The US Supreme Court on Thursday approved a rule that allows US judges to issue search warrants in any jurisdiction.
The ruling can still be modified or rejected until December 1, 2016. However, this option is rarely exercised, especially in an election year.
The US Justice Department has been pushing for this ruling since 2013 and described it as a minor modification to bring the criminal code into a modern era of technology. However, both Google and US civil liberties groups are saying that this would expand police powers, allowing them to conduct mass hacks on computer networks.
In October 2014, the American Civil Liberties Union (ACLU) argued that the
“changes raised a myriad of technological, policy, and constitutional concerns, and that if Congress decided that remote access searches in the situations covered by the proposed amendment were to be permitted, the ACLU would recommend a set of restrictions to mitigate its concerns.”
Those restrictions were as follows:
- Require a Title III order for any remote access search that collects information on an ongoing basis or forces a target’s device to generate or collect new data (such as by turning on a computer’s webcam or microphone);
- Only permit the use of malware against specific and particularly described persons. Watering hole attacks, mainly when performed against sites that share computing resources with other innocent websites, present significant public policy and legal issues which make such attacks problematic;
- Require that the government make explicit in warrant applications that it intends to conduct a remote access search using malware and that it will exploit security vulnerabilities in the software on the target’s device to do so, and require the government to describe in detail how the malware will work, how many computers it will affect, how long it will remain installed on those computers, what code will stay on those computers indefinitely, the extent to which there may be irreversible changes or damage to devices, the degree to which insertion of the malware requires the assistance of a third party service provider, what impact there will be on the security of computers of targets and non-target third parties, whether it is reasonably foreseeable that government malware could malfunction, target the wrong people, or fall into the wrong hands, what technical experts have been consulted prior to submission of the application, and the basis for the determinations made with regards to the issues above;
- Prohibit the impersonation of third parties by law enforcement agencies in their efforts to deliver malware to targets, unless those third parties provide informed consent in writing;
- Require that any assistance of a service provider in providing the malware be consensual or explicitly requested by the warrant;
- Require law enforcement malware to include identifying markings in the computer code, such that if the code is subsequently discovered by security researchers, they will know whom to contact if, for example, the malware malfunctions, spreads, or ends up on the computers of non-suspects;
- Prohibit the use by law enforcement of zero-day exploits in general-use software and hardware; and
- Prohibit the approval of warrants in which there is a reasonable likelihood that execution of the warrant will result in damage to third parties who are not the intended law enforcement target.
Democratic Senator Ron Wyden of Oregon thinks there will be “significant consequences for Americans’ privacy”. Wyden went on to say that, “Under the proposed rules, the government would now be able to obtain a single warrant to access and search thousands or millions of computers at once; and the majority of the affected computers would belong to the victims, not the perpetrators, of a cybercrime”.
This hasn’t brought about as much media attention as the FBI’s efforts to have Apple unlock their smartphones. However, this ruling, if passed, is equally disturbing with respect to the additional broad powers of search that police would have.
The US government should proceed with caution. This ruling would significantly expand the police's authority to conduct searches that raise troubling and wide-ranging constitutional, statutory, and policy questions.
The ruling could allow police to remotely search many people’s computers using a single warrant, often without particularly describing those computers or demonstrating probable cause as to their owners or users. It’s my understanding that a warrant that does not particularly describe the place to be searched and things to be seized is normally invalid.
Civil liberties groups argue that authorizing the kinds of remote access searches that the government seeks to conduct threatens to violate the Fourth Amendment’s particularity and probable cause requirements in several ways.
The problem with this ruling is that if the police configure a website or server to deliver malware to the computer of every person who visits it (a watering hole attack), they will likely end up searching the computers of people whom they cannot particularly identify or describe and as to whom they lack probable cause - for example, members of the press, researchers, policymakers, and attorneys regularly visit websites associated with terrorist groups, cyber-criminals, and drug dealers.
If police were given authority to install malware on the computers of all visitors to these and other types of websites, the government would undoubtedly end up searching the computers of innocent people who are not engaged in any crime, who have a perfectly valid reason to have visited the site, and as to whom there is no probable cause.
A Justice Department spokesman said that this was necessary because criminals are using “anonymizing” technologies to conceal their digital footprint from authorities.