from the freedom?-what-freedom? dept
The DOJ proposal will result in significant departures from the FBI’s customary practice abroad: overseas cyber operations will be unilateral and invasive; they will not be limited to matters of national security; nor will they be executed with the consent of the host country, or any meaningful coordination with the Department of State or other relevant agency.In short, every new criminal investigation by the FBI will open up the possibility of a diplomatic nightmare and embarrassment. But, really, who cares when there are criminals to go after, right?
Under the DOJ’s proposal, unilateral state action will be the rule, not the exception, in the event an anonymous target “prove[s] to be outside the United States.” The reason is simple: without knowing the target location before the fact, there is no way to provide notice (or obtain consent from) a host country until after its sovereignty has been encroached.
Without advanced knowledge of the host country, law enforcement will not be able to adequately avail itself to protocols currently in place to facilitate foreign relations. For example, the FBI will not be able to coordinate with the Department of State before launching a Network Investigative Technique. This puts the U.S. in a position where a law enforcement entity encroaches on the territorial sovereignty of foreign states without coordination with the agency in charge of its foreign relations.
When a state’s sovereignty is encroached upon, its response depends on the nature and intensity of the encroachment. In the context of cyberspace, states (including the United States) have asserted sovereignty over their cyber infrastructure, despite the fact that cyberspace as a whole, much like the high seas or outer space, is considered a “global common” under international law.The Chelyabinsk incident refers to involved Russia filing criminal hacking charges against the FBI for the FBI logging into a Russian server, seeking evidence against some Russian hackers.
[....] Given the public nature of the U.S. criminal justice system, it is hard to see how the FBI will avoid risk of prosecution (similar to that in the Chelyabinsk incident) if the DOJ proposal is approved.
And, of course, there are other issues with the proposal as well -- as you'd expect any time you see law enforcement seek to move anti-terrorism tools over to standard crime-fighting. For example, the current proposal could authorize questionable hacking techniques by the FBI. Ghappour suggests that if the DOJ really wishes to push forward with such a proposal, it needs to clearly limit the techniques that are allowed:
Of course, why would the DOJ ever limit itself when it has the chance to get access to an even more powerful tool for hacking into anyone's computers?
The Rule should not authorize drive-by-downloads that infect every computer that associates with a particular webpage, the use of weaponized software exploits in order to establish “remote access” of a target computer, or deployment methods that risk indiscriminately infecting computer systems along the way to the target. Nor should the Rule authorize a “search” method that requires taking control of peripheral devices (such as a camera or microphone).
There are other suggestions, of course. As it stands, the proposed amendment allows the FBI to use a wide array of invasive (and potentially destructive) hacking techniques where it may not be necessary to do so, against a broad pool of potential targets that could be located virtually anywhere.