Should you care if the FBI is spying on your browser history?
The battle over “browser spying” and “mass hacking” by law enforcement.
Does it matter if law enforcement gets a peek at what you’re searching online?
Privacy advocates say yes. They’re fighting to keep the FBI from getting more access to your browser history, plus stop what they call “mass hacking” by law enforcement.
Senator Ron Wyden (D-Ore.) launched another volley in the battle today at the BSides PDX information security conference in Portland, Oregon.
“I just hope that we can get the word out across America that this is a proposal to get access to people’s browsing history without any judicial oversight at all,” he told the crowd.
What you search
Your searches for the latest iPhone on Amazon or new cat GIFs may seem uninteresting.
But your browser history may show much more about you, information you might now want made public.
“The reality is that getting access to people’s web browsing history is almost like spying on their thoughts,” wrote Wyden and Sen. Martin Heinrich (D-N.M.) in Slate.
“Given what web browsing history can reveal, there is little information that could be more intimate,” they said. “If you know that a person is visiting the website of a mental health professional, or a substance-abuse support group, or a particular political organization, or a particular dating site, you know a tremendous amount of private and personal information about him or her.”
Without a warrant
This year, some senators have pushed to change laws so the FBI can use a tool called a Nation Security Letter to get Internet records like browser histories without a warrant.
Currently, the law allows the FBI to use National Security Letters only for phone records, according to Reuters.
FBI Director James Comey said that changing the scope of the National Security Letters is his top legislative priority this year, the Washington Post reported.
Not getting the data “affects our work in a very, very big and practical way,” he testified at a congressional committee hearing in February, according to the article.
Wyden said he helped stop the changes on National Security Letters laws this summer, but declared that the issue will rear its head again soon.
“In the next 90 days, there are going to be big decisions in my view,” Wyden said.
One of them, he said, is “whether the FBI is going to be able to get access to your browsing history without anything resembling court oversight.”
Another big decision coming soon, according to Wyden, will be on the “mass hacking” issue.
The U.S. Supreme Court has adopted a change to the little-known Rule 41 of the Federal Rules of Criminal Procedure.
The change would let law enforcement go to just one judge in one district to get a warrant to get inside computers located across the country.
Without the change, investigators would have to go to each jurisdiction—94 in all—to try to get warrants for computers used in a cross-country criminal enterprise, according to the Justice Department.
“Absent the amendments, the requirement to obtain up to 94 simultaneous search warrants may prevent investigators from taking needed action to liberate computers infected with malware,” Assistant Attorney General Leslie R. Caldwell of the Justice Department said in a post.
Rule 41 is part of the Federal Rules of Criminal Procedure as seen on the Cornell University Law School website.
Too much reach?
But Wyden said the rule change goes too far.
“The government is asking for the power to hack millions of Americans with one warrant from one judge—to find one criminal hacker,” Wyden said in Portland Friday.
It would be a “vast expansion” of government hacking, according to Wyden and two co-authors in an opinion piece in WIRED.
“Under a new set of rules, the FBI would have the authority to secretly use malware to hack into thousands or hundreds of thousands of computers that belong to innocent third parties and even crime victims,” they wrote. “The unintended consequences could be staggering.”
The Rue 41 change is set to become the law of the land on December 1, unless someone intervenes.
“If Congress does nothing, a new policy will take effect in less than two months that will make it easier than ever for the FBI to infiltrate, monitor, copy data from, inject malware into, and otherwise damage computers remotely,” wrote David Maass of the Electronic Frontier Foundation.
Privacy groups have launched a No Global Warrants campaign and petition to stop the changes to Rule 41.
Wyden and other senators from both sides of the aisle have introduced a bill called the “Stopping Mass Hacking Act” to prevent the Rule 41 amendment from going into effect.
Homepage of the No Global Warrants website, which encourages people to sign a petition against the Rule 41 change.
But supporters of the change say it’s needed, as criminals increase their use of technology.
Some examples, from the DOJ’s Caldwell: cases of child sexual exploitation, where the criminals may be hiding the location of their computers, or cases where a ‘botnet’ of hacked computers is holding thousands of other computers hostage.
Without a Rule 41 change, it’s legal chaos, said Susan Hennessy, a Brookings Fellow in National Security Law and former attorney at the National Security Agency.
“Let’s be entirely clear on this point: Without Rule 41 changes, investigators will be effectively banned from conducting the operations that can identify the physical locations of many individuals within the United States who consume and distribute child pornography and in many cases offer (from the safety of their masked IP address) detailed confessions on ongoing ‘hands on’ offenses against minor victims,” Hennessy wrote in Lawfare.
No “mass hacking”
Supporters say the change will not lead to the “mass hacking” that some opponents describe.
“This change would not permit indiscriminate surveillance of thousands of victim computers—that is against the law now and it would continue to be prohibited if the amendment goes into effect,” Caldwell said.
“These changes would ensure a court-supervised framework through which law enforcement can successfully investigate and prosecute these instances of cybercrime,” she added.
Less of both?
Congress will give law enforcement emergency powers when needed, Wyden said. But he believes law enforcement has been moving in the wrong direction over the past decade.
“Intelligence and law enforcement officials have chosen approaches that sweep up info from millions of innocent Americans instead of targeting terrorists and criminals,” Wyden said. “Those approaches are what has to end.”
Before the end of the year, you may see the battle heat up over these and other security issues.
“Americans are concerned about their security and concerned about their liberty. And we’re getting polices that are essentially offering less of both,” Wyden said at the information security conference.
He received applause, and at the end of his speech, a standing ovation.