• Tag Archives 4th Amendment

  • What to Do About Lawless Government Hacking and the Weakening of Digital Security

    Posted on by Azrael 1 Comment

    In our society, the rule of law sets limits on what government can and cannot do, no matter how important its goals. To give a simple example, even when chasing a fleeing murder suspect, the police have a duty not to endanger bystanders. The government should pay the same care to our safety in pursuing threats online, but right now we don’t have clear, enforceable rules for government activities like hacking and “digital sabotage.” And this is no abstract question—these actions increasingly endanger everyone’s security.

    The problem became especially clear this year during the San Bernardino case, involving the FBI’s demand that Apple rewrite its iOS operating system to defeat security features on a locked iPhone. Ultimately the FBI exploited an existing vulnerability in iOS and accessed the contents of the phone with the help of an “outside party.” Then, with no public process or discussion of the tradeoffs involved, the government refused to tell Apple about the flaw.Despite the obvious fact that the security of the computers and networks we all use is both collective and interwoven—other iPhones used by millions of innocent people presumably have the same vulnerability—the government chose to withhold information Apple could have used to improve the security of its phones.

    Other examples include intelligence activities like Stuxnet and Bullrun, and law enforcement investigations like the FBI’s mass use of malware against Tor users engaged in criminal behavior. These activities are often disproportionate to stopping legitimate threats, resulting in unpatched software for millions of innocent users, overbroad surveillance, and other collateral effects. 

    That’s why we’re working on a positive agenda to confront governmental threats to digital security. Put more directly, we’re calling on lawyers, advocates, technologists, and the public to demand a public discussion of whether, when, and how governments can be empowered to break into our computers, phones, and other devices; sabotage and subvert basic security protocols; and stockpile and exploit software flaws and vulnerabilities.  

    Smart people in academia and elsewhere have been thinking and writing about these issues for years. But it’s time to take the next step and make clear, public rules that carry the force of law to ensure that the government weighs the tradeoffs and reaches the right decisions.

    This long post outlines some of the things that can be done. It frames the issue, then describes some of the key areas where EFF is already pursuing this agenda—in particular formalizing the rules for disclosing vulnerabilities and setting out narrow limits for the use of government malware. Finally it lays out where we think the debate should go from here.

    Recognizing That Government Intrusion and Subversion of Digital Security Is a Single Issue

    The first step is to understand a wide range of government activities as part of one larger threat to security. We see the U.S. government attempt to justify and compartmentalize its efforts with terms like “lawful hacking” and “computer network attack.” It is easy for the government to argue that the FBI’s attempts to subvert the security of Apple iOS in the San Bernardino case are entirely unrelated to the NSA’s apparent sabotage of the Dual_EC_DRBG algorithm. Likewise, the intelligence community’s development of the Stuxnet worm to target the Iranian nuclear program was governed by a set of rules entirely separate from the FBI’s use of malware to target criminals using Tor hidden services.

    These activities are carried out by different agencies with different missions. But viewing them as separate—or allowing government to present it that way—misses the forest for the trees. When a government takes a step to create, acquire, stockpile or exploit weaknesses in digital security, it risks making us all less safe by failing to bolster that security.

    Each of these techniques should involve consideration of the tradeoffs involved, and none of them should be viewed as risk-free to the public. They require oversight and clear rules for usage, including consideration of the safety of innocent users of affected technologies.

    There is hope, albeit indirectly. In the United States, high-ranking government officials have acknowledged that “cyber threats” are the highest priority, and that we should be strengthening our digital security rather weakening it to facilitate government access. In some cases, this is apparently reflected in government policy. For instance, in explaining the government’s policy on software vulnerabilities, the cybersecurity coordinator for the White House and the Office of the Director of National Intelligence have both stated in blog posts that the there is a “strong presumption” in favor of disclosing these vulnerabilities to the public so they can be fixed.

    But the government shouldn’t engage in “policy by blog post.” Government action that actively sabotages or even collaterally undermines digital security is too important to be left open to executive whim.

    Finding Models for Transparency and Limits on When Government Can Harm Digital Security

    While government hacking and other activities that have security implications for the rest of us are not new, they are usually secret. We should demand more transparency and real, enforceable rules.

    Fortunately, this isn’t the first time that new techniques have required balancing public safety along with other values. Traditional surveillance law gives us models to draw from. The Supreme Court’s 1967 decision in Berger v. New York is a landmark recognition that electronic wiretapping presents a significant danger to civil liberties. The Court held that because wiretapping is both invasive and surreptitious, the Fourth Amendment required “precise and discriminate” limits on its use.

