• Tag Archives 4th Amendment

  • With Rule 41, Little-Known Committee Proposes to Grant New Hacking Powers to the Government

    Posted on by Azrael 1 Comment

    The government hacking into phones and seizing computers remotely? It’s not the plot of a dystopian blockbuster summer movie. It’s a proposal from an obscure committee that proposes changes to court procedures—and if we do nothing, it will go into effect in December.

    The proposal comes from the advisory committee on criminal rules for the Judicial Conference of the United States. The amendment would update Rule 41 of the Federal Rules of Criminal Procedure, creating a sweeping expansion of law enforcement’s ability to engage in hacking and surveillance. The Supreme Court just passed the proposal to Congress, which has until December 1 to disavow the change or it becomes the rule governing every federal court across the country.  This is part of a statutory process through which federal courts may create new procedural rules, after giving public notice and allowing time for comment, under a “rules enabling act.”1

    The Federal Rules of Criminal Procedure set the ground rules for federal criminal prosecutions. The rules cover everything from correcting clerical errors in a judgment to which holidays a court will be closed on—all the day-to-day procedural details that come with running a judicial system.

    The key word here is “procedural.”  By law, the rules and proposals are supposed to be procedural and must not change substantive rights.

    But the amendment to Rule 41 isn’t procedural at all. It creates new avenues for government hacking that were never approved by Congress.

    The proposal would grant a judge the ability to issue a warrant to remotely access, search, seize, or copy data when “the district where the media or information is located has been concealed through technological means” or when the media are on protected computers that have been “damaged without authorization and are located in five or more districts.” It would grant this authority to any judge in any district where activities related to the crime may have occurred.

    To understand all the implications of this rule change, let’s break this into two segments.

    The first part of this change would grant authority to practically any judge to issue a search warrant to remotely access, seize, or copy data relevant to a crime when a computer was using privacy-protective tools to safeguard one’s location. Many different commonly used tools might fall into this category. For example, people who use Tor, folks running a Tor node, or people using a VPN would certainly be implicated. It might also extend to people who deny access to location data for smartphone apps because they don’t feel like sharing their location with ad networks. It could even include individuals who change the country setting in an online service, like folks who change the country settings of their Twitter profile in order to read uncensored Tweets.

    There are countless reasons people may want to use technology to shield their privacy. From journalists communicating with sources to victims of domestic violence seeking information on legal services, people worldwide depend on privacy tools for both safety and security. Millions of people who have nothing in particular to hide may also choose to use privacy tools just because they’re concerned about government surveillance of the Internet, or because they don’t like leaving a data trail around haphazardly.

    If this rule change is not stopped, anyone who is using any technological means to safeguard their location privacy could find themselves suddenly in the jurisdiction of a prosecutor-friendly or technically-naïve judge, anywhere in the country.

    The second part of the proposal is just as concerning. It would grant authorization to a judge to issue a search warrant for hacking, seizing, or otherwise infiltrating computers that may be part of a botnet. This means victims of malware could find themselves doubly infiltrated: their computers infected with malware and used to contribute to a botnet, and then government agents given free rein to remotely access their computers as part of the investigation. Even with the best of intentions, a government agent could well cause as much or even more harm to a computer through remote access than the malware that originally infected the computer. Malicious actors may even be able to hijack the malware the government uses to infiltrate botnets, because the government often doesn’t design its malware securely. Government access to the computers of botnet victims also raises serious privacy concerns, as a wide range of sensitive, unrelated personal data could well be accessed during the investigation. This is a dangerous expansion of powers, and not something to be granted without any public debate on the topic.

    Make no mistake: the Rule 41 proposal implicates people well beyond U.S. borders. This update expands the jurisdiction of judges to cover any computer user in the world who is using technology to protect their location privacy or is unwittingly part of a botnet. People both inside and outside of the United States should be equally concerned about this proposal.

