Law enforcement often don't know where a suspect is located before they deploy malware, opening up a whole load of possible ramifications.
As crime continues to proliferate on the so-called dark web, law enforcement agencies are sometimes having to work outside of their jurisdiction. When a suspected criminal acts on the dark web, authorities are unlikely to know where in the world he or she is physically located. So if they then attempt to take action, they might be inadvertently carrying out an operation that crosses borders.
One researcher argues in a working paper that this raises serious concerns around national sovereignty, and could even lead to retaliation from affected countries or prosecution of investigators.
"Basically, it's like playing Russian Roulette with cross-border cyber operations," Ahmed Ghappour, visiting assistant professor at UC Hastings College of Law and author of the paper "Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web," told Motherboard in a phone call.
In response to dark web-related crime, law enforcement agencies have moved to more non-traditional means of identifying suspects, in some cases directly hacking criminals' computers to circumvent the protections given by the Tor anonymity network.
But, because it's largely impossible to know where a target computer is located before it's been hacked, the FBI and other bodies are sometimes breaking into computers overseas, without explicit consent of the host country. "At bottom, no country has consented to us hacking them, or hacking their citizens, in the same way that we haven't consented to another country to hack us," Ghappour said.
In a recent case, the FBI used a network investigative technique (NIT)—the agency's euphemism for a hacking tool—to identify visitors of child pornography site Playpen. When users clicked on specific forum threads, the NIT would grab their IP and MAC address, as well as other technical information about their system, and send it all to a US government facility.
One problem, in Ghappour's eyes, is that "rank and file" investigators are often left with the discretion to carry out operations that involve hacking computers abroad.
"They simply lack the information and competence to make decisions that are broader than the immediate needs of a criminal investigation," Ghappour added. This is not to say that FBI agents don't know what they're doing, technologically speaking, but that the ramifications could go beyond their own work. (Usually data sharing agreements, such as Mutual Legal Assistance Treaties (MLATs), which allow law enforcement to request data from overseas, are negotiated by the State Department and implemented by the Department of Justice's Office of International Affairs.)
Ghappour suggests possible ramifications from overseas hacking could include the prosecution of investigators for violating domestic laws of affected countries; he points to a 2002 case where Russia's Federal Security Service (FSB) filed charges against the FBI for remotely siphoning data from servers in Chelyabinsk. Ghappour writes that affected countries may also take counter-measures against the US, and that operations may result in diplomatic fallout.
"I think there's a significant risk," he said. "Some of these cyber operations might be landing in countries that we're in conflict with; that introduces a whole new set of problems."
He is also concerned that this sort of activity could establish norms, and allow other countries to hack suspects in the US without consent. Having US law enforcement take these steps "doesn't put us in a good place to be doing this, or in a defensible position," Ghappour said. "If anything, this practice only normalizes other nations doing it to us," he added.
Indeed, in December 2014, an unnamed foreign law enforcement agency hacked a visitor of another child porn site. That user, it turned out, was in the US.
At the moment, public documents indicate that the majority of the information collected by the FBI's NITs, such as in the case of Playpen, is fairly limited, consisting mostly of IP addresses and other technical information. But as more invasive techniques are used, these risks will likely increase.
"If I was to actually control your computer to do something, like surveil you for a month, that also becomes a very questionable practice," Ghappour added.
In his paper, Ghappour lays out a set of possible solutions, such as explicitly limiting the types of crimes these tools can be used to combat or the sort of information they can collect, and shifting oversight of the operations to bodies of government such as the US Attorney General. Rather than waiting for a really problematic case to come up, perhaps it would be better to consider these solutions now.
"Nobody denies that the concepts of territoriality and sovereignty are changing in cyberspace. The question is, who should take the lead in that charge?" Ghappour asked. "Should it be led by the immediate needs of criminal investigation, or should be driven by diplomacy and higher echelons of government?"