Over the years, we haven’t shied away from highlighting the threat to our privacy that our hyper-connected world poses.
Whether it’s Big Brother spying on your smartphone, Google treating your personal data as its own, or Apple proposing a plan to automatically scan your iPhone or iPad for child pornography, both Uncle Sam and Big Tech have a limitless appetite for your personal data. And despite efforts by some companies to limit data collection, there are few effective limits on how you’re tracked online.
What’s more, it’s perfectly legal for federal investigators to hack your smartphone, network, or smart device. We were reminded of that fact last Wednesday, when the FBI announced it had removed malicious software planted by Russian hackers from thousands of routers and firewall appliances in recent weeks.
At first glance, that might appear to be good news. After all, who wants software that could be converted into a cyberweapon on their network, smartphone, or PC? Or potentially be used as ransomware?
It was only when we read the details of how the FBI accomplished this task that we began to question the implications of its success. The media accounts of the “malware” takedown state that with “secret court orders,” the FBI penetrated domestic corporate networks to remove it, in some cases without the company’s knowledge.
Let that sink in for a moment. A federal court approved having the FBI hack into corporate computer networks, in some cases without the company’s knowledge or approval. And that action raises a question we haven’t seen anyone else asking: under what circumstances can the FBI or other government agencies hack your smartphone, PC, or network to perform some action, presumably for the “common good”?
We’ll start with the “secret court orders,” which are no longer secret since redacted versions of both orders have now been published. The orders were granted pursuant to an affidavit by an FBI Special Agent whose name has been redacted.
The affidavit describes the FBI’s efforts to investigate computer intrusions made by a group known as “Sandworm,” allegedly composed of members of Russian military intelligence. They request permission for the FBI to electronically connect to the malware in the compromised devices, retrieve data from it, remove it, and block remote access to the devices unless their owners request that such access be restored.
In both cases, the FBI acted under Section 41(b)(1) of the Federal Rules of Criminal Procedure (FRCP), which authorizes a federal magistrate “to issue a warrant to search for and seize a person or property” within the district in which the judge has jurisdiction.
Remarkably, Section 41(b)(1) is not the most far-reaching procedural rule giving Big Brother the authority to hack into computers. Even more expansive hacking authority came into effect in 2016, when the Supreme Court approved a new rule in the FRCP: Section 41(b)(6). This rule gives a magistrate judge the authority to issue a warrant:
…to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if:
(A) the district where the media or information is located has been concealed through technological means; or
(B) in an investigation of a violation of 18 USC §1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts (emphasis added).
The Code section referred to in the new rule pertains to “Fraud and related activity in connection with computers.” And it presents a real danger. The “technological means” the rule mentions refers to virtual private networks (VPNs), which allow users to hide their locations.
VPNs also provide two other crucial advantages, since they:
Prevent your ISP from seeing which sites you’re visiting.
Prevent a hacker from snooping on the same Wi-Fi network you’re using to capture sensitive data, such as logon details to financial accounts.
Thus, as we pointed out six years ago, before the new rule took effect:
If you don’t use a VPN, it’s open season for hackers on your PC or smartphone. And if you do use a VPN, it’s open season for the FBI.
That may sound like hyperbole, but it’s hardly an exaggeration. Indeed, after the Supreme Court approved the new rules, a bill called the Stopping Mass Hacking Act was introduced in the Senate, although it didn’t pass. One of its sponsors, Senator Rand Paul (R.-Kentucky), wrote of the revisions to Rule 41:
The Fourth Amendment wisely rejected general warrants and requires individualized suspicion before the government can forcibly search private information. I fear this rule change will make it easier for the government to search innocent Americans’ computers and undermine the requirement for individual suspicion.
An article from the University of Richmond School of Law gave us further details of how the new rules could be misused:
Rule 41, governing searches and seizures, now permits magistrate judges to authorize agents—under a single warrant—to “remotely access,” and simultaneously search, copy, and seize information from an infinite number of unknown electronic devices in multiple districts anywhere in the country. The unlimited jurisdiction provision is triggered when a device’s location is obscured through “technological means,” or if agents are investigating computer crimes in five or more districts—regardless of whether the locations of the innumerable search targets are known.
So yes, we suppose that the FBI’s announcement that it didn’t use the most expansive authority of Rule 41 to prevent the Russian military from carrying out cyberattacks is good news. But that success only emphasizes the fact that when it comes to Uncle Sam, it’s open season on internet privacy.
But all hope is not lost. Even if Rule 41 gives Big Brother carte blanche to rummage through your PC, network, or smart device, a VPN can make it much more difficult for them to do so. And even if government investigators manage to penetrate your VPN, if it’s properly configured, it can be extraordinarily effective at protecting your privacy from anyone else.
For instance, if you’ve made negative comments or product reviews online that may be regarded as derogatory, the target of those comments or reviews may want to sue you for libel. To do so, they’ll issue a subpoena to your ISP ordering it to verify your identity based on the IP address that posted the content they found objectionable. But if you used a VPN when you were writing those comments or reviews, the would-be plaintiff won’t even know which ISP to subpoena, because an analysis of the connection to the website where you wrote it will reveal only the connection to your VPN.
Similarly, police may take interest in your internet browsing habits and serve your ISP with a warrant demanding disclosure of the websites you’ve visited. But if you use a VPN, your ISP won’t be able to track this data, even if it’s ordered to do so.
The VPN we use here at Nestmann is ExpressVPN. There are others worth considering, but we’ve made the decision to deploy ExpressVPN company-wide.
Finally, as we’ve reminded readers many times, maintaining internet privacy is something you have to do for yourself. Big Tech and Big Brother won’t do it for you.