Challenging Government Hacking: What’s at Stake

The FBI is making increasing use of an investigative technique that puts the public’s internet security at risk. This month, the ACLU filed amicus briefs in two cases to challenge the FBI’s use of this technique, which has significant cybersecurity implications for everyone.

The technique — government hacking — involves sending malware over the Internet to search computers remotely, often for information that is transmitted by or stored on anonymous targets’ computers. The malware can give investigators total control over a computer system. Absent extraordinary circumstances, courts should not grant this kind of power to law enforcement — much less with just a run-of-the-mill search warrant.

Malware — software designed to covertly damage a computer, take control of a system, or steal data — is not new to the federal government. The FBI has been deploying tools to search anonymous users’ computers since at least 2002. More recently, however, the FBI has expanded its use of this technique. Rather than deploying tailored malware against individual targets, the agency is now conducting “watering hole” operations that deliver malware to everyone who visits a particular webpage or pages. This can result in hundreds or thousands of computers being compromised, as well as the uncontrolled distribution of malware around the globe.

What the FBI didn’t disclose in court

This month, the ACLU filed briefs in the two cases pending before the Ninth Circuit Court of Appeals that involve the most recent publicly known malware investigation, aimed at users of the Playpen website. Playpen was a site primarily dedicated to disseminating child pornography, though it also hosted some lawful activities like chat and fiction forums. The FBI learned of Playpen, seized the server, and then actually ran the site out of its Virginia offices for two weeks. During that time, the federal government reportedly became one of the largest purveyors in the world of child pornography.  

The FBI took this step in an effort to identify people who visited the site, since visitors were using a privacy-protective web browser called Tor to mask their IP addresses, and thus their identities. (Playpen was designed so that only people using Tor could visit it. The U.S. government originally funded Tor, which serves as an essential tool for activism and free speech across the world. Journalists, bloggers, whistleblowers, human rights workers, and other activists have relied on the Tor network to avoid surveillance by potentially repressive regimes.) 

To obtain permission to deploy the malware — to which the government gave the anodyne name “Network Investigative Technique,” or “NIT” — the government sought a warrant from a magistrate in the Eastern District of Virginia. The warrant granted the FBI permission to send computer instructions from Playpen to anyone who logged in with a user name and password. These instructions, the magistrate was told, would gather identifying information from the activating computers and send it to the FBI.

In Playpen, the FBI sought to search as many as 158,000 computers around the world with this malware. As a result, there are now approximately 140 Playpen prosecutions for possession of child pornography wending their way through the federal courts. The ACLU has filed several other amicus briefs with the Electronic Frontier Foundation challenging Playpen searches on the grounds that a single warrant cannot lawfully authorize a search of more than 100,000 people, and that the searches unconstitutionally violated Federal Rule of Criminal Procedure 41, which at the time limited magistrates’ ability to authorize searches to the district in which they operate — whereas the Playpen searches were global in scope. (Rule 41 has since been modified and now removes that procedural obstacle for the government to hack remotely.)

In the briefs we filed with several of our affiliates located in the Ninth Circuit this month — United States v. Tippens and United States v. Henderson — we argue that the FBI failed in its duty of candor to the magistrate judge, rendering the searches unconstitutional. What the FBI did not tell the magistrate judge, among other things, is that for its NIT to work, it had to force visitors’ computers to do something that Tor and every other web browser is not supposed to do — download, install, and run the code transmitted by a webpage. To get that to happen, the NIT used exploit code — software designed to take advantage of a flaw in the way the Tor browser works. Further, because the Tor browser is built on Mozilla’s Firefox code, this exploit likely worked on millions of Firefox users.

In other words, the government became a hacker, sending exploit code around the country and the world, compromising browser security and searching computers for information. And astoundingly, it didn’t tell the court that this was how the NIT worked. It even kept secret from the magistrate the very fact that it was, through its exploit, planning to take advantage of a vulnerability in Tor (and likely Firefox).

While the public doesn’t know what the vulnerability was, it likely gave the government, in Mozilla’s words, “total control” over the users’ computers. The FBI may have chosen to use that power only to collect identifying information, as it represented in the search warrant affidavit. But it could have accessed far more — and more private — information.

Without knowing that the government’s malware contained an exploit, the court was not in a good position to closely supervise the computer searches that the FBI’s computer instructions conducted. The magistrate likely had no idea she should police the search to ensure that the government would not misuse its capabilities to search private data for which it had no probable cause. Where searches are particularly intrusive (and especially when they involve digital media like computers), Fourth Amendment case law recommends heightened standards of proof for issuing warrants, search protocols, destruction of unrelated materials, and more to ensure that legitimate government searches do not metastasize into fishing expeditions. The magistrate couldn’t have known that she might want to impose such safeguards in this case.

