For a long time, the FBI has been refining its ability to get inside your computer whenever it thinks you might be breaking the law. But this week a Texas judge put his foot down, denying the agency a search and seizure warrant that would have allowed them to break into an unknown suspect’s computer system and secretly install malware that steals data and monitors activities.
It’s a rare but not unprecedented situation that casts law enforcement in a light strikingly similar to the hackers it’s normally hell-bent on pursuing. After deploying the payload, the FBI would be able to record keystrokes, read emails, and even take pictures from an attached webcam for a period of 30 days — the last part being somewhat ironic, considering that the FBI has warned about the possibility of criminals using the same tactic.
FBI provided "little more than vague assurances" to protect privacy
In the Wall Street Journal, Jennifer Valentino-DeVries reports the "offensive" cybersecurity measures were being requested to pursue a case of fraud and identity theft that seemed to originate from a Texas bank account. The computer, according to the court documents, was targeted because it used an email address similar to the one on the account.
But Federal Magistrate judge Steven Smith said the FBI didn’t give any information on exactly how they’d be deploying the spyware, and provided "little more than vague assurances" that it would be able to minimize the amount of data collected from innocent people in the process. And since the identity of the suspect and the location of the computer are both unknown, there also existed the possibility that the FBI might be hacking an innocent stranger whose computer has already been compromised by the culprit.
Law enforcement's use of such tools is not without precedent. First discovered in 2001, a spyware package called Magic Lantern has been used by the FBI for remote monitoring, reportedly delivered as an email attachment. And in Germany, a flawed piece of spyware engineered by the German government that opened remote backdoor access was famously reverse-engineered and exposed in 2011 by the renowned hacker group Chaos Computer Club.
So under what circumstances can the FBI install malware on your computer? The US Department of Justice is still mum on the issue, but privacy advocates are hoping the judge’s recent decision means we’ll have answers soon.
FBI emails mention that "one might arguably not be required" to obtain a warrant to remotely install spyware
"I think what's unique now is that this is really one of the first times we've seen a federal judge publicly deny one of these requests," says Hanni Fakhoury, a staff attorney for the Electronic Frontier Foundation. Two years ago, the EFF obtained FBI emails discussing the use of a "web bug" called the "Computer and Internet Protocol Address Verifier" (CIPAV), which was notably used in 2007 to track down a Seattle teen who had issued bomb threats at a nearby high school. Those emails mention that "one might arguably not be required" to obtain a warrant to remotely install the spyware, citing a "trespasser exception."
Since then, an amended court opinion has suggested that warrants are indeed required for spyware deployment to take place. But being as how most of these government requests are kept under wraps, it will be difficult to know for certain until the Justice Department provides clear guidelines. For now, at least one judge has decided that while it's not outside the realm of possibility, the FBI's use of such invasive tactics needs to be much more focused to avoid endangering privacy.