Nmedia - Fotolia
A new federal court ruling has found the FBI's investigative use of hacking violates the Fourth Amendment, but not all courts agree, so experts are unsure if a precedent has been set.
A number of cases arose from the FBI's use of its Network Investigative Technique (NIT) to hack thousands of computers, which had accessed a deep web site hosting child pornography via the anonymous Tor network. The question is whether law enforcement hacking constitutes search as defined by the Fourth Amendment, because the FBI only had one warrant issued in Virginia to cover thousands of computers from various locations.
David Alan Ezra, senior district judge for the United States District Court for the Western District of Texas, San Antonio Division, ruled using malware to hack someone's computer does indeed fall under the definition of search.
"Here, the NIT placed code on Mr. [Jeffrey Jerry] Torres' computer without his permission, causing it to transmit his IP address and other identifying data to the government," Ezra wrote in his ruling. "That Mr. Torres did not have a reasonable expectation of privacy in his IP address is of no import. This was unquestionably a 'search' for Fourth Amendment purposes."
Other recent court rulings have gone the other way and determined law enforcement hacking does not require a warrant because people do not have a reasonable expectation of privacy in their computers.
Amie Stepanovich, U.S. policy manager at Access Now, based in New York, said there's a long way to go before this issue is resolved in court.
"Several judges right now are considering cases stemming from a single warrant issued in Virginia to allow the Federal Bureau of Investigation to essentially insert malware on any computer that visited a specific website," Stepanovich told SearchSecurity. "The jurisdictional splits being created by these cases are likely to be appealed and may even make it up to the Supreme Court on any one or more of the issues that are being challenged -- from jurisdiction to constitutionality."
Ezra said Congress needed to clarify the issue.
"The instant NIT warrant has brought to light the need for congressional clarification regarding a magistrate's authority to issue a warrant in the internet age, where the location of criminal activity is obscured through the use of sophisticated systems of servers designed to mask a user's identity," Ezra wrote.
Riana Pfefferkorn, cryptography fellow at the Stanford Center for Internet and Society, said the issue could be resolved by Congress first with the decision on "a pending change to Rule 41 of the Federal Rules of Criminal Procedure, which governs the issuance of search and seizure warrants by federal judges."
"The rule change would expressly authorize law enforcement to get 'a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information,'" Pfefferkorn told SearchSecurity.
The change to Rule 41 has been approved by the Supreme Court, but Pfefferkorn said it faces opposition in Congress. "Sen. Ron Wyden has introduced a bill that would stop this change from going into effect, which it will on Dec. 1, unless Congress acts to stop it. If it does go into effect, the Texas court's ruling will be superfluous because the revised rule expressly authorizes government hacking like this and says it is a search."
Stepanovich said Congress needs to go beyond just deciding on the changes to Rule 41.
"These changes to Rule 41 will ostensibly remove procedural hurdles to government hacking, but, unless stopped, [they] will also provide evidence to argue for congressional approval of invasive hacking operations that Congress has never authorized," Stepanovich said. "Congress should block these changes and instead hold hearings on the extent that hacking should be permissible by law enforcement entities, and if they choose to authorize it, should pass a law doing so and providing substantial protections and safeguards."
Find out about the Tor vulnerability the FBI was asked to disclose.
Get info on the Stingray rules requiring a warrant to track mobile phones.