The FBI's Quiet Plan to Begin Mass Hacking

Senator Ron Wyden delivered a speech on the floor of the Senate on Thursday calling for passage of a bill that would annul new rules for judges. These rules will give the FBI authority to hack millions of people's computers with a single search warrant, regardless of where the device is located.

The Stop Mass Hacking Act (S. 2952, H.R. 5321), which has bipartisan support, is composed of a single sentence:

"To prevent the proposed amendments to rule 41 of the Federal Rules of Criminal Procedure from taking effect."

Wyden's bill attempts to stop the upcoming changes to Rule 41, set to take effect in less than 90 days.

The changes to Rule 41 would allow judges to grant warrants to search and seize electronic media located outside of their home districts when the location of the information is “concealed through technological means.”

For instance, when a person is using Tor.

The broad search warrants allowable under these new rules will apply to people using Tor in any country—even if they are journalists, members of a legislature, or human rights activists. The FBI will be permitted to hack into a person’s computer or phone remotely and to search through and remove their data. The FBI will be able to introduce malware into computers. It will create vulnerabilities that will leave users exposed.

To quote a tweet from Daniel Schuman of the NGO Demand Progress, "Even if you like mass FBI hacking, shouldn't the Senate hold a hearing first before it automatically becomes law?"

We are at a critical point in the United States regarding surveillance law. Some public officials, like those at the US Department of Justice (the FBI is a department of DOJ), understand very well how surveillance technology works and the implications of the Rule 41 changes. But the judges who must approve these warrants under the new rules vary widely in their technical expertise and understanding of how these decisions affect the larger Constitutional issues of search and seizure. Rule 41 will allow savvy law enforcement officials to seek those judges who don't yet understand the tech.

Similarly, there are many members of Congress who don't yet understand either the technology or its impact on democratic institutions and values. Some understand that Tor and encryption are currently used by politicians, judges, and even the FBI to keep their communications private--but others do not. Some—but not all—know that privacy tools like Tor can help enforce the separation of powers by preventing one branch of government from spying on another. Some know that a back door for one good guy is eventually a back door for multiple bad guys. Many others do not.

So some US officials can take advantage of this ignorance in order to expand their power. And since the FBI works for the Department of Justice, and the Department of Justice works for the White House, Rule 41 gives new surveillance power to the Administrative branch of US government. New power over millions of people--that Congress never discussed or approved.

Why go through Congress, the reasoning goes, and risk public exposure, debate, and possible defeat, when law enforcement can tweak a rulebook and get the same new hacking power?

If you care about FBI mass hacking, urge Congress to pass the Stop Mass Hacking bill on social media with the hashtag #SMHAct (one of the better legislative hashtags).

If you are an American citizen, there is much more you can do. Here is a seemingly minor thing--but one that can have great impact. Call and leave a message with the Washington, DC, office of the US Senator from your state. Senators actually count these calls, and they influence their decisions--perhaps they don't want to be voted out of office by the constituents they ignored.

Here is a list of Senators' phone numbers (calling is much more effective than email for this purpose): http://www.senate.gov/general/contact_information/senators_cfm.cfm?Orde…

Your call or voicemail can be very simple:

"My name is _____, I am Senator ____'s constituent in the state of ___, and I support the 'Stop Mass Hacking Act.' I ask Senator _____ to support the Stop Mass Hacking Act also and that it be considered during this work period. Thank you."

You can also leave a thank-you message with Senator Wyden's office (this gives Wyden more ballast to encourage his colleagues to support the bill).

If you make those calls or leave voicemails and you're on Twitter, tweet that you called your Senator using their Twitter handle and the #SMHAct hashtag. This amplifies the power of the phone call.

The Stop Mass Hacking Act has bipartisan support. Senators Steve Daines (R-Montana), Rand Paul (R-Kentucky), Tammy Baldwin (D-Wisconsin), and Jon Tester (D-Montana) are original co-sponsors of the Senate bill.

People listen to the Tor community on issues of anonymity technology. But the threat to anonymity can be just as destructive when it comes because of a small rule change--a bureaucratic sleight of hand--as when it comes through an attack on our software by a state intelligence agency. As Tor users, our threat model includes both, so our response as a community must also include both.

UPDATE: Phoning is by far the most important. Then you can tweet to your Senator.

