Botnet Bill Could Give FBI Permission To Take Warrantless Peeks At The Contents Of People's Computers

from the mind-if-we-take-a-look-around,-they-asked-never dept

In a recent ruling in a child porn investigation case, a judge declared that the FBI’s Network Investigative Technique (NIT) — which sent identifying user info from the suspect’s computer to the FBI — was the equivalent of a passing cop peering through broken blinds into a house.

[I]n Minnesota v. Carter, the Supreme Court considered whether a police officer who peered through a gap in a home’s closed blinds conducted a search in violation of the Fourth Amendment. 525 U.S. 83, 85 (1998). Although the Court did not reach this question, id at 91, Justice Breyer in concurrence determined that the officer’s observation did not violate the respondents’ Fourth Amendment rights. Id at 103 (Breyer, J., concurring). Justice Breyer noted that the “precautions that the apartment’s dwellers took to maintain their privacy would have failed in respect to an ordinary passerby standing” where the police officer stood.

What would normally be awarded an expectation of privacy under the Fourth Amendment becomes subject to the “plain view” warrant exception. If a passerby could see into the house via the broken blinds, there’s nothing to prevent law enforcement from enjoying the same view — and acting on it with a warrantless search.

Of course, in this analogy, the NIT — sent from an FBI-controlled server to unsuspecting users’ computers — is the equivalent of a law enforcement officer first entering the house to break the blinds and then claiming he saw something through the busted slats.

The DOJ may be headed into the business of breaking blinds in bulk. Innocuous-sounding legislation that would allow the FBI to shut down botnets contains some serious privacy implications.

Senators Whitehouse (D-RI), Graham (R-SC), and Blumenthal (D-CT) introduced the Botnet Prevention Act in May, which (among other things) amends the portion of federal law (18 U.S.C. § 1345) that authorizes these injunctions. The bill would expand § 1345 by adding violations of a section of the Computer Fraud and Abuse Act (“CFAA”) that covers botnets (and more) to the list of offenses that trigger the DOJ’s ability to get an injunction.

More specifically, it would allow injunctions in all violations or attempted violations of subsection (a)(5) of the CFAA that result or could result in damage to 100 or more computers in a year, including any case involving the “impair[ment of] the availability or integrity of the protected computers without authorization,” or the “install[ation] or maintain[nance of] control over malicious software on the protected computers” that “caused or would cause damage” to the protected computers.

It only sounds like a good idea: the government riding to the rescue of unaware computer users whose devices have been pressed into service by malware purveyors and criminals. But, as Gabe Rottman of CDT points out, there’s some vague wording in the existing law that would undercut important Fourth Amendment protections when used in conjunction with the DOJ’s botnet-fighting powers.

Buried deep within § 1345(b) is a single phrase that could open up a number of thorny issues when this injunctive authority is applied to botnets. The section not only allows the government to obtain a restraining order that stops someone from doing something nefarious, but also an order that directs someone to “take such other action, as is warranted to prevent a continuing and substantial injury . . . .”

Rottman points to the FBI’s 2011 shutdown of the Coreflood botnet. After obtaining a restraining order under the federal rule, the FBI used its own server to issue commands to infected computers, halting further spread of the malware and shutting down the software on infected host devices. Again, this seems like a good use of the government’s resources until you take a closer look at what’s actually happening when the FBI does this sort of thing.

The court hearing the Coreflood case accepted the government’s argument that the “community caretaker” doctrine allowed the transmission of the shutdown order, as the action was “totally divorced from the detection, investigation, or acquisition of evidence relating to the violation of a criminal statute.” At the time, the government likened its actions to a police officer who, while responding to a break-in, finds the door to a house open or ajar and then closes it to secure the premises.

The “community caretaker” function is one exception to warrant requirements. Accessing people’s computers without their permission under these auspices allows the FBI to avail itself of a second warrant exception.

In order to scrub private computers for malware, the government would, by necessity, have to search the computer and its contents for the malware. Once the door is ajar, rather than closing it, the police would actually “walk in” to the computer. And anything they find in “plain view” can be used as evidence of a crime. Nothing in the current version of the bill would prevent such a search or collection, giving the government the potential means to search countless computers of victims of the botnet (not the perpetrators) without a warrant.

While these are both valid exceptions to warrant requirements, they’ve never been deployed on this sort of scale. Officers can perform community caretaker functions that may result in contraband being discovered in plain view. When the FBI takes on a botnet, however, it will have access to potentially thousands of computers at a time and the legislated permission to not only “enter” these computers, but to take a look around at the contents.

The Fourth Amendment was put into place to end the practice of general warrants. The FBI’s botnet-fighting efforts turn court-ordered injunctions into digital general warrants, only without the pesky “warrant” part of the phrase. And, unlike other warrants, the proposed legislation would do away with another Fourth Amendment nicety: notification.

As CDT noted in its comments on the Rule 41 change mentioned above, potentially as many as a third of computers in the United States are infected with some form of malware. And, botnets are extremely hard to clean up, especially when you depend on victims to voluntarily submit their computers for cleaning. Given this reality, unless notice is required by statute, law enforcement would have an incentive to dispense with notice in the much wider array of shutdowns permitted under the Graham-Whitehouse bill.

