FBI Might Break Into the Computers of VPN and Tor Users

A law professor claims that the DOJ wants to equip the FBI with the power to hack into computers located outside the United States. The proposal put forward by the Department of Justice (DOJ) to amend the Rule 41 of the Federal Rules of Criminal Procedure will make it easier for law enforcement officials to break into the computers of people trying to protect their privacy.


Photo: Gil C / Shutterstock

The proposed changes to the ‘search and seizure’ rules would give the FBI authority to seize targets whose physical location is ‘concealed through technological means,’ which means that the device was hosted on the Darknet. A tech savvy user can accomplish this using several technologies. They can, for example, use Tor or a proxy server. They can also make use of a VPN server.

When people use technologies like a VPN or Tor, it makes it difficult for law enforcement authorities to know the exact location of the individuals trying to safeguard their anonymity. Without this knowledge, it is difficult to decide which district has the authority to issue warrants.

The proposed amendment to Rule 41 will allow law enforcement officials in the US to break into the computer of any individual using anonymizing techniques. They will not need to know the geographical location of the computer first.

Law professor Ahmed Ghappour feels that the proposed amendment would result in what is perhaps “the broadest expansion of extraterritorial surveillance power since the inception of FBI.”

This, however, does not mean that FBI will use malicious software to infect the computers of individuals who use a virtual private network or Tor.

However, if the rule is amended, the government will have the legal right to secretly deploy software for remote searching of computers. And that software will make it possible for the FBI to surreptitiously upload photos, files, or emails. The software will also be able to turn on the microphone and webcam attached to the computer on which it is installed. The physical location of the computer does not matter.

The Department of Justice said that it was not seeking the authority to search electronic data stored in a foreign country as the 4th Amendment will only apply to US persons. Ghappour, however, argues that the nature of the technology will make it almost unavoidable to do so.

Ghappour is a visiting professor at UC Hastings College of Law. He is also the Director of the Liberty, Security and Technology Clinic, where he deals with legal issues arising in cybersecurity, counterterrorism prosecutions, and espionage. He warns that the amendment will give the FBI the authority to investigate general crimes as if they were investigating terrorism.

He is particularly concerned about the proposed changes to the rule that will deal with the authority to issue warrants.

“A magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.”

This type of FBI hacking will be broadly classified as ‘Network Investigative Techniques.’ This gives the FBI the authority to use technical force on any computer using anonymizing technology. The professor is worried about FBI hacking into computers located in other countries. This, he feels, might even start a cyberwar.

In his opinion, there has to be a comprehensive deliberation before amending the Rule 41. He argues that Network Investigative Techniques such as these have to be used carefully and only in cases where less intrusive techniques have failed.

He also suggests that the rule should limit the scope of hacking methods it authorizes. ‘Remote access’ has to be restricted to the deployment of constitutionally acceptable techniques of law enforcement. In addition, any malware that the FBI might deploy should require the target to click a malicious link contained in a deceptive email. Also search capabilities should be restricted to simple monitoring and copying of information on the device.

The rule must not permit drive-by downloads which infect all devices that associate with a particular website, deployment methods that might indiscriminately infect all computer networks along the way, or the deployment of weaponized software. Neither should the rule permit search methods that would allow investigators to take control of the peripheral devices like microphone or camera.

The general public can voice their opinion on the preliminary draft until Feb. 17, 2015.

The DoJ, however, said that the proposed amendment will not give the court the authority to issue warrants that permit overseas searches.

When asked whether the enhanced extraterritorial power of the FBI might encroach on NSA’s turf, Ghappour said that the implications can be more severe and the issue might even affect the CIA and US State Department. In his opinion, uncoordinated unilateral cyber operations by the FBI may as well interfere with America’s foreign affairs.