The United States Department of Justice wants to broaden its ability to hack criminal suspects’ computers, according to a new legal proposal that was first published by The Wall Street Journal on Thursday.

If passed as currently drafted, federal authorities would gain an expanded ability to conduct “remote access” under a warrant against a target computer whose location is unknown or outside of a given judicial district. It would also apply in cases where that computer is part of a larger network of computers spread across multiple judicial districts. In the United States, federal warrants are issued by judges who serve one of the 94 federal judicial districts and are typically only valid for that particular jurisdiction.

The 402-page document entitled “Advisory Committee on Criminal Rules" is scheduled to be discussed at an upcoming Department of Justice (DOJ) meeting next month in New Orleans.

Federal agents have been known to use such tactics in past and ongoing cases: a Colorado federal magistrate judge approved sending malware to a suspect’s known e-mail address in 2012. But similar techniques have been rejected by other judges on Fourth Amendment grounds. If this rule revision were to be approved, it would standardize and expand federal agents’ ability to surveil a suspect and to exfiltrate data from a target computer regardless of where it is.

Peter Carr, a DOJ spokesperson, told Ars that he was “not aware of any figures” as to how many times such “remote access” by law enforcement has taken place.

Cracking Tor is hard!

Civil libertarians and legal experts are very concerned that this would unnecessarily expand government power.

“It is nuts,” Chris Soghoian, a technologist and senior policy analyst with the American Civil Liberties Union, told Ars.

“What’s most shocking is that they’re not going to Congress and asking for this authority. This is a pretty big shift. This is a dangerous direction for the government to go in, and if we’re going to go in that direction then we really need Congress to sign on the dotted line, and [the DOJ is] trying to sneak it through the back door.”

Carr told Ars that the change is needed to combat criminals who use “sophisticated anonymizing technologies,” like Tor.

“Our proposal would not authorize any searches or remote access not already authorized under current law,” he wrote by e-mail. “The proposal relates solely to venue for a warrant application.”

Carr did not answer Ars’ specific questions as to the technical capabilities of such actions nor whether its capability involves zero-day exploits.

“The documents don’t reveal what the FBI is using,” the ACLU’s Chris Soghoian added. “They’re probably using zero-days, and there are a huge number of policy discussions associated with the use of zero-days by law enforcement. These issues are too important to be taking place without public debate. If we’re going to enter this world of law enforcement hacking, it needs to happen after an open discussion where our legislative officials vote for or against it. The government shouldn’t just grab this power for themselves.”

“Locating them can be impossible”

Carr also sent Ars a five-page letter dated September 18, 2013 from Mythili Raman, an acting assistant attorney general to Judge Reena Raggi, a federal judge in Brooklyn who is the chair of the Advisory Committee on Criminal Rules.

Raman’s letter to the judge further outlines the government’s case and its need to “better enable law enforcement to investigate and prosecute botnets and crimes involving Internet anonymizing technologies, both of which pose substantial threats to members of the public.”

As she writes:

For example, a fraudster exchanging email with an intended victim or a child abuser sharing child pornography over the Internet may use proxy services designed to hide his or her true IP address. Proxy services function as intermediaries for Internet communications: when one communicates through an anonymizing proxy service, the communications pass through the proxy, and the recipient of the communications receives the proxy's IP address, rather than the originator's true IP address. There is a substantial public interest in catching and prosecuting criminals who use anonymizing technologies, but locating them can be impossible for law enforcement absent the ability to conduct a remote search of the criminal's computer. Law enforcement may in some circumstances employ software that enables it through a remote search to determine the true IP address or other identifying information associated with the criminal's computer.

Ruthann Robson, a law professor at the City University of New York, told Ars that the new proposed changes are indeed disturbing.

“While the suggestion is to have some sample warrants reviewed by a subcommittee, one wonders how this might be helpful, especially if these ‘sample’ warrants become ‘model’ warrants that prosecutors use and that judges learn in their continuing judicial education classes,” she said, referring to a draft sample warrant included in the 402-page document. “Adapting the warrant requirement for the extraterritorial technologies is difficult, but the Fourth Amendment nevertheless requires warrants to be supported by oaths and ‘particularly describing the place to be searched, and the persons or things to be seized.’”

One warrant to rule them all

The government appears to have already heard some opposition to the proposed rule change.

Orin Kerr, a professor of law at George Washington University and one of three committee members who is not a sitting judge or prosecutor, raised similar questions to his fellow committee members in memos also included in the 402-page proposal.

Under the proposal, Kerr points out that gaining user data via this proposed method as a matter of course will “have two major policy implications” in terms of how searches are executed and whether and how the target is notified. The first, he notes, would make it more likely that law enforcement would use this delayed-notice, remote-search tactic. The second, these new warrants would allow the government to avoid issuing individual warrants to individual companies under the Electronic Communications Privacy Act (ECPA).

At present, Kerr writes, getting user data from Apple, Dropbox, and Amazon requires three separate warrants issued to those three different companies.

Critically, this means that the government must show probable cause as to each service. It must show that there is probable cause to believe that there is evidence in the Dropbox account; probable cause to believe that there is evidence in the Google Cloud account; and probable cause to believe that there is evidence in the Amazon Cloud Drive account. I gather that this would no longer be true under Mr. Wroblewski’s proposed rule. Because all of the accounts would be accessible through remote access, the government could obtain a single warrant to search the target’s home and all of their cloud services together. Investigators could search directly instead of obtaining ECPA warrants. There would only need to be one showing of probable cause, not many. The only issue would be existence of probable cause somewhere in computers owned and operated by that person, rather than probable cause as to evidence being located in each place (whether physical or in the cloud) where the warrant would be executed. I can appreciate the view that these two changes are beneficial changes. They are understandably attractive to law enforcement: They enable the government to search more and with less notice to targets. Replacing physical searches with remote searches also has the salutary effect of less intrusive searches, at least if the remote searches are not later followed by subsequent physical searches. At the same time, there are also significant arguments on the other side. Some may prefer a stronger notice requirement and may object to a new norm of delayed-notice remote searches. Others may prefer requiring the government show probable cause as to each cloud service. Either way, choosing between the two rules requires difficult decisions about how to balance law enforcement and civil liberties concerns.

Hanni Fakhoury, a staff attorney for the Electronic Frontier Foundation, wrote that the EFF agrees with Kerr's concerns. "There are serious particularity problems with allowing the government to search multiple computers remotely," Fakhoury wrote. "What's even more troubling is we know that these 'network investigative techniques' are really just malware that is capable of hijacking a computer. These sorts of invasive tools require vigilant oversight and should be used in only the most extreme of circumstances."