DOJ Cellphone Privacy, Remote Hacking Lines Still Blurry  

Cellphone Privacy and Remote Hacking Policies Remain Blurry Areas

DOJ and civil liberties community don't yet see eye-to-eye on these issues.

LAS VEGAS — The government’s ability to access a citizen’s cellphone data, remotely search a computer or override certain privacy laws are evolving with the pace of technology, and where and how data is stored. But controversy remains, and even a Supreme Court ruling doesn’t give precise clarity into the future.

Take the Supreme Court case Carpenter v. United States. It questioned whether the government’s access into Timothy Carpenter’s historical cellphone location records from his wireless carrier without a warrant violated the Fourth Amendment. On June 22, the court ruled this was, indeed, a violation of the person’s “legitimate expectation of privacy in the record of his physical movements,” and said this requires a warrant.

In other words, citizens have the expectation of privacy of their physical movements.

And this was a significant decision, according to attorney Jennifer Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union.

“Almost everything we do today is stored in the cloud," she said in an Aug. 8 panel at Black Hat. "And the government’s argument for years has been . . . if you have information that is in the hands of third parties, it’s not private, not protected by the Fourth Amendment."

According to Granick, the recognition that this information is protected by the Fourth Amendment has broader potential implications, further than just cellphone location data. Going forward, the question will be about the level of protection this information receives on a case-by-case basis, rather than on a type-of-information basis.

“This is the beginning of the end of the free-for-all that the government has enjoyed in the past decade or so,” Granick said.

But for Leonard Bailey, special counsel for national security at the Justice Department, it’s a bit more complex.

“The problem, I think, you’ll see is we’re not sure how to apply this decision,” he said, speaking on the panel with Granick. Is the case based on location information or cellphones, he asked, and will people come back to the decision with another piece of technology it could relate to?

“It’s where the ability to use [the decision] perspectively to condition law enforcement, investigators’ conduct, is not so great,” Bailey added, “because we’re not quite sure what the case actually means.”

To which Granick responded, “the downside of not knowing what the case means is get a warrant.”

Another area of controversy between the government and civil liberties community: government-mandated remote search of computers.

This refers to an amendment to Search and Seizure Rule 41 of the Federal Rules of Criminal Procedure, which took effect Dec. 1, 2016. Ultimately, the changes allow a judge to consider warrants for certain remote searches.

Rule 41 dictates how and when the government can get a warrant to search or seize property. Prior to the amendment, it required federal agents to file and obtain a warrant from the court in the district in which the search would take place.

But that’s difficult to do when an extortionist, for example, is using anonymizing technology and is threatening a company. Now, Bailey said federal agents can craft an email with an attachment once opened by the extortionist would conduct some activity on his or her computer to provide federal agents with information to help identify or track the extortionist. Otherwise, they wouldn’t know where the search were to happen.

The ability to obtain a warrant to conduct a remote search of a computer comes from this amendment. It allows federal agents to file for a warrant where the criminal conduct related to the offense was committed, rather than where the search will be conducted.

It also allows judges to issue warrants that allow federal law enforcement agencies to use remote access tools, such as proxy servers, to access computers outside the jurisdiction in which the warrant was granted. So, if the location is concealed through technological means, agents can apply for a search warrant and use the tools needed to discover where the suspect’s computer is.

And if the crime involves criminals hacking computers in five or more different judicial restrictions, the second part of the amendment allows federal agents to identify one judge to review the application for a search warrant for them all, rather than submitting separate warrants for each location. This is particularly helpful in global botnet takedown efforts, Bailey said.

Granick said the civil liberties community has many concerns over the Rule 41 changes. Underneath why the government has interest in these abilities is “the assumption . . . that the government should be doing remote searching of computers,” she said, “and if you think about that assumption, it glides over a lot of things.”

For those working as cyber and network defenders, Granick said this could mean facing the government as a well-financed and incentivized attacker on the network. She also raised concerns about the government using this ability to form vulnerabilities and exploits that could get lost, hacked and used against the world — like how the National Security Agency’s EternalBlue exploit and hacking tool was used to form WannaCry, Wired reported.

“The idea that remote searching are like a given or something we should definitely buy into, it doesn't make sense to me,” Granick said. “There are so many collateral problems that are associated with it.”

But Bailey questioned the reaction to such activities, saying federal agents can get a warrant to search someone’s house and have been able to do so for hundreds of years, “but somehow, a computer seems creepier to people than that,” he said.

That may be because of the type of sensitive information people keep on their devices, that they hold more personal information and tell more about a person than a house might, Granick explained. She added it takes one warrant to search thousands of computers, whereas it takes a couple of police officers to search a single house.

But if there’s one area the Justice Department has a strong view on, it’s the concept of hacking back.

“We are not fans of hackback,” Bailey said. The department’s problem with hacking back, aside from its illegality, is “we have difficulty with why it’s good policy,” he said.

Ultimately, Bailey said the department has struggled to find use cases that demonstrate a good, scalable reason to make hackback available to everyone as a matter of force, and doing so may actually result in a less secure cybersecurity environment.