    Congress added considerable structure to the Berger Court’s pronouncements with the Wiretap Act, first passed as Title III of the Omnibus Crime Control and Safe Streets Act of 1968. First, Title III places a high bar for applications to engage in wiretapping, so that it is more of an exception than a rule, to be used only in serious cases. Second, it imposes strict limits on using the fruits of surveillance, and third, it requires that the public be informed on a yearly basis about the number and type of government wiretaps.

    Other statutes concerned with classified information also find ways of informing the public while maintaining basic secrecy. For example, the USA Freedom Act, passed in 2015 to reform the intelligence community, requires that significant decisions of the FISA Court either be published in redacted form or be summarized in enough detail to be understood by the public.

    These principles provide a roadmap that can be used to prevent government from unnecessarily undermining our digital security. Here are a few areas where EFF is working to craft these new rules:

    Item 1: Rules for When Government Stockpiles Vulnerabilities

    It’s no secret that governments look for vulnerabilities in computers and software that they can exploit for a range of intelligence and surveillance purposes. The Stuxnet worm, which was notable for causing physical or “kinetic” damage to its targets, relied on several previously unknown vulnerabilities, or “zero days,” in Windows. Similarly, the FBI relied on a third party’s knowledge of a vulnerability in iOS to access the contents of the iPhone in the San Bernardino case.

    News reports suggest that many governments—including the U.S.—collect these vulnerabilities for future use. The problem is that if a vulnerability has been discovered, it is likely that other actors will also find out about it, meaning the same vulnerability may be exploited by malicious third parties, ranging from nation-state adversaries to simple thieves. This is only exacerbated by the practice of selling vulnerabilities to multiple buyers, sometimes even multiple agencies within a single government.

    Thanks to a FOIA suit by EFF, we have seen the U.S. government’s internal policy on how to decide whether to retain or disclose a zero day, the Vulnerabilities Equities Process (VEP). Unfortunately, the VEP is not a model of clarity, setting out a bureaucratic process without any substantive guidelines in favor of disclosure, More concerning, we’ve seen no evidence of how the VEP actually functions. As a result, we have no confidence that the government discloses vulnerabilities as often as claimed. The lack of transparency fuels an ongoing divide between technologists and the government.

    A report published in June by two ex-government officials—relying heavily on the document from EFF’s lawsuit—offers a number of helpful recommendations for improving the government’s credibility and fueling transparency.

    These proposals serve as an excellent starting point for legislation that would create a Vulnerabilities Equities Process with the force of law, formalizing and enforcing a presumption in favor of disclosure. VEP legislation should also:

    • Mandate periodic reconsideration of any decision to retain a vulnerability;
    • Require the government to publish the criteria used to decide whether to disclose;
    • Require regular reports to summarize the process and give aggregate numbers of vulnerabilities retained and disclosed in a given period;
    • Preclude contractual agreements that sidestep the VEP, as in the San Bernardino case, where the FBI apparently signed a form of non-disclosure agreement with the “outside party.” The government should not be allowed to enter such agreements, because when the government buys a zero day, we should not have to worry about defending ourselves from a hostile state exploiting the same vulnerability. If tax dollars are going to be used to buy and exploit vulnerabilities, the government should also eventually use them to patch the security of affected systems, with benefits to all.

    Above all, formalizing the VEP will go a long way to reassuring the public, especially members of the technology industry, that the U.S. government takes its commitment to strengthening digital security seriously.

    Item 2:  Preventing Disproportionate Use of Government Malware and Global Hacking Warrants

    EFF has also long been concerned about state-sponsored malware. It’s at the heart of our suit against the government of Ethiopia. Even in the United States, when the government seeks court permission to use malware to track and surveil suspects over the Internet, it can endanger innocent users as well as general network security.

    A particularly egregious example is the Playpen case, involving an FBI investigation into a Tor hidden service that hosted large amounts of child pornography. The FBI seized the site’s server and operated it as a honey pot for visitors. A single warrant authorized the FBI to install malware on any and all visitors’ computers in order to breach the anonymity otherwise provided by Tor. By not specifying particular users—even though the list of users and logs of their activity was available to the FBI—the warrant totally failed to satisfy the Fourth Amendment requirement that warrants particularly describe persons and places to be searched.

    What’s more, the FBI asked the court to trust that it would operate its malware safely, without accidentally infecting innocent users or causing other collateral damage. Once defendants began to be charged in these cases, the government staunchly refused to turn over certain information about how the malware operated to the defense, even under seal, arguing that it would compromise other operations. As a result, defendants are left unable to exercise their right to challenge the evidence against them. And of course, anyone else whose computer is vulnerable to the same exploit remains at risk.

    In these cases, the FBI flouted existing rules: the Playpen warrant violated both the Fourth Amendment and Rule 41 of the Federal Rules of Criminal Procedure. Other cases have involved similarly overboard uses of malware. EFF has been working to explain the danger of this activity to courts, asking them to apply Fourth Amendment precedent and require that the FBI confront serious threats like Playpen in a constitutional manner. We have also been leaders of a coalition to stop an impending change that would loosen the standards for warrants under Rule 41 and make it easier for the FBI to remotely hack users all over the world.

