This American decision does not directly impact Canadians, but it highlights a frightening trend toward giving law enforcement excessive and disproportionate powers in the cyber world. It also emphasizes why lawmakers in both countries need to get in front of privacy and search issues instead of leaving matters in the hands of courts that may apply outdated precedents due to poor understanding of modern technology.
As Mark Rumold of the Electronic Frontier Foundation wrote, “the decision underscores a broader trend in these cases: courts across the country, faced with unfamiliar technology and unsympathetic defendants, are issuing decisions that threaten everyone’s rights.”
This case involves pre-trial motions filed by a defendant charged with “access with intent to view child pornograpy” and “receipt of child pornography,” both in violation of US federal law. In these motions, the defendant sought to suppress evidence and compel the government to release the full source code to their Network Investigative Technique (NIT). Absolutely nobody has sympathy for this defendant, who is still awaiting trial, and if the allegations prove true, the defendant should not be allowed to escape justice by excluding evidence obtained using a legitimate search warrant.
FBI Special Agents appear to have been doing their job investigating the online sexual exploitation of children. According to court documents, the FBI became aware of Playpen, a child pornography site operating as a hidden Tor service. The FBI executed a search warrant, assumed control of the site, and obtained judicial authorization to deploy NIT on Playpen to identify users.
The details of NIT have not been fully disclosed, but it appears to exploit a vulnerability (likely in the Tor browser) and send information to the FBI including the user’s public IP address, a unique identifier, operating system and version, host name, active username, and MAC address. With this information, the FBI used a subpoena to obtain subscriber information associated with the IP address, and subsequently obtained a search warrant for the defendant’s home.
This case, and others flowing from the Playpen investigation, raise several questions. Is it appropriate for the FBI to take over and operate a child pornograpy site as part of an investigation? Is it acceptable for a judge to issue a single warrant that allows the hacking of an unlimited number of computers worldwide? Is NIT an investigate tool or malware? If the court had simply held that the warrants obtained by the FBI were valid, and the evidence was therefore admissible, this case would not have been nearly as significant.
But instead, the judge concluded that a warrant wasn’t necessary in the first place. The relevant part of the decision begins by citing other cases that noted situations in which a person’s reasonable expectation of privacy may be diminished such as “transmissions over the Internet or email that have already arrived at the recipient.” It cites cases involving work computers and other situations in which privacy expectations may be reduced if the user is advised that system administrators may monitor communications.
The decision then discusses the increasing in hacking, including a particularly harsh poke at Apple, “In the recent past, the world has experienced unparalleled hacks. For example, terrorists can no longer rely on Apple to protect their electronically stored private data, as it has been publicly reported that the government can find alternative ways to unlock Apple users’ iPhones.” It surveys the Ashley Madison, the Panama Papers, other hacks, and concludes that hacking resembles the broken blinds in Carter:
“Just as Justice Breyer wrote in concurrence that a police officer who peers through broken blinds does not violate anyone’s Fourth Amendment rights…FBI agents who exploit a vulnerability in an online network do not violate the Fourth Amendment. Just as the area into which the officer in Carter peered – an apartment – usually is afforded Fourth Amendment protection, a computer afforded Fourth Amendment protection in other circumstances is not protected from government actors who take advantage of an easily broken system to peer into a user’s computer. People who traverse the Internet ordinarily understand the risk associated with doing so. Thus, the deployment of the NIT to capture identifying information found on [the] defendant’s computer does not represent a search under the Fourth Amendment, and no warrant was needed.”
There is an obvious flaw in the judge’s logic. Exploiting a vulnerability, essentially hacking the defendant’s computer, is not the same as peering through broken blinds. It is more like an officer breaking or bending the binds first. The front door of almost every home contains vulnerabilities. These are well known and YouTube videos of the exploits are commonly available. Locks can be picked, bypassed, or forced open with a minimal amount of training. These techniques require far less skill than developing and implementing exploit code, and like hacking another person’s computer, using these techniques to break in constitutes a crime.
Claiming that the presence of security vulnerabilities in a personal computer eliminates the owner’s expectation of privacy is as ridiculous as claiming that a person has no expectation of privacy in their own home simply because their front door lock can be picked. The ramifications of allowing law enforcement to intrude into either without a warrant are chilling. Evidence obtained with a legitimate warrant should be considered at trial, but the judge went too far when he ruled that the defendant did not possess a reasonable expectation of privacy.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…