How FBI hacking can hurt the public

Beyond just the facts of this case, the government’s development, storage, and use of exploits create computer security risks for the public that cannot be mitigated by the warrant process. The government may lose control of malware if an insider leaks or sells the tools, if the government itself is hacked, or if a malware target identifies and publishes the code. Once a hacking tool has been disclosed outside the government, malicious actors have a window of opportunity to use it for their own nefarious purposes.

We know the risk that the government will lose control of exploits is real, because we’ve seen it happen a number of times:

  • In 2013, the FBI deployed malware on multiple websites hosted by a company called Freedom Hosting. This malware similarly took advantage of a Firefox security vulnerability to identify users of Tor. Innocent individuals who visited the targeted Freedom Hosting sites — which included TorMail, an encrypted email service used by all kinds of people all over the world to ensure privacy in their communications — noticed the hidden computer instructions embedded in the sites, and within days, the code was being “circulated and dissected all over the net.” Eventually, the same attack showed up “in the wild,” using essentially the same exploit the government used to compromise Freedom Hosting visitors to hack users of the Tor browser more widely.

  • The government’s exploits also can be stolen. In 2016, the public learned that an entity calling itself the Shadow Brokers obtained National Security Agency malware from an external NSA “staging server.” Following some initial attempts to sell the exploits, the Shadow Brokers dumped dozens of NSA hacking tools online for free in April 2017. One of the tools the Shadow Brokers released — called EternalBlue — exploited a flaw in Microsoft software. Once released, the tool was repurposed into a virulent piece of ransomware called WannaCry, which infected hundreds of thousands of computer systems worldwide in May 2017.

  • The very next month, another malware attack began spreading internationally after initially hitting critical infrastructure in Ukraine. Similar to WannaCry, the worm, dubbed NotPetya, made use of EternalBlue as well as another NSA exploit, called EternalRomance, also released by the Shadow Brokers. WannaCry and NotPetya infected such crucial systems as hospitals, power companies, shipping, and banking, endangering human life as well as economic activity.

Courts have said that dangerous tools used to effectuate otherwise lawful searches — tools like flashbang grenades and battering rams — can be unreasonable under the Fourth Amendment. Government malware is another such tool. Some investigative techniques are just too dangerous to use.

Cybersecurity is hard, and we are not doing a very good job of protecting the systems that we rely on. This task gets even harder if the government is an active attacker on the network with a vested interest in keeping computers insecure in case an investigator wants to conduct a search. If we aren’t careful, this powerful tool that the FBI now uses, like other powerful tools, will eventually trickle down to state and local police departments.

The government should be fighting to secure computers — not to hack them or to stockpile exploit codes that can be lost or stolen, and then misused and abused. As we told the Ninth Circuit, the Fourth Amendment needs to protect the public’s privacy and security. Secretive and unregulated government hacking endangers both.


Dr. Joseph Goebbels

Face it, if the government wants to stick its big nose into your business, it is going to. Your best bet is not to have any business that the government would want to stick its big nose into. Remember all forms of electronic communication are susceptible to interception by third parties and it is too easy and too much of a temptation for them to do so.

Curious bystander

Dr Goebbels (interesting choice of name), did you enjoy the whizzing noise as the point being made went over your head?

Your comment is of zero relevance to the victims of WannaCry malicious code, which included individuals, companies and hospitals. It's like saying "oh if you're a criminal, the police should be able to shoot you - by spraying assault rifles that endanger anyone else who happens to be on the block".

Dr. Joseph Goebbels

I enjoy all whizzing sounds, especially the one when I, myself, am taking a whiz. All my comments here have "zero relevance", and you are not the first person to notice this. No soup for you.

Anonymous

Goebbels is right. All “his” comments are irrelevant and often have no meaning. However, “he” has the right to free speech. If one person has it, all have it. Even the dumbass Gerald Broflowski that feels so sorry for themselves that they can’t help but cause disruption and discord. They are often whites with privileges they fear will disappear. Or they might just be a crazy asshole with nothing better to do. Either way they’re easy to ignore and track electronically for mental illness leading to violent action.

FreeHacker

What point was made by this pointless article? Everyone knows the FBI, NSA, CIA and other agencies work hand in hand. Ever since 9/11, and the white people’s resolve to unite, each agency has had close links with each other, sharing techniques and technology.

