ACLU: Plan to Expand FBI Search Powers May Compromise Cybersecurity


Updated | In the midst of a robust national debate about how to address cybersecurity threats, the Department of Justice is leveraging a little-known committee to tinker with the way warrants are issued, a change that critics say would leave Americans more vulnerable to cyberattacks.

Last year, the Justice Department requested that the Advisory Committee on Criminal Rules (a committee tasked with updating federal rules of court procedure, such as when to file briefs) pass an amendment that would allow the FBI to obtain a warrant to hack computers, even if their location or the identity of their owners is unknown. (Judges are generally restricted to issuing warrants to the government for searches within their jurisdiction.)

The move came after Stephen Smith, a federal judge in Texas, denied a request for a search warrant (the government wanted to remotely hack a computer but had no idea where it was located).

“I think the government fears that other judges will deny warrant applications on the same grounds,” says Nathan Wessler, a lawyer for the American Civil Liberties Union (ACLU).

In October, the ACLU outlined its concerns about the proposed amendment. Among them: The types of searches the FBI would be conducting, the methods used, the risks associated with such methods, what kind of data the bureau is going to acquire and what it will do with that data.

“There is a real need for judges to have accurate information,” Wessler says. “A lot of judges are not technical experts... But when they are only getting one side of the argument, it is hard for them to spot all of the issues.”

The ACLU also argues that such a rule change would assume that it’s OK for the FBI to remotely hack into computers using any means at their disposal—all of which could degrade cybersecurity.

It’s been widely reported, for example, that the government is sitting on a stockpile of zero-day exploits, or software vulnerabilities unknown to the software’s manufacturer that can be used to monitor and attack computers. By using these vulnerabilities for intelligence purposes instead of reporting them to a manufacturer, the U.S. leaves its population open to “serious security ramifications,” Wessler says, such as snooping and attacks from people other than the FBI.

Other FBI methods include sending out malware over the Internet, a tactic the bureau has reportedly been using since at least 2001. Employing such methods has potential ramifications. “There is a risk it might not get to its intended target...there is a risk that it might spread from its intended target,” Wessler says.  

The ACLU is also concerned about the types of warrants that would enable digital searches, such as scraping large amounts of data from computers or remotely turning on webcams. “Those are the kinds of searches that should be regulated like wiretaps,” Wessler says.

Under the federal wiretapping statute, for instance, law enforcement can only obtain a warrant for 30 days, can only listen to calls pertinent to the investigation and must delete irrelevant information that is captured. “Those are the kinds of robust privacy protections that these digital searches desperately require,” Wessler says. “And nothing in this proposal offers that kind of oversight.”

In practice, the ACLU says, the proposal risks violating the Constitution. As a matter of constitutional interpretation, Wessler says, federal criminal rules require the government to notify someone if they’ve been searched. While it’s difficult to do so when you don’t know where a computer is located or the identity of its owner, the proposal only requires that a reasonable effort be made to notify someone that the bureau has conducted a search.  

The Justice Department disagrees with the ACLU. "This proposal would not authorize any searches or remote access not already authorized under current law," says Peter Carr, public affairs specialist at the Justice Department.

"With the rise of techniques that make it easy for criminals without any technical skill to hide their true locations, lawfully authorized remote access has become increasingly important to protect people from predators and solve serious crimes. Our rule change will ensure that courts can be asked to review warrant applications for probable cause in situations where it is currently unclear what judge has authority to review a warrant application," he says.

On Tuesday, the period for the public to submit comments about the proposed change ended. The ACLU, Google, New America Foundation and others offered their concerns.

The government responded to those grievances on Tuesday by, among other things, laying out a series of scenarios in which they would employ this new authority, such as obtaining stored emails hosted on a Tor hidden service, which allows for anonymous communication.

Wessler wasn’t satisfied. “I don’t think they addressed any of our concerns in a way that makes us reconsider them,” he says. He argues that the government’s scenarios captured only innocuous ways the new power could be used.

In a time when it is almost impossible to participate in modern society without using a computer or leaving a digital trail, Wessler says there should be a more open discussion about how to properly balance civil liberties and Internet security concerns with the need for law enforcement to do its job.

In coming weeks, the advisory committee will look at the public comments and decide if it will accept, change or reject the warrant proposal. It will then pass off that decision to a series of bodies that will do the same thing. Eventually, the decision will arrive at the Supreme Court. If the Court approves the amendment, it will be up to Congress to block it. If Congress decides not to act, the changes go into effect.

The ACLU and others have criticized this process, saying it’s far too important to go through the current system. “This,” Wessler says, “is the type of change that should be dealt with by Congress [directly].”