Texas judge denies FBI request to use Trojan to infiltrate unknown suspect's computer.
Jared Sperli stashed this in security
Pursuing criminal hacking groups is high on the FBI’s list of priorities—but the bureau is adopting some hacking techniques of its own. And a Texas judge isn’t happy about it.
On Monday, a judge denied an FBI request to install a spy Trojan on a computer in an unknown location in order to track down a suspected fraudster. The order rejecting the request revealed that the FBI wanted to use the surveillance tool to covertly infiltrate the computer and take photographs of its user through his or her webcam. The plan also included recording Internet activity, user location, email contents, chat messaging logs, photographs, documents, and passwords.
As the Wall Street Journal reported, Houston magistrate Judge Stephen Smith said that he could not approve the “extremely intrusive” tactic because the FBI did not know the location or identity of the suspect and could not guarantee the spy software would not end up targeting innocents. Smith wrote in a 13-page memorandum:
What if the Target Computer is located in a public library, an Internet café, or a workplace accessible to others? What if the computer is used by family or friends uninvolved in the illegal scheme? What if the counterfeit email address is used for legitimate reasons by others unconnected to the criminal conspiracy? What if the email address is accessed by more than one computer, or by a cell phone and other digital devices? There may well be sufficient answers to these questions, but the Government’s application does not supply them.
According to court documents, the FBI wanted to use the software to identify a person responsible for allegedly violating computer security laws and committing federal bank fraud and identity theft. A criminal is said to have infiltrated the email of a Texas man and later tried to steal a “sizable” amount of money from his bank by transferring it to a foreign account. But investigators apparently admitted that they did not know the physical location of the suspect, creating a major legal roadblock in gaining surveillance approval. There are rules in place that put territorial limits on magistrate judges’ authority, so that they can issue warrants only for their own districts—in this case, the Southern District of Texas. Smith made it clear in his refusal that he was particularly uncomfortable authorizing the feds to “hack a computer” that could have been based anywhere in the world.
Perhaps what is most interesting is the level of detail the memorandum discloses about the surveillance technology at the FBI’s disposal. Back in 2007, the bureau was revealedto be using a spyware that could infect computers and gather IP addresses, the last visited website address, and a range of other metadata. But the spy Trojan disclosed in the Houston documents is far more advanced, capable of copying content and turning a person’s webcam effectively into a surveillance camera. According to Smith:
[T]he Government’s data extraction software will activate the Target Computer’s built-in-camera and snap photographs sufficient to identify the persons using the computer. The Government couches its description of this technique in terms of “photo monitoring,” as opposed to video surveillance, but this is a distinction without a difference. In between snapping photographs, the Government will have real time access to the camera’s video feed.
Geez. The more we learn, the worse it sounds.