The bill has only been introduced and there’s no forward motion as of yet. It’s in need of serious repair before it heads further up the legislative chain. As it’s written, there’s nothing standing between people’s personal files and a host of digital officers wandering through virtual houses in search of malware and searching/seizing anything else that catches their eye.


Comments on “Botnet Bill Could Give FBI Permission To Take Warrantless Peeks At The Contents Of People's Computers”

That One Guy (profile) says:

Just wondering...

So out of curiosity, what stops them from simply claiming that a given system was infected and searching it without a warrant for potentially incriminating evidence? Or just for fun? If they don’t need a warrant, and they don’t have to tell the one whose computer they accessed, seems to me they could just search any computer they wanted at whim without any real limit, simply by claiming that they thought it was infected.

Nah, I’m sure the paragons of virtue in the FBI would never do something like that given the total respect they have for the rights and privacy of the public, such that they would never abuse their power in such a manner. Never mind, I see now it was a silly thought and one completely divorced from reality.

David says:

Re: Just wondering...

So out of curiosity, what stops them from simply claiming that a given system was infected

What makes you think they cannot make bloody sure the system was infected? An attack vector for a secret search and an attack vector for an infection are pretty much the same thing. They just put through a different payload.

That One Guy (profile) says:

Re: Re: Just wondering...

Oh I’m sure the FBI would never do something like that, I mean really now, it’s not like we’re talking about an agency with a history of setting up patsies just to bust them so they can crow about how awesome they are at stopping criminals/terrorists/communists.

The very idea that they would themselves infect a system in order to have an excuse to search it is just beyond absurd, and in fact you should feel ashamed for expressing or even having doubt about such a sterling and law abiding agency, as such thoughts are absolutely un-American and dare I say it even a little red.

AJ says:

I wonder what happens when you “peek” through the blinds of the FBI? I’m betting, if you even managed to survive the peeking itself, they would seize your computers, shoot your dog, put you on the sex offender registry and the no fly list, label you a terrorist/traitor, then question you by making you watch reruns of Happy Days with the volume wide open while waterboarding you… and of course it would all be legal because the secret court would have had a secret judge sign off on the secret paper that you could never see, or even be told actually existed.

DannyB (profile) says:

What exactly is PLAIN VIEW in this case?

So the FBI’s software looks at your network for specific traffic, or looks into your computer files for specific malware, and / or looks into your computer’s memory for specific malware in memory.

So far, I don’t have a big problem here — although I trust the government in my computer even less than I trust the malware.

Now the question. What is plain view? Even if the FBI injects a software payload into the computer’s memory to look for very specific things; what is ‘plain view’ as far as anything else I have on my computer?

It’s not like this injected software has artificial intelligence and can say: oh, my, that’s pr0n! Or that file has a very anti-government file name (gasp!).

The only way ANYTHING would be in ‘plain view’ is if they start exhaustively searching the computer for things. And those searches would be by nature of a search, directed at specific targets.

Or would the FBI have a live agent interacting with the FBI’s malware, so the agent could selectively view files with names that seem interesting to the agent? And would such an approach scale?

art guerrilla (profile) says:

Re: What exactly is PLAIN VIEW in this case?

yep, have ZERO trust that ANY gummint agency is actually going to spy on me for my own benefit…
not to mention one of the reasons WHY we are all extra vulnerable is because the spooks are hoarding zero-day exploits they refuse to reveal which would actually help protect us all; OR, they have actually written (or paid some hackers to program) malware and other intrusive software which i am absolutely certain never finds its way into the sweaty palms of nogoodniks…

That One Guy (profile) says:

Re: Re:

If they can make what they were doing in the shadows legal (often retroactively), then that means they can and will do even worse down the road.

“Before this bill we couldn’t do X legally (we still did it of course), but now we can. Y was an even more invasive action, but at the time we figured that we were toeing the line enough with X, so we held off. Now that we can do X though, Y’s not that much worse…”

GEMont (profile) says:

A government, by any other name, still smells.

Even a rabbit will fight back when cornered.

Should be less than a decade now, till we start getting some good old fashioned and obviously-illegal defense software for the home and office.

You know, little apps that can determine the presence of unauthorized “users”, verify that they are indeed unauthorized, backtrack to their origin, ascertain that the origin is indeed the actual source of the intrusion and upload a nastygram-destructo-dragon-worm on the perps there, turning their computers into smouldering door-stops and ending that particular intrusion, in just a few seconds.

Yeah sure there will be some mistakes at first and a few innocents will be mistakenly cyber-assaulted, but time will force the public to begin demanding something for the defense of their property against a government that follows no rules and obeys no laws.

I’m hoping it is sooner, rather than later, because this situation is not going to get any better over time, when the perps are also the people who selectively uphold the laws of the land and who are themselves now only accountable to the set of secret rules and laws that they themselves wrote.

Push the public far enough and often enough and they will push back.

What does one call a “government” whose actions follow no rules and obey no laws?

A “gang” might suit.
