Good: FBI denied permission to spy on hacker through his webcam




sailingaway
04-28-2013, 11:49 PM
A federal magistrate judge has denied (PDF) a request from the FBI to install sophisticated surveillance software to track someone suspected of attempting to conduct a “sizeable wire transfer from [John Doe’s] local bank [in Texas] to a foreign bank account.”

Back in March 2013, the FBI asked the judge to grant a month-long “Rule 41 search and seizure warrant” of a suspect’s computer “at premises unknown” as a way to find out more about these possible violations of “federal bank fraud, identity theft and computer security laws.”

In an unusually public order published this week, Judge Stephen Smith slapped down the FBI on the grounds that the warrant request was overbroad and too invasive. In it, he gives a unique insight as to the government’s capabilities for sophisticated digital surveillance on potential targets. According to the judge’s description of the spyware, it sounds very similar to the RAT software that many miscreants use to spy on other Internet users without their knowledge. (Ars editor Nate Anderson detailed the practice last month.)

According to the 13-page order, the FBI wanted to “surreptitiously install data extraction software on the Target Computer. Once installed, the software has the capacity to search the computer’s hard drive, random access memory, and other storage media; to activate the computer’s built-in camera; to generate latitude and longitude coordinates for the computer’s location; and to transmit the extracted data to FBI agents within the district.”

Neither an FBI spokesperson, nor Craig M. Feazel—who represents the FBI in this case and is an assistant United States Attorney—responded to Ars’ request for comment. Many civil libertarians, though, have raised serious questions as to what the government is up to.

“Hacking should be something that is the last resort, not the first option,” Chris Soghoian, principal technologist at the ACLU's Speech Privacy and Technology Project, told Ars. “No one knows anything about [how the FBI’s software works]. We know from a [Freedom of Information Act request] that there was a [Computer and Internet Protocol Address Verifier software], but this seems to be much more sophisticated. This sounds like the kind of [spyware] stuff that Gamma is selling. As a general rule, we don’t think law enforcement should be in the hacking business. It’s sexy, but it’s terrifying.”

Soghoian also recalled that Germany’s own (and similar) “federal trojan” program has been revealed to have notable security flaws by the famed hacker group, the Chaos Computer Club.

"Little or no explanation"

According to the judge’s order (PDF), the FBI has no idea where the suspect actually is, but noted that the “IP address of the computer accessing Doe’s account resolves to a foreign country.”

While IP addresses can certainly be easily spoofed, assuming the suspect actually is outside the United States, that raises significant questions as to the appropriate use of such a warrant. The judge agreed, noting that the “government’s application does not satisfy any [existing territorial limits].”

Further, the judge cited the government’s failure to meet the Fourth Amendment’s requirement of “place to be searched, and the persons or things to be seized.”

...

The judge also berated the government for its failure to explain how precisely it would target the suspect’s computer, the suspect, and no one else.


What if the Target Computer is located in a public library, an Internet café, or a workplace accessible to others? What if the computer is used by family or friends uninvolved in the illegal scheme? What if the counterfeit e-mail address is used for legitimate reasons by others unconnected to the criminal conspiracy? What if the e-mail address is accessed by more than one computer, or by a cell phone and other digital devices? There may well be sufficient answers to these questions, but the Government’s application does not supply them.

Yeah, that Judge Smith

What’s also notable about this case, according to legal experts, is that it was issued by a Texas federal judge notorious for his outspoken views on making government surveillance more transparent. As we reported last year, Judge Smith estimated that tens of thousands of secret surveillance orders are issued by his fellow judges each year.

more: http://www.nbcnews.com/id/44105072/ns/us_news-crime_and_courts/t/pennsylvania-judge-gets-years-kids-cash-case/#.UX4C7aK87To

bolil
04-28-2013, 11:50 PM
more: http://www.nbcnews.com/id/44105072/ns/us_news-crime_and_courts/t/pennsylvania-judge-gets-years-kids-cash-case/#.UX4C7aK87To

99.9% of the time. Stories like these are good examples of what is commonly called disinformation.

