• Tag Archives hacking
  • D.C. Circuit Court Issues Dangerous Decision for Cybersecurity: Ethiopia is Free to Spy on Americans in Their Own Homes

    The United States Court of Appeals for the District of Columbia Circuit today held that foreign governments are free to spy on, injure, or even kill Americans in their own homes–so long as they do so by remote control. The decision comes in a case called Kidane v. Ethiopia, which we filed in February 2014.

    Our client, who goes by the pseudonym Mr. Kidane, is a U.S. citizen who was born in Ethiopia and has lived here for over 30 years. In 2012 through 2013, his family home computer was attacked by malware that captured and then sent his every keystroke and Skype call to a server controlled by the Ethiopian government, likely in response to his political activity in favor of democratic reforms in Ethiopia. In a stunningly dangerous decision today, the D.C. Circuit ruled that Mr. Kidane had no legal remedy against Ethiopia for this attack, despite the fact that he was wiretapped at home in Maryland. The court held that, because the Ethiopian government hatched its plan in Ethiopia and its agents launched the attack that occurred in Maryland from outside the U.S., a law called the Foreign Sovereign Immunities Act (FSIA) prevented U.S. courts from even hearing the case.

    The decision is extremely dangerous for cybersecurity. Under it, you have no recourse under law if a foreign government that hacks into your car and drives it off the road, targets you for a drone strike, or even sends a virus to your pacemaker, as long as the government planned the attack on foreign soil. It flies in the face of the idea that Americans should always be safe in their homes, and that safety should continue even if they speak out against foreign government activity abroad.  

    Factual background

    Mr. Kidane discovered traces of state-sponsored malware called FinSpy, a sophisticated spyware product which its maker claims is sold exclusively to governments and law enforcement, on his laptop at his home in suburban Maryland. A forensic examination of his computer showed that the Ethiopian government had been recording Mr. Kidane’s Skype calls, as well as monitoring his (and his family’s) web and email usage. The spyware was launched when Kidane opened an attachment in an email. The spying began at his home in Maryland.

    The spyware then reported everything it captured back to a command and control server in Ethiopia, owned and controlled by the Ethiopian government. The infection was active from October 2012 through March 2013, and was stopped just days after researchers at the University of Toronto’s Citizen Lab released a report exposing Ethiopia’s use of FinSpy. The report specifically referenced the very IP address of the Ethiopian government server responsible for the command and control of the spyware on Mr. Kidane’s laptop.

    We strenuously disagree with the D.C. Circuit’s opinion in this case. Foreign governments should not be immune from suit for injuring Americans in their own homes and Americans should be as safe from remote controlled, malware, or robot attacks as they are from human agents. The FSIA does not require the courts to close their doors to Americans who are attacked, and the court’s strained reading of the law is just wrong. Worse still, according to the court, so long as the foreign government formed even the smallest bit of its tortious intent abroad, it’s immune from suit. We are evaluating our options for challenging this ruling.

    Source: D.C. Circuit Court Issues Dangerous Decision for Cybersecurity: Ethiopia is Free to Spy on Americans in Their Own Homes | Electronic Frontier Foundation

  • The Playpen Story: Some Fourth Amendment Basics and Law Enforcement Hacking

    It’s an old legal adage: bad facts make bad law. And the bad facts present in the Playpen prosecutions—the alleged possession and distribution of child porn, coupled with technology unfamiliar to many judges—have resulted in a number of troubling decisions concerning the Fourth Amendment’s protections in the digital age.

    As we discussed in our previous post, courts have struggled to apply traditional rules limiting government searches—specifically, the Fourth Amendment, the Constitution’s primary protection against governmental invasions of privacy—to the technology at issue in this case, in some cases finding that the Fourth Amendment offers no protection from government hacking at all. That’s a serious problem.

    In this post, we’ll do two things: explain the Fourth Amendment “events”—that is, the types of searches and seizures—that take place when the government uses malware, explain how some of the courts considering this issue have gone astray (and some have gotten it right), and what all this means for our digital rights.

    Hacks, searches, seizures, and the Fourth Amendment

    The Fourth Amendment generally prohibits warrantless law enforcement searches and seizures. A Fourth Amendment “search” occurs when the government intrudes on an area or information in which a person has a reasonable expectation of privacy. A “seizure” occurs when the government substantially interferes with a person’s property or their liberty.