The Twitter accounts for US Senators are here: http://www.socialseer.com/resources/us-senator-twitter-accounts/ #SMHAct

-----
H.R.5321: https://www.congress.gov/bill/114th-congress/house-bill/5321
S.2952: https://www.congress.gov/bill/114th-congress/senate-bill/2952

kata

September 18, 2016

The senate.gov link blocks Tor (and archive.org!) but it appears to be accessible via startpage.com proxy. I'll definitely be calling on the next business day. Would it be beneficial to call our congressmen as well?

> The senate.gov link blocks Tor

I noticed that months ago, and tried to post about it, but my post never appeared.

I should start keeping track of posts which are "accidentally" deleted or never appear, because I am starting to see a pattern: the ones which embarrass the USG vanish under mysterious circumstances. Curious, wouldn't you say?

So I called my state senators, then when I called to thank Wyden, I asked his secretary what else I can do to help, e.g. calling congressmen. He said the biggest thing is raise awareness and encourage other people to call their state senators, but also call congressmen regarding the House of Representatives version of the bill (same name, but use the "H.R." bill number above). He said contact them the same way, look up the House rep for your district (on house.gov or your state's house site) and leave a message. I'm not sure how much pull House members have on federal topics, but it can't hurt.

So I called my local House rep and left a thank-you with Ted Poe's (proposer of the House version of the Stop Mass Hacking Act) secretary. The process is virtually identical to that of the Senate. In total that's 5 calls. I regret not mentioning the "NoGlobalWarrants.org" site (run by the EFF) in my messages, but hopefully other callers will do so.

Are there any channels we can watch for updates on this within the Senate and Congress? E.g. to look for any statements made about Rule 41 and the Stop Mass Hacking Act at the congressional meetings and the like?

In other words, can we observe any feedback that this is actually working? Given that the Tor Browser 6.0.5 release blog post came 4 days after this one, and has many orders of magnitude more comments already, I fear that a lot of users are reading this post under the illusion that everyone else is calling, so they think their call won't make a difference.

I am against the mass hacking act. That is bullshit. Benjamin Franklin said "revolution is healthy for any governing body, not just one man but the combined effort of all man with a common goal". Looks like a revolution is in order.

> Are there any channels we can watch for updates on this within the Senate and Congress? E.g. to look for any statements made about Rule 41 and the Stop Mass Hacking Act at the congressional meetings and the like?

thehill.com is a good Tor-friendly resource which has been covering this issue. Sometimes they post a notice (too often a few hours too late in my experience) about something happening in real time in a key Congressional meeting room, such as a "markup session" in which staffers and lobbyists put in all the loopholes which enable corruption to flourish and the wealthy to profit, and remove any language which would actually empower the citizen to try to improve his/her lowly station. (Some might be surprised by how many staffers would not substantially disagree with this characterization of marathon 20 hour markup sessions.)

One bad practice which The Hill could easily fix: staffers want to know the bill numbers (e.g. HR1234 or S567), but for some reason The Hill typically fails to mention these.

Unfortunately, only a professional lobbyist located in DC itself who is wandering the halls of the Capitol daily can really hope to track the progress of legislation.

If one finds some malware which is part of a FBI NIT on a computer but one doesn't realise that, and one removes/fixes it, has one committed a crime by impeding a federal criminal investigation?

kata

September 19, 2016

In reply to by Anonymous (not verified)

I'm not sure what you're referring to with that. If it was in reply to my comment above, please use the "reply" button so it is easy for me and other users to tell. In any case, please quote the specific part of the comment or blog post that your comment pertains to. Without this information, I can't really make sense of your comment at all.

kata

September 19, 2016

"The broad search warrants allowable under these new rules will apply to people using Tor in any country". This must be breaking some sort of international privacy laws, doesn't it? Europe has their own LEAs and I don't think they would grant the FBI "global" rights to hack into European Tor users' computers!!! That, if anything, is a severe breach of international privacy/telecommunications/whatnot laws, right? And thus the FBI would be subject to legal action (as a defendant) at least in Europe.

kata

September 13, 2016

Thank you for drawing attention to this important issue. I called my Senators but don't want to draw attention to myself via social media. I strongly encourage other US citizens to call their Congresspeople.

kata

September 19, 2016

I simply cannot register the amount of abuse of power this will grant the FBI if a disaster such as this is allowed to pass. Land of the free, home of the terrified.

kata

September 20, 2016

it's not mass hacking, it's not even mass cracking, it's the next step in digital tyranny: arbitrary seizure of electronics if they can't get what they want.