DamianTV
04-29-2013, 01:50 AM
^ THAT ^

WhistlinDave
04-29-2013, 02:06 AM
What amazes me the most is that they would actually ask for a warrant or permission... I didn't realize they actually try to follow the law when they want to get somebody.

tod evans
04-29-2013, 03:29 AM
"They" won't ask "that" judge next time...

There are literally thousands of judges willing to wipe their collective ass with the constitution and the tax-sucking, freedom-hating government employees will flock to them.

devil21
04-29-2013, 04:34 AM
^ THAT ^

Really? Disinfo? I read the article as the FBI wanting a rubber stamp search warrant to release their own spyware onto the internet with a federal judge's approval and the judge said no way. I doubt there's actually a suspect they are seeking but rather want court approval to release spyware and to start a precedent. Not sure what the disinfo would be there.


What amazes me the most is that they would actually ask for a warrant or permission... I didn't realize they actually try to follow the law when they want to get somebody.

Gotta get a federal judge to sign off on it to start a legal precedent for its use. VERY happy to see a judge with integrity still on the bench. It reminds me that we're not totally lost yet.

better-dead-than-fed
04-29-2013, 06:46 AM
more: http://www.nbcnews.com/id/44105072/ns/us_news-crime_and_courts/t/pennsylvania-judge-gets-years-kids-cash-case/#.UX4C7aK87To

Link leads to the wrong article.


What amazes me the most is that they would actually ask for a warrant or permission... I didn't realize they actually try to follow the law when they want to get somebody.

They might ask for a warrant if they want to admit the data at trial, but for the investigation phase they have no incentive to seek a warrant.


“No one knows anything about how the FBI’s software works.”

I know it crashes my computer every hour.

jmdrake
04-29-2013, 07:03 AM
What amazes me the most is that they would actually ask for a warrant or permission... I didn't realize they actually try to follow the law when they want to get somebody.
As others have said, without a warrant the evidence is inadmissible. But when they're going on "fishing expeditions" it doesn't matter...? as long as they don't get caught. That's why the whole "Miranda for Boston bomber" debate is such a joke. Supposedly there's all this evidence that people believe he's already guilty and doesn't deserve rights, right? Well then why would it matter if he was questioned without Miranda and he said something that couldn't later be used in court?

MoneyWhereMyMouthIs2
04-29-2013, 07:44 AM
“No one knows anything about how the FBI’s software works.”


lol. It just spontaneously appeared out of nowhere, I guess.

Constitutional Paulicy
04-29-2013, 07:55 AM
More on the Federal Trojan....


It is named scuinst.exe - after the official name of the federal Trojan which is "Skype Capture Unit." It carries five additional binaries and has the capability to monitor even more applications than originally thought - including the IE, Firefox and Opera browsers and chat, messaging and VoIP apps such as Low-Rate Voip, ICQ, Yahoo! Messenger and many more.

more here... http://www.net-security.org/malware_news.php?id=1882

better-dead-than-fed
04-29-2013, 09:11 AM
... the 64-bit driver provided by the dropper is the fact that it's digitally signed. It must be, or the OS wouldn't load it. But the certificate is issued by Goose Cert, a CA that doesn't exist.

This would normally mean that the OS won't accept it, so the question that must be raised is "Does that mean that the Trojan is capable of installing the bogus certificate in the Trusted Root Certification Authorities store?"

I had thought viruses were only for people who go around recklessly installing random executables on their computers, but maybe not.

HOLLYWOOD
04-29-2013, 09:29 AM
I'd like to see what the "lifetime costs" are for all these agencies hiring 'agents' to spy on American citizens through their Webcams/PCs/smartphones. Betcha it's astronomical... part of that $80-90 Billion spent each year under "classified/national security" expenditures.

PaulConventionWV
04-29-2013, 12:42 PM
more: http://www.nbcnews.com/id/44105072/ns/us_news-crime_and_courts/t/pennsylvania-judge-gets-years-kids-cash-case/#.UX4C7aK87To

I hate how people at the ACLU use the "last resort" line. Hacking isn't a last resort OR a first option. It is a non-option. If the police can't get a warrant, they shouldn't go use trumped up justifications for probable cause to bust into someone's home as a "last resort". They shouldn't resort to it at all... Some things are off limits to law enforcement, like it or not, and I'll be damned if I'll even give them the option to use unconstitutional measures as a "last resort."