[csoghoian]

The FBI has been using malware since at least 2003 [1], probably a few years before that. Today, the FBI has a dedicated team, the Remote Operations Unit, based out of Quantico, which does nothing but hack into the computers and mobile phones of targets. According to one former top FBI official, among the team's many technical capabilities, is the ability to remotely enable a webcam without the indicator light turning on [2].

Although DOJ has been using malware for nearly fifteen years, it never sought a formal expansion of legal authority from Congress. There has never been a Congressional hearing, nor do DOJ/FBI officials ever talk explicitly about this capability.

The Rule 41 proposal before this advisory committee was the first ever opportunity for civil society groups, including my employer, the ACLU, to weigh in. We, along with several other groups, submitted comments and testified in person.

Our comments can be seen here [3,4]. Incidentally, it was while doing the research for our second comment that I discovered that the FBI had impersonated the Associated Press as part of a malware operation in 2007 [5].

Ultimately, the committee voted to approve the change to the rules requested by DOJ. In doing so, the committee dismissed the criticism from the civil society groups, by saying that we misunderstood the role of the committee, that the committee was not being asked to weigh in on the legality of the use of hacking by law enforcement, and that "[m]uch of the opposition [to the proposed rule change] reflected a misunderstanding of the scope of the proposal...The proposal addresses venue; it does not itself create authority for electronic searches or alter applicable statutory or constitutional requirements."

[1] http://www.nytimes.com/2016/04/14/technology/fbi-tried-to-de...

[2] https://www.washingtonpost.com/business/technology/2013/12/0...

[3] https://www.aclu.org/sites/default/files/assets/aclu_comment...

[4] https://www.aclu.org/files/assets/aclu_comment_on_remote_acc...

[5] http://bigstory.ap.org/article/23f882720e564b918d83abb18cd5d...

[tptacek]

Thanks for writing this comment. It's deeply informative and useful.

Two things I want to call out, one minor and one more significant. The significant one first:

Your employer, in the response you linked to, wrote approvingly of Orin Kerr's proposed alternative language, which would enable the same sort of remote "hacking" with the new precondition that it be allowed only when it's impossible for the courts to ascertain the right district.

If ACLU is OK with that narrower language, is it safe to say that you disagree with your employer? Because your arguments strongly implicate Kerr's proposed language as well. Put simply: you appear to favor broad restrictions on DOJ's ability to coercively collect electronic evidence regardless of whether courts authorize it.

The minor objection I have to your comment is the link to WaPo about the FBI being able to record video from laptop cameras without lighting the LED. That's an unsourced anonymous claim that, by my reading, can't possibly be accurate as stated, since different laptops have different mechanisms and it is vanishingly unlikely that the FBI has defeated all of them. I'm prepared to be wrong about this, but expect that I'm not, and would like to know if you can provide any more evidence backing that extraordinary WaPo claim up.

[csoghoian]

1. My employer, the ACLU, filed two comments in the Rule 41 process.

The first, before public comments were even solicited, resulted in DOJ dropping one of their proposed changes to rule 41, which would have permitted the gov to piggyback from a hacked target's computer to a cloud account (such as Dropbox or Google), rather than the gov going to the cloud provider with a warrant.

While our first comment does indeed describe and quote from some alternative language proposed by Orin Kerr, I don't think it is fair to describe that as evidence of ACLU approval of hacking of users whose location cannot be determined. For example, in that comment, we note that:

[U]nder Professor Kerr’s language, the government would still be able to obtain warrants to use malware, zero-day exploits, and other techniques that raise serious constitutional and policy questions.

2. While some public interest groups and tech policy advocates are publicly (or, in some cases, privately) embracing the idea of giving law enforcement formal, regulated hacking powers, in a desperate attempt to push back against legislative pressure for crypto backdoors, I'm thankful that the ACLU has not done so. If the organization does at some point decide to come out in favor of law enforcement hacking, I strongly doubt my name will be on that document.

[I'll note, however, that one of the great perks that come with working for the ACLU is that it's perfectly OK to disagree with some of the organizations' official policy positions. I'm not forced to tow the company line publicly on issues in which I disagree.]

3. Just so all of my cards are on the table. I'm volunteering, unpaid, as an expert for the defense in several of the Playpen FBI watering hole cases. I am strongly opposed to bulk hacking, enough so to volunteer my time to helping to fight the FBI's use of this outrageous surveillance technique.

4. The FBI being able to remotely activate webcams without the light turning on is not an "unsourced anonymous claim".

From the Washington Post story, linked to in my comment above:

The FBI has been able to covertly activate a computer’s camera — without triggering the light that lets users know it is recording — for several years, and has used that technique mainly in terrorism cases or the most serious criminal investigations, said Marcus Thomas, former assistant director of the FBI’s Operational Technology Division in Quantico.

[tptacek]

I'll ask again. Is it your belief that the claim in this article, that the FBI can defeat the LED indicator on every popular laptop camera, accurately describes reality?

[csoghoian]

I think that some webcam indicator lights are vulnerable to remote disabling. Although it is certainly possible that some are not, I and most other users have no way of knowing which lights are reliable, and which ones are vulnerable.

As such, I put a Band-Aid over my webcam.

Now if only I could figure out an equally easy way to reliably disable my laptop microphone without opening up the laptop and cutting the cable.

[the_ancient]

On most (if not all) Laptop Webcams the Light is not controlled by hardware, but by the Operating System

it is Trivial to create software to no turn on the light.

The Light is not considered by manufacturers to be a Security feature, or something to warn a user of someone other than the user is using the webcam, it is simply there to inform the user when their cam is active using normal "friendly" software, it is a convenience feature, not a security feature

Many commercial management and security software packages sold to schools, corporations, and individuals have the ability to turn on the webcam with out illuminating the light, this often billed as a "theft prevention" feature.

Several schools have gotten in trouble for using this feature to spy on students using school owned laptops

In short, they do not have to "defeat all of the laptops" they just have to right a program for windows, and get 99% of them, the capability is already in the OS, the harder part is installing it with out the user knowing, and hiding the process from the user... Disabling the LED is trivial

[tptacek]

This statement isn't even really true of the old iSight cameras; they were attackable, but only by overwriting the firmware on the camera itself.

Is disabling the LED on a modern Macbook trivial? I'm genuinely asking. If so, can you provide a link demonstrating how? The ability to override the LED on the old iSight cameras was interesting enough that the paper demonstrating it got published at USENIX.

[the_ancient]

I was not aware that apple was the only manufactures of computers.... or Webcams.

I personally have never and will never own a Apple product, so I can not say what is true or not True in the Apple Space, I speak to the 90% of other computers running Windows Operating Systems

[tptacek]

Do we perhaps have different definitions of "most if not all"?

[the_ancient]

By Laptops I mean PC not MAC...

MAC's are better left to the history books