FBI, Federal Judge Agree Fighting Botnets Means Allowing The FBI To Remotely Install Software On People’s Computers

by Tim Cushing, from Techdirt (#6ENH0)

The ends aren't always supposed to justify the means. And a federal agency that already raised the hackles of defense lawyers around the nation during a CSAM investigation probably shouldn't be in this much of a hurry to start sending out unsolicited software to unknowing recipients.

But that's the way things work now. Thanks to the DOJ-propelled push to loosen Rule 41's jurisdiction limits (the 2016 amendment that added Rule 41(b)(6), which lets a single magistrate authorize remote access to computers outside the district, and, in botnet investigations, to damaged computers located in five or more districts), the FBI is now able to infect computers anywhere in the United States using a single warrant. The "Playpen" case, in which the FBI's software was used to obtain information about users and devices visiting a seized (but still live) dark web CSAM site, actually predated that amendment: it ran on a single warrant that reached far outside the issuing district, which is exactly what drew the challenges from defense lawyers.

Several years later, the absence of jurisdiction limits was put to a use that benefited even innocent computer users: the FBI secured a single warrant authorizing it to send its botnet-battling software to computers all over the nation, resulting in the disinfection of thousands of computers.

And while this all seems like a net positive for US computer users, the underlying facts are a bit more worrying: judges will allow the FBI to place its software on any user's computer at any time, provided it can convince a court the end result will be something other than a massive number of privacy violations.

It's inarguable that disrupting botnets is a public good. But is it inarguable that disruption should occur by any means necessary, or, at least, by any means convenient? The disruption of another botnet has been achieved with the assistance of the FBI, a federal judge, and some government software deployed, without notification, to an unknown number of infected devices.

The FBI quietly wiped malicious programs from more than 700,000 computers around the world in recent days, the agency said Tuesday, part of an operation to take down a major component of the cybercrime ecosystem.

[...]

The FBI got a court's permission to proceed with the operation on Aug. 21, according to a copy of the warrant. Agents proceeded to hack into Qakbot's central computer infrastructure four days later, the FBI announced, and forced it to tell the computers in its botnet to stop listening to Qakbot.

An unnamed "FBI source" added this:

Victims will not be notified that their devices had been fixed or that they had ever been compromised, he said.

All of that was accomplished with a five-page warrant [PDF] that doesn't have much to say about the probable cause justifying this intrusion into users' computers. The warrant authorized the FBI to, in effect, "search" every computer it sent its software to.

PROPERTY TO BE SEARCHED
This warrant applies to the electronic storage media contained in victim computers located in the United States onto which malicious cyber actors have installed, without authorization, the Qakbot malware, and which computers are in communication with the Qakbot botnet infrastructure.

What's not immediately clear is how the FBI determined which computers were infected before it acted. Attachment A defines the targets only by their behavior: computers "in communication with the Qakbot botnet infrastructure." Read alongside the NBC account, that means the FBI didn't start from a list of infected machines. It authorized an intrusion into every computer that checked in to infrastructure the FBI had taken over, with infections determined in the course of the mass search rather than ahead of it.

The warrant says "remote access techniques" may be used:

To search the electronic storage media identified in Attachment A [PROPERTY TO BE SEARCHED, as shown above] and to seize or copy from those media any electronically stored information, such as encryption keys and server lists, used by the administrators of the Qakbot botnet to communicate with computers that are part of the Qakbot botnet infrastructure; and

To search the electronic storage media identified in Attachment A and to seize or copy from those media any electronically stored information, such as IP addresses and routing information, necessary to determine whether any digital device identified in Attachment A continues to be controlled by the Qakbot administrators after the seizure or copying of the electronically stored information identified in Paragraph 1.

At first glance, it might appear that the FBI limited its software deployment to known infected devices. But that's clearly not the case, as the NBC report quoted above makes clear. Here are the facts again, given a bit more weight now that we have the FBI's RAT warrant in hand:

The FBI got a court's permission to proceed with the operation on Aug. 21, according to a copy of the warrant. Agents proceeded to hack into Qakbot's central computer infrastructure four days later, the FBI announced...

So, odds are the FBI didn't know which computers were infected when it obtained permission to deploy its "remote access technique." The warrant was signed four days before agents hacked the Qakbot infrastructure, and that hack is the step that produced the list of devices. In other words, the FBI was given permission to "search" a set of computers it could not yet name, with the only limiting factor (communication with infrastructure the FBI now controlled) materializing after the warrant was already in hand.

The only mitigating factor is the last paragraph of the approved warrant. And that's only mitigating if you believe the FBI would not use this opportunity to sniff around for other things it might be interested in.

This warrant does not authorize the seizure of any tangible property. Except as provided in the accompanying affidavit and in Paragraphs 1 and 2, this warrant does not authorize the seizure or copying of any content from the electronic storage media identified in Attachment A or the alteration of the functionality of the electronic storage media identified in Attachment A.

All this means is that the court trusts the FBI not to abuse this access. And it forces all of us to operate by the same questionable standard, since the FBI has made it clear it is neither willing nor legally obligated to inform computer users that their computers were compromised by FBI software, however briefly or usefully.

That lack of disclosure will make it almost impossible to challenge evidence of other criminal activity that might have been obtained during this mass search. It also means users can't double-check the FBI's work by confirming their devices are free of both the botnet infection and the FBI's software.

And there's a very good chance the FBI handled this all honestly and decently and actually performed a useful public service. The point is that there are now court-accepted mechanisms in place that would easily allow the FBI to engage in activities far more abusive of people's rights, without much worry about judicial oversight and without the victims of a questionable spyware deployment ever finding out they were targeted during FBI activity ostensibly meant to take down a botnet.

Source: Techdirt (https://www.techdirt.com/), RSS feed https://www.techdirt.com/techdirt_rss.xml