IANAL but we sort of have that already with civil asset forfeiture, where they can seize anything, without a warrant, that they have probable cause (but not necessarily proof) was obtained as a result of (or used in furtherance of?) a crime. I think the difference here might be that CAF assets are simply new toys/money for the LEA, while those seized under this law (with a warrant, unconstitutional as that warrant may be) can also be used as evidence in a court of law. I'm just guessing at this, so anyone please correct me if I'm wrong.

US cops are already stopping pedestrians and seizing amounts ranging from 8 cents upward. The only purpose of this "asset forfeiture" is to terrorize people who live in poor neighborhoods (which are often drug-infested, but not everyone who lives in poor neighborhoods is a drug user and even fewer are involved in the drug business). The real crooks, Big Pharma and Big Bank executives, get their huge bonuses every year, and so it goes.

kata

September 20, 2016

I am from Spain, of course I will share this, but will it be legal to hack people from other countries? Sorry if there are some mistakes, love what you do.

kata

September 21, 2016

Suggest we all call back to point out that US judges are suppressing evidence obtained by FBI illicit intrusions into remote servers owned and operated by others:

http://arstechnica.com/tech-policy/2016/09/judge-child-porn-evidence-ob…
Judge: child porn evidence obtained via FBI’s Tor hack must be suppressed
Third judge rules that Playpen search warrant was invalid from the start.
Cyrus Farivar
21 Sep 2016

This is the kind of embarrassing comment USG cannot tolerate, so it uses zero-days/malware to illegally intrude into a remote server owned by someone else, and deletes comments.

If FBI gets its way, soon it will be hacking arstechnica.com and removing stories it dislikes. Taking people off the street for wearing backpacks. Carrying phones which use end-to-end encryption. Putting people in preventative detention camps, a possibility which is being seriously discussed inside USG, as confirmed by an inside source at the RAND corporation. See this ebook which critiques FBI/NCTC CVE programs on the grounds that the math shows they won't work, just as commentators have pointed out in this blog:

http://ismor.cds.cranfield.ac.uk/30th-symposium-2013/behavioural-indica…

This is an unclassified public document but the authors have clearly also been reading classified documents (not cited in the references of course).

If they really wanted to find out about this browser---Then they might actually here in this site. It's easy to find in the internet. So it's really hard for us to cover now, if they do.

kata

September 21, 2016

I understand the problem and what the solution is but does this also mean that using tor will become useless? I kind of get that impression from the text

kata

September 21, 2016

Looks like comments are being deleted or censored here AGAIN.

Shari, what gives?

kata

September 14, 2016

Does this include the possibility that the FBI hacks individuals outside of the US?

With a warrant signed by a judge under the new rules, yes! And if you don't like the idea of the US FBI hacking your computer, I would consider contacting the foreign office of your national government immediately--also get in touch with EDRi (www.EDRi.org) if you are in Europe, or your local privacy advocacy organization.

*If it is safe to do so*, follow up publicly so that people can see your views by posting on social media, blogging, writing an opinion piece or letter to the editor in your newspaper. You can also phone or email reporters to alert them to the situation. The US FBI collaborates with the US NSA, and the NSA collaborates with lots of countries. So your foreign office may not be totally against the idea of US interference or hacking. Thus, it's best to be public about your views if possible.

Here is an article about FBI/NSA/international collaboration: https://www.fbi.gov/news/testimony/the-fbis-role-in-cyber-security

#SMHAct and #Rule41 are good hash tags to use on social media.

