UK-based activist group Privacy International has highlighted the international ramifications mass hacking operations.
In February 2015, the FBI embarked on the largest known law enforcement hacking operation to date, targeting over 8,000 computers in 120 countries. Lawyers in the US have challenged the legality of the underlying warrant, arguing that the judge had no authority to greenlight searches outside of her district.
Now, activist and legal group Privacy International has filed a brief in a related case, pushing back against the global nature of the FBI's operation. As Privacy International notes, 83 percent of the computer infections were outside of the United States.
"Well-established international law prohibits the government from undertaking law enforcement functions in other countries, without those countries' consent, which the government did not seek here," the amicus brief signed by Privacy International's General Counsel Caroline Wilson Palow reads.
Specifically this case concerns the FBI's investigation into a dark web child pornography site called Playpen. When the FBI seized the site in 2015, instead of shutting it down the agency kept Playpen running for 13 days. During this time, the FBI deployed a network investigative technique (NIT)—a piece of malware—in an attempt to identify visitors to the site. This NIT relied on a "non-public" vulnerability for the Tor Browser, and grabbed a target's IP address, MAC address, and other basic system information.
The FBI ended up hacking over 8,000 computers across the world, including over 1,000 in the US. Although much attention has been paid to affected cases in the US, there has been relatively little focus on the international legal ramifications. (Motherboard reported the FBI hacked computers in Australia, Austria, Chile, Colombia, Denmark, Greece, and likely the UK, Turkey and Norway too.)
In its brief, Privacy International argues that much of the same concerns around affected cases in the US extends to those outside of the country—that at the time of the Playpen operation, Rule 41, which governs when judges can authorize searches, did not allow for searches outside of the judge's own district.
The group adds that these sort of international hacking operations, in which computers are targeted without the host country's permission, pose foreign relation risks. Such a move could lead to diplomatic conflict, or the possibility of breaking local laws. The brief points to a 2002 case, in which Russia's Federal Security Service (FSB) filed criminal charges against an FBI agent for remotely accessing and copying data from a Russian server. (Ahmed Ghappour, visiting assistant professor at UC Hastings College of Law, has made related arguments in a recent paper).
"How will other countries react to the FBI hacking in their jurisdictions without prior consent? Would the U.S. welcome hacking operations on a similar scale carried out on U.S. residents by other countries? Is the FBI violating the laws of foreign jurisdictions by hacking devices located in them?" Scarlet Kim, legal officer at Privacy International wrote in a statement.
However, things have shifted since the Playpen investigation. In December 2016, changes around remote searches came into effect. Today, US magistrate judges can sign global hacking warrants.