A government request to change federal court rules to make it easier to hack into computers during criminal investigations puts a new twist on the debate over privacy rights versus fighting crime in the digital world.
The Justice Department is arguing for warrants that provide law enforcement with more flexibility in tracking down suspects using anonymizing tools, such as Tor, The Wall Street Journal reported.
The government is arguing that the number of criminals taking advantage of anonymization technologies is increasing, so law enforcement needs help in penetrating these cloaks for criminal activity. In essence, the government wants to obtain one warrant that allows it to hack one computer and use it as a springboard for searching systems it is connected to over the Internet.
For example, Tor hampers governments' ability to identify people on the network by passing communications through many computers run by volunteers. To locate the system used by a suspect, the government wants one warrant that would allow it to search many computers at the same time, as well as related storage, email and social media accounts.
While the government would break into computers using the same techniques as cybercriminals, such as sending carefully crafted email to get the recipient to click on a malicious attachment, the government avoids the word hacking and prefers such euphemisms as "network investigative tools" (NITs).
Authorizing law enforcement to cast such a wide net during criminal investigations concerns privacy advocates.
"We're obviously very worried about it because the government's 'network investigative tools' are really just invasive malware that should be used only in the most extreme of circumstances," Hanni Fakhoury, staff attorney for the Electronic Frontier Foundation, told CSOonline.
Giving the government too much flexibility threatens Americans' rights under the Fourth Amendment, which limits searches to places where evidence is likely to be found, Fakhoury said. The DoJ proposal would allow "open-ended access to a whole host of information."
In addition, allowing the government to increase its use of exploits for software would hurt Internet security overall, since the malware used by law enforcement would eventually be discovered by cybercriminals.
"The more malware and exploits that are available on the market, the more everyone is exposed, regardless of whether they are criminals or not," Fakhoury said. "I would think it would be in the tech industry's best interest to be against this, as it leaves vulnerabilities exposed to the DoJ and malicious actors alike."
Al Pascual, analyst for security, risk and fraud at Javelin Strategy & Research, believes there is a middle ground. The courts could require greater specificity on what data is collected, from whom and in support of what charge, he said.
In addition, the DoJ could be required to reveal to the court the exact method it plans to use to snatch data, along with the steps being taken to minimize the gathering of information from uninvolved third parties. The government could also be required to say when and how that data would be destroyed.
"Transparency and data minimization are critical," Pascual said.
Denying law enforcement needed tools to catch criminals in the electronic world would damage society as much as going too far in compromising privacy rights.
"To deny law enforcement the ability to effectively hack criminals in the course of an investigation, because you believe that it violates privacy, would be tantamount to saying that police officers shouldn't carry firearms because you don't believe in violence," Pascual argued.
As an example of how criminals use Tor, the government submitted documents to the courts' rule-making body, called the U.S. Judicial Conference, describing an investigation of suspected child pornographers who visited a U.S. site on the network.
"In this case, law enforcement knew the physical location of the servers used to host the hidden service," the document said. "However, without use of a NIT, investigators could not identify the administrators or users of the hidden service."
While some judges have already granted warrants for hacking systems, one judge denied a government request because of the current rules, The Journal reported.