    The change to Rule 41 isn’t merely a procedural update.  It significantly expands the hacking capabilities of the United States government without any discussion or public debate by elected officials. If members of the intelligence community believe these tools are necessary to advancing their investigations, then this is not the path forward. Only elected members of Congress should be writing laws, and they should be doing so in a matter that considers the privacy, security, and civil liberties of people impacted.

    Rule 41 seeks to sidestep the legislative process while making sweeping sacrifices in our security. Congress should reject the proposal completely.

    Read EFF and Access Now’s joint testimony on Rule 41.

     

    • 1.See 28 U.S.C. § 2073

    Source: With Rule 41, Little-Known Committee Proposes to Grant New Hacking Powers to the Government | Electronic Frontier Foundation


    📂This entry was posted in News and Politics 📎and tagged

  • Secret Court Takes Another Bite Out of the Fourth Amendment

    Posted on by Azrael 1 Comment

    Defenders of the NSA’s mass spying have lost an important talking point: that the erosion of our privacy and associational rights is justified given the focus of surveillance efforts on combating terrorism and protecting the national security. That argument has always been dubious for a number of reasons. But after a November 2015 ruling [.pdf] by the secretive Foreign Intelligence Surveillance Court (FISC) was unsealed this week, it’s lost another chunk of its credibility. The ruling confirms that NSA’s warrantless spying has been formally approved for use in general criminal investigations. The national security justification has been entirely blown.

    That’s because the secret court, over the objection of its hand-selected amicus, determined that once information is collected by the NSA for “foreign intelligence” purposes under section 702 of the FISA Amendments Act, that information can be searched by the FBI for regular criminal investigations without any need for a warrant or prior court oversight. Although the FISC has signed off on the FBI’s procedures claiming this authority for years, this ruling from late 2015 may be the first time the FISC has actually considered their legality.

    Section 702 is the law that the government uses to conduct two massive NSA programs: access to communications as they travel the Internet backbone (called Upstream) and access to communications stored with service providers like Google and Facebook (called Prism).

    According to this ruling, communications like email and Facebook posts collected by the government under the broad authority of section 702 that the FBI has access to—including all “raw” Prism data—can be mined for any “evidence of a crime” and used against you, even if you’re inside the United States.

    The amicus appointed by the FISC, Amy Jeffress a former DOJ attorney, argued:

    the FBI may query the data using U.S. person identifiers for the purposes of any criminal investigation or even an assessment. There is no requirement that the matter be a serious one, nor that it have any relation to national security…[T]hese practices do not comply with….the Fourth Amendment.

    The FISC Court did not listen to its amicus. Instead it applied some faulty (not to mention scary) bootstrap reasoning.

    The court questioned whether it’s constitutional for the FBI to query NSA intelligence databases to find information to use against Americans in regular criminal investigations unrelated to national security. Government lawyers suggested that “targeting” and “minimization” procedures erase the harm that surveillance causes to Fourth Amendment principles, though we’ve explained why those procedures impose inadequate limits and allow unconstitutional spying to continue.  We’re also reminded of Justice Roberts’ recent observation: “the Founders did not fight a revolution to gain the right to government agency protocols.”

    Nevertheless, the FISC court decided that, instead of determining whether the Fourth Amendment was violated by the specific use of NSA collected information against particular Americans in criminal investigations, it only had to determine whether the program “as a whole” violated the Fourth Amendment.  To do that, it perverted a prior case decided by the FISA appeals court, called the FISCR.

    That case, In Re Directives [.pdf], upheld national security surveillance as a “special need” not subject to the Fourth Amendment’s normal warrant requirement, and reasonable specifically because this surveillance was not used for “garden-variety law enforcement.” While we disagree with the In Re Directives case, it plainly rested its analysis on when “surveillance is conducted to obtain foreign intelligence for national security purposes.”

    But according to the FISC, that justification only applies at the time of initial collection (including the kind of massive overcollection that is occurring under 702) and can be completely abandoned once the government has its mitts on your communications.

