In a recent ruling in a child porn investigation case, a judge declared that the FBI's Network Investigative Technique (NIT) -- which sent identifying user info from the suspect's computer to the FBI -- was the equivalent of a passing cop peering through broken blinds into a house.
[I]n Minnesota v. Carter, the Supreme Court considered whether a police officer who peered through a gap in a home's closed blinds conducted a search in violation of the Fourth Amendment. 525 U.S. 83, 85 (1998). Although the Court did not reach this question, id at 91, Justice Breyer in concurrence determined that the officer's observation did not violate the respondents' Fourth Amendment rights. Id at 103 (Breyer, J., concurring). Justice Breyer noted that the "precautions that the apartment's dwellers took to maintain their privacy would have failed in respect to an ordinary passerby standing" where the police officer stood.
What would normally be awarded an expectation of privacy under the Fourth Amendment becomes subject to the "plain view" warrant exception. If a passerby could see into the house via the broken blinds, there's nothing to prevent law enforcement from enjoying the same view -- and acting on it with a warrantless search.
Of course, in this analogy, the NIT -- sent from an FBI-controlled server to unsuspecting users' computers -- is the equivalent of a law enforcement officer first entering the house to break the blinds and then claiming he saw something through the busted slats.
The DOJ may be headed into the business of breaking blinds in bulk. Innocuous-sounding legislation that would allow the FBI to shut down botnets contains some serious privacy implications.
Senators Whitehouse (D-RI), Graham (R-SC), and Blumenthal (D-CT) introduced the Botnet Prevention Act in May, which (among other things) amends the portion of federal law (18 U.S.C. § 1345) that authorizes these injunctions. The bill would expand § 1345 by adding violations of a section of the Computer Fraud and Abuse Act (“CFAA”) that covers botnets (and more) to the list of offenses that trigger the DOJ’s ability to get an injunction.
More specifically, it would allow injunctions in all violations or attempted violations of subsection (a)(5) of the CFAA that result or could result in damage to 100 or more computers in a year, including any case involving the “impair[ment of] the availability or integrity of the protected computers without authorization,” or the “install[ation] or maintain[nance of] control over malicious software on the protected computers” that “caused or would cause damage” to the protected computers.
It only sounds like a good idea: the government riding to the rescue of unaware computer users whose devices have been pressed into service by malware purveyors and criminals. But, as Gabe Rottman of CDT points out, there's some vague wording in the existing law that would undercut important Fourth Amendment protections when used in conjunction with the DOJ's botnet-fighting powers.
Buried deep within § 1345(b) is a single phrase that could open up a number of thorny issues when this injunctive authority is applied to botnets. The section not only allows the government to obtain a restraining order that stops someone from doing something nefarious, but also an order that directs someone to “take such other action, as is warranted to prevent a continuing and substantial injury . . . .”'
Rottman points to the FBI's 2011 shutdown of the Coreflood botnet. After obtaining a restraining order under the federal rule, the FBI used its own server to issue commands to infected computers, halting further spread of the malware and shutting down the software on infected host devices. Again, this seems like a good use of the government's resources until you take a closer look at what's actually happening when the FBI does this sort of thing.
The court hearing the Coreflood case accepted the government’s argument that the “community caretaker” doctrine allowed the transmission of the shutdown order, as the action was “totally divorced from the detection, investigation, or acquisition of evidence relating to the violation of a criminal statute.” At the time, the government likened its actions to a police officer who, while responding to a break-in, finds the door to a house open or ajar and then closes it to secure the premises.
The "community caretaker" function is one exception to warrant requirements. Accessing peoples' computers without their permission under these auspices allows the FBI to avail itself of a second warrant exception.
In order to scrub private computers for malware, the government would, by necessity, have to search the computer and its contents for the malware. Once the door is ajar, rather than closing it, the police would actually “walk in” to the computer. And anything they find in “plain view” can be used as evidence of a crime. Nothing in the current version of the bill would prevent such a search or collection, giving the government the potential means to search countless computers of victims of the botnet (not the perpetrators) without a warrant.
While these are both valid exceptions to warrant requirements, they've never been deployed on this sort of scale. Officers can perform community caretaker functions that may result in contraband being discovered in plain view. When the FBI takes on a botnet, however, it will have access to potentially thousands of computers at a time and the legislated permission to not only "enter" these computers, but to take a look around at the contents.
The Fourth Amendment was put into place to end the practice of general warrants. The FBI's botnet-fighting efforts turn court-ordered injunctions into digital general warrants, only without the pesky "warrant" part of the phrase. And, unlike other warrants, the proposed legislation would do away with another Fourth Amendment nicety: notification.
As CDT noted in its comments on the Rule 41 change mentioned above, potentially as many as a third of computers in the United States are infected with some form of malware. And, botnets are extremely hard to clean up, especially when you depend on victims to voluntarily submit their computers for cleaning. Given this reality, unless notice is required by statute, law enforcement would have an incentive to dispense with notice in the much wider array of shutdowns permitted under the Graham-Whitehouse bill.
The bill has only been introduced and there's no forward motion as of yet. It's in need of serious repair before it heads further up the legislative chain. As it's written, there's nothing standing between people's personal files and a host of digital officers wandering through virtual houses in search of malware and searching/seizing anything else that catches their eye.