Don’t be surprised if that fat assed FBI boss in Texas is watching you jack off right now.

Anonymous

I'm more concerned about the REPUBLICAN Congress regulating the censorship of social media. Have you liberals missed the fact that the Republican Congress is taking control of that? I'm fine with the malware. It's not much different from a stakeout.

Anonymous

It's hard to quantify the grave harm these bureaucrats do when they betray their oath of office to uphold the U.S. Constitution. Maybe it started with the Tonkin Gulf, McCarthyism and COINTELPRO - but there is harm, that may destroy the nation, when Americans have absolutely no faith in their government institutions. Maybe the FBI can violate their oath of office with impunity and get away with it - but that cynicism by their employers, the American people, has a very steep cost.

Maybe the top focus should be on returning integrity to the Judicial Branch - some states have virtually made politicians like the other two political branches. The Judicial Branch needs to check & balance the political branches like the FBI.

Anonymous

It started with paranoid old white people, mostly Christian, who couldn’t tolerate anyone that didn’t love Jesus. You know what, fuck Jesus, there, I said it. He was a lazy ass gay Jew with a foot fetish. Yup, it’s true. That’s right, the Bible says Jesus slept and ate with 12 other dudes day and night. Story after story of “brotherly” love, no wonder Ben Franklin was gay.

I killed Jesus Christ. I stabbed him in the side with a long sword while my friend took a selfie of us. It was fun, but I never forgave myself.

Known as jorge

I am a victim for over 3.5 yrs of Gangstalking. I've been harassed, and even last year I was assaulted and sent to the trauma center by people who in my opinion were hired by organized stalkers to beat me up outside a port-a-potty. I was called a crackhead, paranoid, crazy, Mexican, a faggot, and other horrible things as they justified the beating. As I sit at the MLK centro, the jornaleros, I have individuals who serve as civilian informants, playing the usual mind games. People have been offered incentives in order to try to irritate me. But if anything happens to me, as I have even said outside Portland's city hall, the blame will go to the group who since 2014 have victimized me and committed violations of privacy and civil rights. I don't endorse crime, nor do I allow anyone to speak on my behalf. Only I can verify any information anyone has about me. And if Organised stalkers have influenced anything, then I have to ask them to sign a piece of paper confirming that they back the accusations they have, with their names, the non-profit or group they represent, somewhere where sources can be verified, and with my consent.

Only I can verify anything positive or negative. I have been under 24/7 surveillance for over 3.5 yrs, and most of the people I see every day don't have the right to spread their opinions about me as facts without first verifying with me. Organised stalkers yesterday were accusing me of being paranoid and on some type of drug, and they were wrong. They would even go as far as to ask people to entrap me, and have me look or get my attention at a person or a house, and then accuse me of being a pervert, or crazy.

But every day I go out and collect cans, since they have prevented me from obtaining a full-time job by going to businesses and telling lies to employees or managers, and when I had a nice job, they make it obvious they influence people to act in a manner that they think will make me paranoid or stressed, and even make jobs dangerous when they get their influence, like on a construction site I worked at for about a week before I told the person who hired me I was not able to work anymore. I even posted on my blog 4 hours before I quit that I would not return, because I will not have someone cause an accident due to poor judgement and anger at me, due to lies and promises by organized stalkers. I worked real hard and got compliments, and Gangstalkers don't like any positive feedback at me.

Known as jorge

The computers at Multnomah county library have root certificates and Organised stalkers are able to remote access them; every time I go there, they're able to hack them. I've been trying to tell people for over 3.5 yrs. I told Lars Larson, Federal Protective Services, the library staff, and even tried over at city hall.

But as usual Gangstalkers' influence tells them I'm crazy or paranoid. It's easy to spot when they influence people, by the gestures and the usual "whatever". Last time I was at city hall I asked people outside to ask the staff there if they in any way, shape or form were expecting me there, or intentionally acted in a manner that would make me feel bad. I want them to go and ask, because if I got lied to, can you also be lied to, or have city hall staff act in a manner that is not professional against you, due to influences by organized stalkers? I'm not sure if I would be taken seriously. So ask in writing if they said the truth to me, yes or no, and then tell me so that I would know for sure.

It's been almost 4 yrs and I feel positive because the truth is starting to show, when people are starting to ask if in reality the accusations against me by Organised stalkers were true. They will not produce a document where they can 100% back all accusations as facts. So due to poor judgement and in my opinion lack of common sense, especially since for 3.5 yrs they can't figure out if I'm good or not, I can't allow anyone from their group to say anything positive or negative as a fact without first verifying with me. Period, no exceptions.
