Wednesday, May 24, 2017

It's Not ‘Malware’ When We Have a Warrant, FBI Says

OFF THE WIRE
Joshua Kopstein

The government is trying to downplay the hacking code it used to identify thousands of anonymous Tor users under a single warrant.

The FBI has been in the hacking business for a long time, famously using malware to log suspects' keystrokes as early as the 1990s. But in the high-profile case surrounding a dark web child abuse site called Playpen, the Bureau is arguing that because it was authorized by a warrant, its computer intrusion code shouldn't be called "malware" at all.
In a testimony earlier this week in the case of US vs. Jay Michaud, FBI special agent Daniel Alfin argued that the hacking tool used to identify Michaud and thousands of other Playpen users—which the FBI euphemistically calls a "Network Investigative Technique" or "NIT"—isn't malware because it was authorized by a court and didn't damage the security of Michaud's computer.
"The NIT utilized in this investigation was court-authorized and made no changes to the security settings of the target computers to which it was deployed. As such, I do not believe it is appropriate to describe its operation as 'malicious,'" Alfin said. He added that he personally loaded the NIT onto one of his own machines and that "it did not make any changes to the security settings on my computer or otherwise render it more vulnerable to intrusion than it already was."
Malware is short for "malicious software," and has always been somewhat hard to define. But the government's interpretation defies its commonly understood meaning in computer security, which describes code that ssurreptitiously installs and runs on a device without the owner's consent. The FBI's NIT would certainly fit that description: it was quietly installed on the machine of anyone accessing the Playpen website, which was only available while using the anonymous Tor browser. Once implanted, the NIT returned the true IP addresses of the site's visitors. To send the NIT, the FBI seized control of the Playpen site, effectively facilitating the distribution of child abuse images for two weeks.

It may just be semantics, but the terminology could be crucial as momentum builds in the courts and Congress to limit the FBI's hacking powers. Earlier this week, Senator Ron Wyden (D-Ore.) announced the Stop Mass Hacking Act, a bill that would prevent the FBI from using a single warrant to install malware on thousands of computers whose locations are unknown, like it did in the Playpen case.

Judge Robert J. Bryan recently reversed his previous position on the FBI's use of the NIT, ruling that the government doesn't have to reveal the full exploit code while simultaneously saying that the government should face sanctions for its refusal to produce evidence. In response, the government argued on Friday that it should receive no sanctions at all for refusing to disclose the exploit, claiming that the defendant already has enough information about the NIT to build a defense.
FBI