    Item 3:  A “Title III for Hacking”

    Given the dangers posed by government malware, the public would likely be better served by the enactment of affirmative rules, something like a “Title III for Hacking.” The legislative process should involve significant engagement with technical experts, soliciting a range of opinions about whether the government can ever use malware safely and if so, how. Drawing from Title III, the law should:

    • Require that the government not use invasive malware when more traditional methods would suffice or when the threats being addressed are relatively insignificant;
    • Establish strict minimization requirements, so that the targets of hacking are identified with as much specificity as the government can possibly provide;
    • Include public reporting requirements so that the public has a sense of the scope of hacking operations; and
    • Mandate a consideration of the possible collateral effects—on individuals and the public interest as a whole—on the decision to unleash malware that takes advantages of known or unknown vulnerabilities. Even if the VEP itself does not encompass publicly known vulnerabilities (“N-days”), using remote exploits should impose an additional requirement on the government to mitigate collateral damage, through disclosure and/or notice to affected individuals.

    The same principles should apply to domestic law enforcement activities and foreign intelligence activities overseen by the FISA Court or conducted under the guidelines of Executive Order 12333.

    Of course, these sorts of changes will not happen overnight. But digital security is an issue that affects everyone, and it’s time that we amplify the public’s voice on these issues. We’ve created a single page that tracks our work as we fight in court and pursue broader public conversation and debate in the hopes of changing government practices of sabotaging digital security. We hope you join us.

    Source: What to Do About Lawless Government Hacking and the Weakening of Digital Security | Electronic Frontier Foundation


    📂This entry was posted in News and Politics 📎and tagged

  • Federal Court: The Fourth Amendment Does Not Protect Your Home Computer

    Posted on by Azrael Comment

    In a dangerously flawed decision unsealed today, a federal district court in Virginia ruled that a criminal defendant has no “reasonable expectation of privacy” in his personal computer, located inside his home. According to the court, the federal government does not need a warrant to hack into an individual’s computer.

    This decision is the latest in, and perhaps the culmination of, a series of troubling decisions in prosecutions stemming from the FBI’s investigation of Playpen—a Tor hidden services site hosting child pornography. The FBI seized the server hosting the site in 2014, but continued to operate the site and serve malware to thousands of visitors that logged into the site. The malware located certain identifying information (e.g., MAC address, operating system, the computer’s “Host name”; etc) on the attacked computer and sent that information back to the FBI.  There are hundreds of prosecutions, pending across the country, stemming from this investigation.

    Courts overseeing these cases have struggled to apply traditional rules of criminal procedure and constitutional law to the technology at issue. Recognizing this, we’ve been participating as amicus to educate judges on the significant legal issues these cases present. In fact, EFF filed an amicus brief in this very case, arguing that the FBI’s investigation ran afoul of the Fourth Amendment. The brief, unfortunately, did not have the intended effect.

    The implications for the decision, if upheld, are staggering: law enforcement would be free to remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all. To say the least, the decision is bad news for privacy. But it’s also incorrect as a matter of law, and we expect there is little chance it would hold up on appeal. (It also was not the central component of the judge’s decision, which also diminishes the likelihood that it will become reliable precedent.)

    But the decision underscores a broader trend in these cases: courts across the country, faced with unfamiliar technology and unsympathetic defendants, are issuing decisions that threaten everyone’s rights. As hundreds of these cases work their way through the federal court system, we’ll be keeping a careful eye on these decisions, developing resources to help educate the defense bar, and doing all we can to ensure that the Fourth Amendment’s protections for our electronic devices aren’t eroded further. We’ll be writing more about these cases in the upcoming days, too, so be sure to check back in for an in-depth look at the of the legal issues in these cases, and the problems with the way the FBI handled its investigation.

    Source: Federal Court: The Fourth Amendment Does Not Protect Your Home Computer | Electronic Frontier Foundation


    📂This entry was posted in News and Politics 📎and tagged

  • FBI pushes for more power to crush your privacy

    Posted on by Azrael Comment

    With a treasure trove of digital information tantalizingly within reach, the FBI doesn’t want to be slowed down by inconveniences like Fourth Amendment protections. So frustrated is FBI chief James Comey by constitutional limits that he told the Senate Intelligence Committee that the FBI’s difficulty in getting its hands on Americans’ online communications resulted from a “typo” in the law that should be changed. He may get his wish.

    That pesky Fourth Amendment

    Comey’s campaign against encryption may have stalled, but his push to expand the agency’s use of warrantless searches got a couple of assists recently. The FBI uses an extraordinary search procedure known as National Security Letters (NSLs) to obtain Americans’ bank and phone records without a court order. NSLs not only compel companies to provide the information, they come with gag orders that forbid companies from disclosing the requests. Talk about a process ripe for abuse.