    As we’ve spelled out in an amicus brief filed in a number of the Playpen prosecutions, when the government hacks into a user’s computer, a series of significant Fourth Amendment searches and seizures occur:

    Each use [of the government’s malware] caused three Fourth Amendment events to occur: (1) a seizure of the user’s computer; (2) a search of the private areas of that computer; and (3) a seizure of private information from the computer.

    First, the government’s malware “seized” the user’s computer. More specifically, the execution of the government’s code on a user’s device “meaningful[ly] interfered” with the intended operation of the software: it turned a user’s computer into a tool for law enforcement surveillance. By hacking into the user’s device, the government exercised “dominion and control” over the device. And that type of interference and control over a device constitutes a “seizure” for Fourth Amendment purposes.

    Next, the government’s code “searched” the device to locate certain specific information from the computer: the MAC address, the operating system running on the computer, and other identifying information. In this instance, where the search occurred is central to the Fourth Amendment analysis: here, the search was carried out on a user’s personal computer, likely located inside their home. Given the wealth of sensitive information on a computer and the historical constitutional protections normally afforded peoples’ homes, a personal computer located within the home represents the fundamental core of the Fourth Amendment’s protections.

    Finally, the government conducted a “seizure” when its malware copied and sent the information obtained from the user’s device over the internet and back to the FBI. (As an aside, it was sent unencrypted—but more on that in a later blog post about the evidentiary issues arising from these cases.) For its part, the government doesn’t even contest that the copying of this information is a seizure: it described that information as the “information to be seized” in the warrant.

    Law enforcement deploying malware against a user in this way should, from a constitutional perspective, be understood the same way as if the search were carried out in the physical world: a police officer physically taking a computer away, looking through it for identifying information, and writing down the information the officer finds for later use. 

    Fourth Amendment principles meet digital dissonance

    In the physical world, courts would have no problem recognizing the Fourth Amendment consequences of law enforcement physically seizing and searching a computer. Yet, the Playpen cases, and the relatively unfamiliar technology at issue in them, have complicated the application of settled Fourth Amendment law.

    Some courts have held that the Fourth Amendment was not implicated by the government’s malware, incorrectly focusing on the information obtained from the search—critically, the IP address—and not how and where the searches and seizures occurred. Those courts have relied on a separate line of cases that held that, when the government obtains an IP address from an ISP or other third party, the user lacks a reasonable expectation of privacy in the IP address, precisely because it was in the hands of a third party.

    Even if we agreed with that precedent (generally, we don’t), it has no application to the Playpen cases. The government didn’t obtain the IP address and other information from a third party: it got it directly from searching and seizing the user’s device. As one court correctly held:

    The government is not permitted to conduct a warrantless search of a place in which a defendant has a reasonable expectation of privacy simply because it intends to seize property for which the defendant does not have a reasonable expectation of privacy. For example, if [the defendant] had written his IP address [] down on a piece of paper and placed it on his desk in his home, the government would not be permitted to conduct a warrantless search of his home to obtain that IP address. The same is true here.

    As we wrote before, one court went so far as to say that the defendant had no reasonable expectation of privacy—and, thus, no Fourth Amendment protection—in a personal computer, located within a private home, because it was connected to the Internet. Personal computers inside the home should receive the greatest Fourth Amendment protection, not none at all, so it was deeply concerning to see a judge reach that conclusion.

    Essentially, that court held that software vulnerabilities are akin to broken blinds in a person’s house, which allow the government to peer in and see illegal activity—an investigative technique that, although creepy, does not require a warrant. The court held that “Government actors who take advantage of an easily broken system to peer into a user’s computer” are essentially peering in through the digital equivalent of broken blinds.

    Setting aside the difference between looking in a window from the street and actively hacking a computer, tying the protections of the Fourth Amendment to the relative strength of security measures sets a dangerous precedent. Many (if not most) physical security features, like a lock on a door, are easily defeated, yet no court would conclude that the government can warrantlessly search a home, simply because the lock could be picked.

    What these decisions mean for the law of government hacking

    There’s cause for concern about these decisions, but it’s not quite time to panic.

    The legal rules that could ultimately flow from decisions, like those described above—that the government may warrantlessly search an electronic device so long as it is only obtaining information that, in other contexts, has been disclosed to a third party; or that the government’s ability to warrantlessly search devices is checked only by their technological capacity to do so—are very bad for privacy, to say the least.

