In 2015, the FBI used a single warrant, issued by a single judge, to hack into and search more than 8,000 computers in 120 countries around the world. The government designed software to infiltrate computers and bypass security- and privacy-enhancing technologies their users had put in place in order to identify and prosecute those users for visiting particular websites.
This kind of bulk hacking flies in the face of our Fourth Amendment rights, which require that the government justify any search with individualized probable cause and a particularized warrant. The 8,000-computer warrant also violated the Federal Rules of Criminal Procedure that were in place at the time that it was issued.
This is not the first time that the government has relied on mass hacking in an investigation. And because it won’t be the last, criminal defendants must be armed with the tools to fight back. That is why the ACLU—along with the Electronic Frontier Foundation and the National Association of Criminal Defense Lawyers—released a guide for criminal defense attorneys today, which helps attorneys identify if secret government “malware”—that is, hostile computer code—was installed on a client’s computer, and outlines a range of potential legal challenges to such government bulk hacking. The guide explains what malware is, why it exists, and how the government uses it, then uses existing cases as a roadmap to offer legal arguments that criminal defense attorneys can use to seek suppression of evidence and dismissal of any case in which malware was used.
The guide focuses on the best known and most frequently litigated form of government bulk hacking: “watering hole” operations (so-called because the term derives from the concept of poisoning a watering hole where groups of animals drink). Through such operations, the government commandeers a website associated with criminal activity, continues to operate it, and uses the site to surreptitiously deliver malware to every computer—possibly thousands—that connects to the site. The government can deliver the malware through a link that a user clicks on, or by programming the malware to secretly install itself on a computer once a user visits a particular page. Unbeknownst to the user, the malware then takes partial control of his or her computer in order to search it and send identifying information, including the computer’s IP address, back to a law enforcement server.
The guide is important for criminal defendants and their attorneys, but it is also important for anyone who browses online anonymously through tools like Tor. To date, known government investigations using bulk hacking have focused on child pornography websites. But, as with all new technologies, the government’s use of malware will inevitably expand to other contexts and be used for increasingly intrusive searches. And even existing operations have swept up services used by dissidents and journalists—including Tormail, a now defunct anonymous email service.
We must be vigilant against government attempts to stretch the limits of the Constitution by deploying the newest technology against the least sympathetic individuals. Our Fourth Amendment right to be free from unreasonable searches applies regardless of the technology involved. That means that hacking always requires a warrant based on individual suspicion. This guide will help ensure this fundamental right is respected.