    Various aspects of NSLs have been ruled unconstitutional, but still they persist. The Electronic Frontier Foundation and other civil rights groups have fought for years to spread awareness about the boom in NSL searches and push for greater accountability and oversight of the process. “NSLs have a sordid history. They’ve been abused in a number of ways, including … targeting of journalists,” Andrew Crocker, staff attorney for the EFF, told The Intercept.

    But the Senate Intelligence Committee last week passed a bill that would expandtheir reach. A provision in the 2017 Intelligence Authorization Act would allow the FBI to use NSLs to obtain “electronic communication transactional records” — one of those deliciously vague terms that could include email subject lines and metadata, Web browsing histories, and more.

    The lone dissenting committee vote against the bill came from Oregon Senator Ron Wyden. The bill’s NSL provision “takes a hatchet to important protections for Americans’ liberty,” Wyden said after the vote. “This bill would mean more government surveillance of Americans, less due process, and less independent oversight of U.S. intelligence agencies. Worse, neither the intelligence agencies nor the bill’s sponsors have shown any evidence that these changes would do anything to make Americans more secure.”

    You say reform, I say surveillance

    Meanwhile, Senate Majority Whip John Cornyn has inserted a similar NSL-expansion provision into — ironically — a bill aimed at amending the Electronic Communications Privacy Act (ECPA) to incorporate more protections for electronic communications. When the law was written in 1986, few people used email or cloud computing, and such communications were considered “abandoned” after 180 days. The Email Privacy Act would require the government to obtain warrants before forcing tech companies to turn over these older emails stored in the cloud.

    The House of Representatives passed a companion bill by a unanimous vote, but this and other amendments to the Senate bill seem intended to act as a poison pill to prevent reform of the ECPA.

    “If [the NSL provision] is added to ECPA, it’ll kill the bill,” Gabe Rottman, deputy director of the Center for Democracy and Technology’s freedom, security, and technology project, told The Intercept. “If it passes independently, it’ll create a gaping loophole. Either way, it’s a big problem and a massive expansion of government surveillance authority.”

    Party like it’s “Nineteen Eighty-Four”

    The prospect of Big Brother pawing through all of our electronic activities has understandably made many a tad paranoid. But as Joseph Heller said, “Just because you’re paranoid doesn’t mean they aren’t after you.” A recent study from Oxford University found that Edward Snowden’s revelations about government surveillance has had a “chilling effect” on Americans’ Internet habits, including a 20 percent decline in page views on Wikipedia articles related to terrorism.

    “This is measuring regular people who are being spooked by the idea of government surveillance online,” researcher Jon Penney told the Washington Post. “You want to have informed citizens. If people are spooked or deterred from learning about important policy matters like terrorism and national security, this is a real threat to proper democratic debate.”

    Desirable or not, it’s possible to change our online habits to avoid government surveillance. Changing our biometric markers? Not so much (sorry, writers of “Face/Off“). And since 2008 the FBI has assembled a massive database of Americans’ biometric information called Next Generation Identification (NGI), which has more than 100 million individual records that include fingerprints, facial recognition, iris scans, and palm prints from 52 million-plus people.

    All of this data was collected not only during arrests, but from millions of Americans for noncriminal reasons like background checks and state licensing requirements. As the EFF notes, some states require your prints if you want to be a dentist, accountant, teacher, geologist, realtor, lawyer, or even an optometrist. And all jobs with the federal government — not only those with security clearances — require a fingerprint check, even part-time food service workers, student interns, and maintenance workers, as well as everyone who has served in any capacity in the military.

    “While federal officials and law enforcement hail the NGI program as a futuristic way to track terrorists and criminals, others have been notably less enthusiastic,”International Business Times reports. “In the name of security and public safety, many advocates say the U.S. government is increasing its surveillance, through programs like NGI, on everyday citizens who have done nothing wrong.”

    Building the Eye of Sauron

    Now the FBI wants to exempt this creepy collection of personal data from the federal Privacy Act, which guarantees basic protections such as allowing individuals to view their own records — even though, as Breitbart notes, there have been complaints about the database’s accuracy, with false positives generated 20 percent of the time.

    “If you have no ability to access the record the FBI has on you, even when you’re not part of an investigation or under investigation, and lo and behold inaccurate information forms a ‘pattern of activity’ that then subjects you to [be] the focus of the FBI, then that’s a problem,” noted Jeramie Scott of the Electronic Privacy Information Center, a digital civil liberties group.

    Source: FBI pushes for more power to crush your privacy | InfoWorld


    📂This entry was posted in News and Politics 📎and tagged