FBI Bungles Malware Attempt As Courts Begin To Question Its Legality
from the fbi-as-script-kiddies dept
Back during the summer, we wrote about how the FBI was increasingly using malware to spy on people (though it apparently tried to avoid using it on technically savvy people, so that its capabilities would not be “discovered”). Now the Washington Post has more details, based on court documents, on how the FBI uses malware when trying to track someone down. It also notes that at least some courts have balked at such techniques, pointing out that they go way too far and probably violate the 4th Amendment.
The FBI has been able to covertly activate a computer’s camera — without triggering the light that lets users know it is recording — for several years, and has used that technique mainly in terrorism cases or the most serious criminal investigations, said Marcus Thomas, former assistant director of the FBI’s Operational Technology Division in Quantico, now on the advisory board of Subsentio, a firm that helps telecommunications carriers comply with federal wiretap statutes.
The FBI’s technology continues to advance as users move away from traditional computers and become more savvy about disguising their locations and identities. “Because of encryption and because targets are increasingly using mobile devices, law enforcement is realizing that more and more they’re going to have to be on the device — or in the cloud,” Thomas said, referring to remote storage services. “There’s the realization out there that they’re going to have to use these types of tools more and more.”
The ability to remotely activate video feeds was among the issues cited in a case in Houston, where federal magistrate Judge Stephen W. Smith rejected a search warrant request from the FBI in April. In that case, first reported by the Wall Street Journal, Smith ruled that the use of such technology in a bank fraud case was “extremely intrusive” and ran the risk of accidentally capturing information of people not under suspicion of any crime.
Smith also said that a magistrate’s court based in Texas lacked jurisdiction to approve a search of a computer whose location was unknown. He wrote that such surveillance software may violate the Fourth Amendment’s limits on unwarranted searches and seizures.
Yet another federal magistrate judge, in Austin, approved the FBI’s request to conduct a “one-time limited search” — not involving the computer’s camera — by sending surveillance software to the e-mail account of a federal fugitive in December 2012.
Still, the report details how the FBI can insert malware in a variety of ways, and that the malware can often do things like turn on your camera without the light turning on. In most past reports of malware turning on cameras, the light still went on. It appears that this is all the more reason for people to tape over their cameras. That said, it could be even worse. If they can turn on your camera remotely, they can almost certainly turn on your microphone remotely as well. And, of course, with a microphone there is no light in the first place and you can’t just cover it up. Voila, instant wiretaps beyond just phone calls. Seems extreme, but does anyone doubt that the FBI can do this, and likely does do this?
Of course, the Washington Post report also shows that while the FBI may be able to create and install malware like this, it also seems to make an awful lot of mistakes:
Federal magistrate Judge Kathleen M. Tafoya approved the FBI’s search warrant request on Dec. 11, 2012, nearly five months after the first threatening call from Mo. The order gave the FBI two weeks to attempt to activate surveillance software sent to the firstname.lastname@example.org e-mail address. All investigators needed, it seemed, was for Mo to sign on to his account and, almost instantaneously, the software would start reporting information back to Quantico.
The logistical hurdles proved to be even more complex than the legal ones. The first search warrant request botched the Yahoo e-mail address for Mo, mixing up a single letter and prompting the submission of a corrected request. A software update to a program the surveillance software was planning to target, meanwhile, raised fears of a malfunction, forcing the FBI to refashion its malicious software before sending it to Mo’s computer.
The warrant authorizes an “Internet web link” that would download the surveillance software to Mo’s computer when he signed on to his Yahoo account. (Yahoo, when questioned by The Washington Post, issued a statement saying it had no knowledge of the case and did not assist in any way.)
The surveillance software was sent across the Internet on Dec. 14, 2012 — three days after the warrant was issued — but the FBI’s program didn’t function properly, according to a court document submitted in February.
“The program hidden in the link sent to email@example.com never actually executed as designed,” a federal agent reported in a handwritten note to the court.
This looks like the typical case where, once law enforcement has a tool, it looks to use it more and more, even as it clearly has not yet worked out the kinks, and there’s been no real chance for a comprehensive look at whether or not the use of such tools is legal, beyond what individual judges are deciding on a case-by-case basis.
Of course, just the fact that the FBI is able to turn on cameras and microphones without letting someone know has some pretty serious consequences. Jon Schwarz pointed out the basic similarities to 1984 about what happens when the government can magically spy on just about anyone without you knowing about it. Making people live in fear is not what “freedom” is about, now is it?