    The upshot is that the government needs a national security or foreign intelligence purpose only for the initial collection and analysis of information. Once it has communications in its custody, those limitations no longer apply and the government can troll through it for whatever law enforcement purpose it wants without having to worry about getting a pesky warrant.

    Of course we know that the government has lost track of how many things are illegal. So it’s open season.

    This is a constitutional problem. Quite apart from the bait and switch opportunities it creates for the FBI, it’s like saying it’s OK for school officials to set up a drug testing program for non-law enforcement purposes, and then once it’s set up, they can completely abandon that purpose and start testing students to simply to put them in jail. Or that the government can set up a program to test pregnant women for drugs with a goal to get them into treatment, but also hand the information over to the police and use the threat of prosecution as additional leverage.

    The Supreme Court rejected the latter scenario as unconstitutional in Ferguson v. City of Charleston in 2001. Other Supreme Court cases make clear that even holistic, programmatic assessments of Fourth Amendment “reasonableness”—like the one the FISC engages in here—must take into account the invasiveness of these programs. Searching vast databases containing the full content of emails and every website visited by nonsuspect Americans without a warrant is about as invasive as it gets.

    This FISC decision is flawed for all of these reasons. But we won’t get a chance to present those flaws to the court of appeals, much less the US Supreme Court, because in cases before the secret surveillance court only the government, not the amicus (or those of us whose communications are swept up in these massive programs) is allowed to appeal.

    Still, two things are good about this decision. First, we know about it. Second, the court appointed an amicus who did try to get the court to recognize at least some of the Fourth Amendment problems with the government’s actions. Those are both new developments for the FISC, and both are due to parts of the USA Freedom Act that EFF championed.

    We still have a long way to go, but without those sections of the law, we wouldn’t be able to raise our concerns here. Just as important, we wouldn’t be able to use this bad decision to educate Congress about yet another reason why it should let section 702 expire when it comes up for renewal in December 2017.

    Source: Secret Court Takes Another Bite Out of the Fourth Amendment | Electronic Frontier Foundation


    📂This entry was posted in News and Politics 📎and tagged

  • EFF and ACLU Expose Government’s Secret Stingray Use in Wisconsin Case

    Posted on by Azrael Comment

    Thanks to EFF and the ACLU, the government has finally admitted it secretly used a Stingray to locate a defendant in a Wisconsin criminal case, United States v. Damian Patrick. Amazingly, the government didn’t disclose this fact to the defendant—or the court—until we raised it in an amicus brief we filed in the case. In the government’s brief, filed late last week, it not only fails to acknowledge the impact of hiding this fact from the defendant but also claims its warrantless real-time location tracking didn’t violate the Fourth Amendment.

    We first learned about this case when it was already on appeal to the Seventh Circuit Court of Appeals and filed an amicus brief arguing the Fourth Amendment protects all of us from warrantless, real-time location tracking. The government suggested to both Patrick and the trial court that it had relied on location information obtained directly from Sprint. However, we suspected they had instead used a Stingray.

    Stingrays Allow Indiscriminate Dragnet Searches of All Cell Phones in an Area

    Stingrays, otherwise known as cell-site simulators, act as a fake cell-phone tower. They can be small enough to fit in a car and allow the government to direct all cell phones in the area to connect to it instead of the real tower. In doing so, the government can get a very precise picture of exactly where those phones are located—much more precise than many other types of location tracking technologies.

    Stingrays are especially pernicious surveillance tools because they collect information on every single phone in a given area—not just the suspect’s phone—this means they allow the police to conduct indiscriminate, dragnet searches—in some cases on up to 10,000 phones at one time. They are also able to locate people inside traditionally-protected private spaces like homes, doctors’ offices, or places of worship and can be configured to capture the content of communications.