This post from EFF addresses your question in more detail:

https://www.eff.org/deeplinks/2016/08/illegal-playpen-story-rule-41-and…
The Playpen Story: Rule 41 and Global Hacking Warrants
Mark Rumold
26 Sep 2016

> The warrant the FBI used in the Playpen investigation—which resulted in the delivery of malware to over a thousand computers, located around the world—violated [the *current version* of] Rule 41, an important rule of federal criminal procedure. Although Rule 41 may seem obscure, it plays a vital role in limiting when federal law enforcement agencies can conduct lawful searches and seizures.
> ...
> This “territorial” restriction [in the current version of Rule 41] is an important one. It ensures that any search or seizure that is authorized has a sufficient nexus to the judicial district, and it helps guard against law enforcement “forum shopping”—where law enforcement is able to seek out sympathetic or unquestioning judges to obtain warrants, even if those warrants have little or no connection to the judicial district.
> ...
> As we’ve written about before, DOJ is pushing a change to Rule 41. The new Rule 41 would, for the first time, authorize magistrates to issue search warrants, like the Playpen warrant, when “technological means” like Tor or VPNs are obscuring the location of a computer, or when a computer is swept up in a "botnet." In these circumstances, law enforcement could remotely access, search, seize, or copy data on computers, no matter where the computers were located and without providing notice to the users being searched. That means the FBI could go to almost any federal magistrate judge and get a warrant authorizing the FBI to hack into a computer (or, as was the case in the Playpen investigation, thousands of computers), no matter where in the world those computers are located.
>
> Make no mistake: the changes to Rule 41 will result in many, many more warrants like the one used in the Playpen case. "Fine," you might say, "I'm not doing anything illegal online. The FBI won't have any interest in hacking into my computer." But, because the Rule 41 changes authorize hacking when a computer is part of a botnet, even innocent users caught up in a botnet could be unknowingly subjected to an FBI search.

It is far worse than that. It appears a virtual certainty that come 1 Dec 2016 FBI will secretly seek and obtain from their most obliging magistrate judges orders targeting everyone who posts at blogs like this one.

Is this why Shari is apparently mulling shutting down this blog entirely? If we conclude that all visitors will be routinely attacked, those coming from the most oppressive countries could very well have their lives endangered if their own governments detect the telltale signature of FBI's NIT "phoning home" to Quantico.

Now that I think about it--- and I am horrified to say so--- maybe it *does* make sense to shut down the blog before 1 Dec 2016. A horrid prospect, but there are far too many unanswered questions about how FBI malware works and whether it would endanger visitors from countries where using Tor is virtually illegal.

Most appalling of all: even if TP moved outside the US before 1 Dec 2016, which would almost certainly be a very good idea, FBI will still be able to freely attack any visitor to the new blog.torproject.org, because under the new version of Rule 41 it will be free to hack any device anywhere in the world, regardless of the laws of any other nation.

I interpret your question to read: "Have the proposed changes to Rule 41 been blocked by the US Congress"?

Please recall that the proposed changes to Rule 41 will make it "legal", under the laws of the US, for FBI to use malware and malicious network activity to break into any computer anywhere in the world, possibly using what are in effect "Writs of Assistance" which can be issued by any magistrate judge (the lowest kind in the US court system).

FBI has demanded these changes for years, because they want to "legalize" actions targeting the Tor network which it has undertaken illegally for many years. The changes have already been approved by the US Supreme Court, so the only way left to stop them from coming into force is to persuade the US Congress to pass a bill blocking them.

So the answer is: the changes will take effect on 1 Dec 2016 *unless* the US Congress passes a bill (the Stop Mass Hacking Act sponsored by Sen. Wyden is the Senate version) to block these changes. There is still time to call members of Congress in order to urge them to take action.

kata

September 15, 2016

abnormality on tails 2.6rc1 - after facebookcorewwwi chat to reporter: new circuit was built. never experienced such behaviour before. even facebook asked me if i want to send again.

kata

September 15, 2016

Who the hell does America think they are, creating laws permitting a US organization to cut across all National laws and plant backdoors on computers around the world? It is high time the Internet was controlled by an independent International body. Don't forget the internet was created by a Brit, not an American as most seem to think.

kata

September 25, 2016

One Comment was made "Tor has to make the next step"
We in the Community are TOR so we all need to stand. Always Remember People are going to be "Policed" so far and then the People Stand up to them. That is the Answer.

kata

September 25, 2016

That is good relating to stop terrorists communicating online or planning something bad. But to a normal law abiding citizen taking hacking into their privacy that's bad. the other part that also cyberstalking, criminals using the internet for the wrong and harmful reasons need to be taken down

kata

September 25, 2016

[This is the kind of post which USG is likely to try to censor or remove]