    Fortunately, the decisions so far have all been at the district court level. That means that although another court might consider the decision persuasive, the decisions do not establish legal rules that other courts or the government must follow. It will be critically important to watch these cases on appeal, though. Decisions of the federal courts of appeals and the Supreme Court are binding on other courts and the government, so the rules the Playpen cases generate on appeal will create lasting legal rules.

    Nevertheless, the cases are still creating a body of troubling decisions in an area that, until now, was relatively lightly covered in the federal courts, creating a kind of bedrock layer of precedent for government hacking. Before the Playpen prosecutions, only a handful of decisions involving government hacking existed; when these cases are all said and done, there may be a hundred. That makes it all the more critical that we get these cases right—and set the right limits on government hacking—at the outset.

    Source: The Playpen Story: Some Fourth Amendment Basics and Law Enforcement Hacking | Electronic Frontier Foundation


  • Playpen: The Story of the FBI’s Unprecedented and Illegal Hacking Operation

    In December 2014, the FBI received a tip from a foreign law enforcement agency that a Tor Hidden Service site called “Playpen” was hosting child pornography. That tip would ultimately lead to the largest known hacking operation in U.S. law enforcement history.

    The Playpen investigation—driven by the FBI’s hacking campaign—resulted in hundreds of criminal prosecutions that are currently working their way through the federal courts. The issues in these cases are technical and the alleged crimes are distasteful. As a result, relatively little attention has been paid to the significant legal questions these cases raise.

    But make no mistake: these cases are laying the foundation for the future expansion of law enforcement hacking in domestic criminal investigations, and the precedent these cases create is likely to impact the digital privacy rights of Internet users for years to come. In a series of blog posts in the coming days and weeks, we’ll explain what the legal issues are and why these cases matter to Internet users the world over.

    So how did the Playpen investigation unfold? The tip the FBI received pointed out that Playpen was misconfigured, and its actual IP address was publicly available and appeared to resolve to a location within the U.S. After some additional investigation, the FBI obtained a search warrant and seized the server hosting the site. But the FBI didn’t just shut it down. Instead, the FBI operated the site for nearly two weeks, allowing thousands of images of child pornography to be downloaded (a federal crime, which carries steep penalties). That decision, alone, has spurred serious debate.

    But it’s what happened next that could end up having a lasting impact on our digital rights.

    While the FBI was running Playpen, it began sending malware to visitors of the site, exploiting (we believe) a vulnerability in Firefox bundled in the Tor browser. The government, in an effort to downplay the intrusiveness of its technique, euphemistically calls the malware it used a “NIT”—short for “Network Investigative Technique.” The NIT copied certain identifying information from a user’s computer and sent it back to the FBI in Alexandria, Virginia. Over a thousand computers, located around the world, were searched in this way.

    As far as we are aware, this is the most extensive use of malware a U.S. law enforcement agency has ever employed in a domestic criminal investigation. And, to top it all off, all of the hacking was done on the basis of a single warrant. (You can see our FAQ here for a bit more information about the investigation.)

    As it stands now, the government has arrested and charged hundreds of suspects as a result of the investigation. Now defendants are pushing back, challenging the tenuous legal basis for the FBI’s warrant and its refusal to disclose exactly how its malware operated. Some courts have upheld the FBI’s actions in dangerous decisions that, if ultimately upheld, threaten to undermine individuals’ constitutional privacy protections in personal computers.

    The federal courts have never dealt with a set of cases like this—both in terms of the volume of prosecutions arising from a single, identical set of facts and the legal and technical issues involved. For the past few months, we’ve been working to help educate judges and attorneys about the important issues at stake in these prosecutions. And to emphasize one thing: these cases are important. Not just for those accused, but for all us.

    There are very few rules that currently govern law enforcement hacking, and the decisions being generated in these cases will likely shape those rules for years to come. These cases raise serious questions related to the Fourth Amendment, Rule 41 (an important rule of criminal procedure, which the Department of Justice is in the process of trying to change), and the government’s obligation to disclose information to criminal defendants and about vulnerabilities in widely used software products. We’ll tackle each of these issues, and others, in our series of blog posts designed to explain the FBI’s takedown of Playpen matters for all of us.

    Source: Playpen: The Story of the FBI’s Unprecedented and Illegal Hacking Operation | Electronic Frontier Foundation