The FBI is making increasing use of an investigative technique that puts the public’s internet security at risk. This month, the ACLU filed amicus briefs in two cases to challenge the FBI’s use of this technique, which has significant cybersecurity implications for everyone.
The technique — government hacking — involves sending malware over the Internet to search computers remotely, often for information that is transmitted by or stored on anonymous targets’ computers. The malware can give investigators total control over a computer system. Absent extraordinary circumstances, courts should not grant this kind of power to law enforcement — much less with just a run-of-the-mill search warrant.
Malware — software designed to covertly damage a computer, take control of a system, or steal data — is not new to the federal government. The FBI has been deploying tools to search anonymous users’ computers since at least 2002. More recently, however, the FBI has expanded its use of this technique. Rather than deploying tailored malware against individual targets, the agency is now conducting “watering hole” operations that deliver malware to everyone who visits a particular webpage or pages. This can result in hundreds or thousands of computers being compromised, as well as the uncontrolled distribution of malware around the globe.
What the FBI didn’t disclose in court
This month, the ACLU filed briefs in the two cases pending before the Ninth Circuit Court of Appeals that involve the most recent publicly known malware investigation, aimed at users of the Playpen website. Playpen was a site primarily dedicated to disseminating child pornography, though it also hosted some lawful activities like chat and fiction forums. The FBI learned of Playpen, seized the server, and then actually ran the site out of its Virginia offices for two weeks. During that time, the federal government reportedly became one of the largest purveyors in the world of child pornography.
The FBI took this step in an effort to identify people who visited the site, since visitors were using a privacy-protective web browser called Tor to mask their IP addresses, and thus their identities. (Playpen was designed so that only people using Tor could visit it. The U.S. government originally funded Tor, which serves as an essential tool for activism and free speech across the world. Journalists, bloggers, whistleblowers, human rights workers, and other activists have relied on the Tor network to avoid surveillance by potentially repressive regimes.)
To obtain permission to deploy the malware — to which the government gave the anodyne name “Network Investigative Technique,” or “NIT” — the government sought a warrant from a magistrate in the Eastern District of Virginia. The warrant granted the FBI permission to send computer instructions from Playpen to anyone who logged in with a user name and password. These instructions, the magistrate was told, would gather identifying information from the activating computers and send it to the FBI.
In Playpen, the FBI sought to search as many as 158,000 computers around the world with this malware. As a result, there are now approximately 140 Playpen prosecutions for possession of child pornography wending their way through the federal courts. The ACLU has filed several other amicus briefs with the Electronic Frontier Foundation challenging Playpen searches on the grounds that a single warrant cannot lawfully authorize a search of more than 100,000 people, and that the searches unconstitutionally violated Federal Rule of Criminal Procedure 41, which at the time limited magistrates’ ability to authorize searches to the district in which they operate — whereas the Playpen searches were global in scope. (Rule 41 has since been modified and now removes that procedural obstacle for the government to hack remotely.)
In the briefs we filed with several of our affiliates located in the Ninth Circuit this month — United States v. Tippens and United States v. Henderson — we argue that the FBI failed in its duty of candor to the magistrate judge, rendering the searches unconstitutional. What the FBI did not tell the magistrate judge, among other things, is that for its NIT to work, it had to force visitors’ computers to do something that Tor and every other web browser is not supposed to do — download, install, and run the code transmitted by a webpage. To get that to happen, the NIT used exploit code — software designed to take advantage of a flaw in the way the Tor browser works. Further, because the Tor browser runs on the Firefox Mozilla code, this exploit likely worked on millions of Firefox users.
In other words, the government became a hacker, sending exploit code around the country and the world, compromising browser security and searching computers for information. And astoundingly, it didn’t tell the court that this was how the NIT worked. It even kept secret from the magistrate the very fact that it was, through its exploit, planning to take advantage of a vulnerability in Tor (and likely Firefox).
While the public doesn’t know what the vulnerability was, it likely gave the government, in Mozilla’s words, “total control” over the users’ computers. The FBI may have chosen to use that power only to collect identifying information, as it represented in the search warrant affidavit. But it could have accessed far more — and more private — information.
Without knowing that the government’s malware contained an exploit, the court was not in a good position to closely supervise the computer searches that the FBI’s computer instructions conducted. The magistrate likely had no idea she should police the search to ensure that the government would not misuse its capabilities to search private data for which it had no probable cause. Where searches are particularly intrusive (and especially when they involve digital media like computers), Fourth Amendment case law recommends heightened standards of proof for issuing warrants, search protocols, destruction of unrelated materials, and more to ensure that legitimate government searches do not metastasize into fishing expeditions. The magistrate couldn’t have known that she might want to impose such safeguards in this case.
How FBI hacking can hurt the public
Beyond just the facts of this case, the government’s development, storage, and use of exploits create computer security risks for the public that cannot be mitigated by the warrant process. The government may lose control of malware if an insider leaks or sells the tools, if the government itself is hacked, or if a malware target identifies and publishes the code. Once a hacking tool has been disclosed outside the government, malicious actors have a window of opportunity to use it for their own nefarious purposes.
We know the risk that the government will lose control of exploits is real, because we’ve seen it happen a number of times:
- In 2013, the FBI deployed malware on multiple websites hosted by a company called Freedom Hosting. This malware similarly took advantage of a Firefox security vulnerability to identify users of Tor. Innocent individuals who visited the targeted Freedom Hosting sites — which included TorMail, an encrypted email service used by all kinds of people all over the world to ensure privacy in their communications — noticed the hidden computer instructions embedded in the sites, and within days, the code was being “circulated and dissected all over the net.” Eventually, the same attack showed up “in the wild”, using essentially the same exploit the government used to compromise Freedom Hosting visitors to hack users of the Tor browser more widely.
The government’s exploits also can be stolen. In 2016, the public learned that an entity calling itself the Shadow Brokers obtained National Security Agency malware from an external NSA “staging server.” Following some initial attempts to sell the exploits, the Shadow Brokers dumped dozens of NSA hacking tools online for free in April 2017. One of the tools the Shadow Brokers released — called EternalBlue — exploited a flaw in Microsoft software. Once released, the tool was repurposed into a virulent piece of ransomware called WannaCry, which infected hundreds of thousands of computer systems worldwide in May 2017.
The very next month, another malware attack began spreading internationally after initially hitting critical infrastructure in Ukraine. Similar to WannaCry, the worm, dubbed NotPetya, made use of EternalBlue as well as another NSA exploit, called EternalRomance, also released by the Shadow Brokers. WannaCry and NotPetya infected such crucial systems as hospitals, power companies, shipping, and banking, endangering human life as well as economic activity.
Courts have said that dangerous tools used to effectuate otherwise lawful searches — tools like flashbang grenades and battering rams — can be unreasonable under the Fourth Amendment. Government malware is another such tool. Some investigative techniques are just too dangerous to use.
Cybersecurity is hard, and we are not doing a very good job of protecting the systems that we rely on. This task gets even harder if the government is an active attacker on the network with a vested interest in keeping computers insecure in case an investigator wants to conduct a search. If we aren’t careful, this powerful tool that the FBI now uses, like other powerful tools, will eventually trickle down to state and local police departments.
The government should be fighting to secure computers — not to hack them or to stockpile exploit codes that can be lost or stolen, and then misused and abused. As we told the Ninth Circuit, the Fourth Amendment needs to protect the public’s privacy and security. Secretive and unregulated government hacking endangers both.