[moderator: one post cited below quotes Bruce Schneier, who is on the Board of TP]

Two recent posts from EFF directly related to the topic of the blog post above:

https://www.eff.org/deeplinks/2016/09/digital-equivalent-rumor-should-n…
A Digital Rumor Should Never Lead to a Police Raid
Law Enforcement, Courts Need to Better Understand IP Addresses, Stop Misuse
Aaron Mackey
22 Sep 2016

> If police raided a home based only on an anonymous phone call claiming residents broke the law, it would be clearly unconstitutional. Yet EFF has found that police and courts are regularly conducting and approving raids based on the similar type of unreliable digital evidence: Internet Protocol (IP) address information.

https://www.eff.org/deeplinks/2016/09/playpen-story-some-fourth-amendme…
The Playpen Story: Some Fourth Amendment Basics and Law Enforcement Hacking
Mark Rumold
21 Sep 2016

> It’s an old legal adage: bad facts make bad law. And the bad facts present in the Playpen prosecutions—the alleged possession and distribution of child porn, coupled with technology unfamiliar to many judges—have resulted in a number of troubling decisions concerning the Fourth Amendment’s protections in the digital age.

It is important for US citizens to bear in mind that FBI routinely exploits the complicated structure of US "law enforcement" [sic] to evade restrictions on surveillance by "technical means". Several recent posts from ACLU on the topic of federal, state, county, and local LEA surveillance inside the USA:

https://www.aclu.org/report/community-control-over-police-surveillance-…
Community Control Over Police Surveillance: Technology 101

> The proliferation in local police departments’ use of surveillance technology, which in most places has occurred without any community input or control, presents significant threats to civil rights and civil liberties that disproportionately impact communities of color and low-income communities. The nationwide “Community Control Over Police Surveillance” effort is looking to change that through legislation mandating that local communities are given a meaningful opportunity to review and participate in all decisions about if and how surveillance technologies are acquired and used locally. Here is a list of costly and invasive surveillance technologies that might be recording you, your family, and your neighbors right now.

The white paper is here:

https://www.aclu.org/sites/default/files/field_document/tc2-technology1…
Technology 101

Among surveillance modalities not mentioned in the paper but currently under development:

o identification [sic] by "microbiome": yet another scientifically unvalidated forensic scheme in which a supposed "signature" from what bacteria are present on skin or in gut can be used to identify "suspects"; yes, you read that right, police want to start searching your home's sewer lines.

o forcible interrogation while hooked up to the next generation of fMRI scanners (current scanners won't work right if a prisoner wriggles about); LEAs are even screaming for "stand-off" brain-wave scanners.

Both of these are mentioned in the recent PCAST white paper which shows that almost all of the so-called "forensic science" techniques beloved by FBI and other LEAs have never been scientifically validated, and even worse, most have been scientifically *invalidated*. FBI and DOJ have already announced they intend to ignore the report and to continue to use invalid "forensic science" methods. American tax dollars at work.

https://www.aclu.org/blog/speak-freely/let-there-be-light-cities-across…
Let There Be Light: Cities Across America Are Pushing Back Against Secret Surveillance by Police
Chad Marlow, Advocacy and Policy Counsel, ACLU
21 Sep 2016

> Think about how it feels when you are driving down a road, look in your rearview mirror, and notice a police car driving directly behind you. You tense up. You slow down. You try not to drift too much in your lane as you drive. One false move and those red flashing lights will switch on. Only after the police car drives past can you finally relax and exhale. As internationally renowned security technologist Bruce Schneier observed in his book "Data and Goliath," this is what surveillance feels like. But for many Americans who live in communities that are disproportionately targeted by police surveillance technologies, that feeling never goes away.

https://www.aclu.org/blog/free-future/police-use-social-media-surveilla…
Police Use of Social Media Surveillance Software is Escalating, and Activists are in the Digital Crosshairs
Nicole Ozer, Technology & Civil Liberties Policy Director, ACLU of Northern California
22 Sep 2016

> It goes without saying that speaking out against police violence or government overreach shouldn’t land you in a surveillance database. But it can, and it does. The ACLU of California has received thousands of pages of public records revealing that law enforcement agencies across the state are secretly acquiring social media spying software that can sweep activists into a web of digital surveillance.