DOJ Proposal Would Let FBI Hack Into Computers Overseas With Little Oversight

from the freedom?-what-freedom? dept

The DOJ proposal will result in significant departures from the FBI’s customary practice abroad: overseas cyber operations will be unilateral and invasive; they will not be limited to matters of national security; nor will they be executed with the consent of the host country, or any meaningful coordination with the Department of State or other relevant agency.



Under the DOJ’s proposal, unilateral state action will be the rule, not the exception, in the event an anonymous target “prove[s] to be outside the United States.” The reason is simple: without knowing the target location before the fact, there is no way to provide notice (or obtain consent from) a host country until after its sovereignty has been encroached.



Without advanced knowledge of the host country, law enforcement will not be able to adequately avail itself to protocols currently in place to facilitate foreign relations. For example, the FBI will not be able to coordinate with the Department of State before launching a Network Investigative Technique. This puts the U.S. in a position where a law enforcement entity encroaches on the territorial sovereignty of foreign states without coordination with the agency in charge of its foreign relations.

When a state’s sovereignty is encroached upon, its response depends on the nature and intensity of the encroachment. In the context of cyberspace, states (including the United States) have asserted sovereignty over their cyber infrastructure, despite the fact that cyberspace as a whole, much like the high seas or outer space, is considered a “global common” under international law.



[....] Given the public nature of the U.S. criminal justice system, it is hard to see how the FBI will avoid risk of prosecution (similar to that in the Chelyabinsk incident) if the DOJ proposal is approved.

The Rule should not authorize drive-by-downloads that infect every computer that associates with a particular webpage, the use of weaponized software exploits in order to establish “remote access” of a target computer, or deployment methods that risk indiscriminately infecting computer systems along the way to the target. Nor should the Rule authorize a “search” method that requires taking control of peripheral devices (such as a camera or microphone). There are other suggestions, of course. As it stands, the proposed amendment allows the FBI to use a wide array of invasive (and potentially destructive) hacking techniques where it may not be necessary to do so, against a broad pool of potential targets that could be located virtually anywhere.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Ahmed Ghappour, over at JustSecurity, alerts us to a rather frightening proposal from the Justice Department that would enable law enforcement to hack into the computers of people who are trying to be anonymous online . At issue is that current rules basically would extend the powers granted forto, concerning specifically the DOJ/FBI's ability to hack into computers. In the past, judges could issue warrants for such computer hacking if the target was known to be located in the same district. But the proposed change would wipe out that limitation, and basically give the DOJ/FBI the power to get approval for hacking into a much broader range of computers. Without the geographical limitation, there's concern about just how broadly this new power would be (ab)used:In short, every new criminal investigation by the FBI will open up the possibility of a diplomatic nightmare and embarrassment. But, really, who cares when there are criminals to go after, right?The Chelyabinsk incident refers to involved Russia filing criminal hacking charges against the FBI for the FBI logging into a Russian server, seeking evidence against some Russian hackers.And, of course, there are other issues with the proposal as well -- as you'd expect any time you see law enforcement seek to move anti-terrorism tools over to standard crime-fighting. For example, the current proposal could authorize questionable hacking techniques by the FBI. Ghappour suggests that if the DOJ really wishes to push forward with such a proposal, it needs to clearly limit the techniques that are allowed:Of course, why would the DOJ ever limit itself when it has the chance to get access to an even more powerful tool for hacking into anyone's computers?

Filed Under: anonymity, cooperation, diplomacy, doj, fbi, hacking, overseas, tor