encroached upon.
Without advance knowledge of the host country, law enforcement will not be able to adequately avail itself of the protocols currently in place to facilitate foreign relations. For example, the FBI will not be able to coordinate with the Department of State before launching a Network Investigative Technique. This puts the U.S. in a position where a law enforcement entity encroaches on the territorial sovereignty of foreign states without coordination with the agency in charge of its foreign relations.
The encroachments that result will be public—bound to arise in the event of a criminal trial. In 2002, for example, Russia’s Federal Security Service (FSB) filed criminal charges against an FBI agent for “illegally accessing” servers in Chelyabinsk, Russia, in order to seize evidence against Russian hackers that was later used in their criminal trial. The FSB was tipped off to the fact when the defendants were indicted in Seattle, Washington.
Reportedly, an FBI press release stated that this was “the first FBI case to ever utilize the technique of extraterritorial seizure of digital evidence.” The FBI accessed the overseas server through the web, using login information it obtained from a suspect in custody.
The next accidental cyber war?
When a state’s sovereignty is encroached upon, its response depends on the nature and intensity of the encroachment. In the context of cyberspace, states (including the United States) have asserted sovereignty over their cyber infrastructure, despite the fact that cyberspace as a whole, much like the high seas or outer space, is considered a “global common” under international law.
To be sure, the FBI’s known arsenal of Network Investigative Techniques, if executed properly, does not rise to the level of a cyber “armed attack”—as defined in Article 51 of the UN Charter—for which a use of (cyber or kinetic) force in response would be permissible. Reaching that threshold would require that the attack be reasonably expected to cause injury or death to persons, or damage or destruction to objects, on a significant scale. Forceful responses to cyber attacks below that threshold are only permissible with UN Security Council authorization.
As a general matter, there are no prohibitions on cyber espionage (clandestine information gathering by one state from the territory of another) in international law. Perhaps, then, law enforcement hacking (as with other forms of espionage by organs of the State) will be regulated by the violated state’s domestic criminal law, counterespionage, or other countermeasures. Given the public nature of the U.S. criminal justice system, it is hard to see how the FBI will avoid risk of prosecution (similar to that in the Chelyabinsk incident) if the DOJ proposal is approved.
Too fast too soon.
In light of the above, I would be hesitant to amend Rule 41 at this time without first having a thorough discussion of the potentially far-reaching consequences of the change. The technologies involved are rapidly developing and poorly understood, as are the existing international legal norms that apply to them. It is critical that these issues be approached with comprehensive deliberation (between technologists, policy makers and lawyers) that looks beyond the operational frame.
Nonetheless, if we do amend the Rule, we should certainly take steps to minimize the encroachment on other states’ sovereignty, leaving open the possibility for diplomatic overtures. To that end, the Rule should require Network Investigative Techniques to return only country information at first, prompting the executing FBI agent to utilize the appropriate protocols and institutional devices.
The Rule should also ensure that Network Investigative Techniques are used sparingly and only when necessary by requiring a showing similar to that required by the Electronic Communications Privacy Act, namely, that less intrusive investigative methods have failed or are reasonably unlikely to succeed. See 18 U.S.C. § 2518(1)(c). Another way to do this might be to narrow the class of potential targets, from targets whose location is “concealed through technological means” to those whose location is not “reasonably ascertainable” by less invasive means.
The Rule should also limit the range of hacking capabilities it authorizes. “Remote access” should be limited to the use of constitutionally permissible methods of law enforcement trickery and deception that result in target-initiated access (e.g., requiring the target to click a link contained within a deceptive email in order to initiate delivery and installation of malware). “Search” capabilities should be limited to monitoring and duplication of data on the target (e.g., copying a hard drive or monitoring keystrokes).
The Rule should not authorize drive-by downloads that infect every computer that associates with a particular webpage, the use of weaponized software exploits in order to establish “remote access” to a target computer, or deployment methods that risk indiscriminately infecting computer systems along the way to the target. Nor should the Rule authorize a “search” method that requires taking control of peripheral devices (such as a camera or microphone).
There are other suggestions, of course. As it stands, the proposed amendment allows the FBI to use a wide array of invasive (and potentially destructive) hacking techniques where it may not be necessary to do so, against a broad pool of potential targets that could be located virtually anywhere.
The public has until Feb. 17, 2015, to comment on the preliminary draft.