Judge rejects FBI's bid to hack computer of suspect in attempted cyberheist
Warrant request too broad, fails to meet 4th amendment standards
A federal court in Houston has rejected an FBI request for a warrant to hack into the computer of a suspect in an attempted cyberheist.
In, a sometimes testy, 13-page ruling earlier this week, U.S. Magistrate Judge Stephen Smith of the U.S. District Court for the Southern District of Texas characterized the government's request as overly intrusive and infringing on Fourth Amendment protections against unreasonable search.
The FBI in March sought a warrant to search a computer situated at a location unknown to them and belonging to an unknown suspect. In its request, the FBI sought a warrant that would allow investigators to surreptitiously install software capable of extracting information from the target computer, identify its location and also take photos of those who used the system.
The computer in question belonged to a suspect who had attempted to steal money from the online bank account of a Texas resident. An investigation showed that the IP address of the computer used in the attack was from a foreign country. Both the location of the computer and the identity of its owner are unknown.
The FBI's application for a search warrant sought permission to install the spying software on the target computer to collect information and to monitor activity on the computer over a 30-day period.
In its application, the FBI described its software as capable of searching through the computer's hard drive, memory and storage. The software would secretly activate the computer's built-in camera, take video and photos of people using it, generate latitude and longitude coordinates of its location and send all the information back to the investigators, the FBI said in its warrant application.
The specific information that the FBI was seeking from the target computer included records of IP addresses used, records of browsing activity, firewall logs, caches, cookies, bookmarks and terms entered into search engines. The FBI said that it would also use the software to try and identify the computer's owner and the individual who used it at the time of the attempted cyberheist.
Video and still images captured through the surreptitious use of the computer's built-in camera would be used to identify the suspect and also his or her location, the FBI application said
The magistrate judge rejected the application for several reasons.
The search for which the FBI is seeking authorization involves both a search for the computer and of the computer, Smith noted in his ruling. Neither of the searches would take place within the territorial jurisdiction of the court, he said. "Contrary to the current metaphor used by Internet Service Providers, digital information is not actually stored in the clouds; it resides on a computer or some other form of electronic media that has a physical location," he wrote.
The FBI's search will not take place in the "airy nothing of cyberspace" but rather in a physical space in specific location. Since the government does not know where the computer is located, its warrant request does not meet the territorial limits rule of the statute under which the warrant is being sought, Smith said.
The government's warrant request also offers few specifics on how it would search for the target computer and ensure that only the suspect or suspects in the attempted cyberheist would be monitored, he said. Those involved in cybercrime often spoof IP addresses, so it is possible the target computer belongs to an innocent victim.
Similarly, the computer used by the suspect, could also be used by others who were not involved in any illicit activity, the judge said. "What if the target computer is located in a public library, an Internet caf or a workplace accessible to others?"
The judge also rejected the FBI's assertion that investigators would use the built-in camera only to do "photo monitoring" of the suspect as opposed to video surveillance. It's a distinction without a difference, the judge maintained.
"In between snapping photographs, the government will have real time access to the camera's video feed. That amounts to video surveillance."
The government failed to show what other methods it might use or why it needs to resort to video surveillance to track down the suspect, the judge said. There is nothing in the warrant to show how the government will avoid monitoring innocent users or collecting data about them from the target computer. As a result the government has failed to meet Fourth Amendment standards for video surveillance, he said.
This article, Judge rejects FBI's bid to hack computer of suspect in attempted cyberheist, was originally published at Computerworld.com.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.