    The Milwaukee Police Department Tried to Hide its Use of a Stingray

    In this case, the police first told Patrick they’d relied on “information obtained from an anonymous source” to find him sitting in the passenger seat of a car parked in an alley in Milwaukee.  It wasn’t until six months after his arrest that they revealed they’d tracked him through his cell phone, and even then they implied they’d gotten location information directly from the cell phone service provider. The government never got a search warrant to use any kind of technology to find Patrick in real time.

    As we’ve seen in other cases involving Stingrays, the government did everything it could in this case to hide the fact that it used a Stingray—from the court that issued the pen register/trap and trace order, the court that heard Patrick’s motion to suppress the evidence, and even from Patrick, himself. In police reports, the officers said only that they “‘obtained information’ of Patrick’s location; . . . had ‘prior knowledge’ that Patrick was occupying the vehicle; . . . [and] ‘obtained information from an unknown source’ that Patrick was inside the vehicle at that location.” And even at an evidentiary hearing where officers admitted to cellphone tracking, they would only acknowledge, cryptically, that they’d received “electronic information” confirming Patrick was in the vehicle. When Patrick’s attorney asked what “electronic information” meant, the officer on the stand would say only that it involved “tracking [a] cell phone.” The judge cut off any further questioning at that point.

    Luckily, in our amicus brief we were able to point the court to Milwaukee Police Department logs showing the police had used a Stingray on the very same day Patrick was arrested, under strikingly similar circumstances.[1] We also directed the court to a non-disclosure agreement, which the Milwaukee police signed just months before Patrick was arrested. In this standard FBI-issued NDA, signed by many other state and local agencies across the country, the police department agreed not to tell anyone (even the judge) in any civil or criminal proceeding that it had used a Stingray. It also agreed to dismiss any case—at the FBI’s request—if the court tried to force it to reveal anything about the device.

    Once we presented these facts to the appellate court, the government finally admitted it used a Stingray but would not concede this should have any impact on the legal analysis in this case. In a footnote to the brief the government filed last week, it even appeared to blame Patrick for failing to raise this at the trial court.

    The Government Admits it Needs a Probable Cause Warrant to Conduct Real-Time Location Tracking

    Interestingly, even though the government doesn’t think it’s secret use of a Stingray impacts this case, it admits that using technology to track someone’s location in real time (whether through location information obtained from the phone company or by using a Stingray) is a “search” for Fourth Amendment purposes. It also admits it needs probable cause and a search warrant to legally execute such a search. This appears to be the first time the government has admitted these things in an appellate case.

    But the government also argues it didn’t violate the Fourth Amendment in this case because it actually got a warrant—or maybe, in the alternative, the equivalent of a warrant (the police had a warrant to arrest (not search) Patrick and a court order (not a search warrant) to track Patrick’s phone). In a confusing and somewhat circular argument, the government asserts that because it submitted a “sworn affidavit” in support of its request for the pen/trap order, the order must have actually been a search warrant—if it hadn’t been a warrant, then it “wouldn’t have needed a finding of probable cause, which it contained.”

    The Seventh Circuit Should Follow Maryland and Find Secret, Warrantless Stingray Use Unconstitutional

    It’s now up to the Seventh Circuit to try to make sense of this argument (or maybe just to send the case back to the trial court for a new trial). If the appellate court decides to take this issue on, we hope it follows a recent Maryland appellate decision, State of Maryland v. Andrews(another case where we were amicus), where the court held unanimously that the Baltimore Police Department’s very similar secretive behavior and failure to get a search warrant before using a Stingray violated the defendant’s constitutional rights. Andrews is the first appellate decision that we know of where a court has ever looked at police use of a Stingray. We hope it sets a very persuasive precedent to all courts that secret, warrantless Stingray use violates the Fourth Amendment.

    Source: EFF and ACLU Expose Government’s Secret Stingray Use in Wisconsin Case | Electronic Frontier Foundation


    📂This entry was posted in News and Politics 📎and tagged