Houston magistrate Judge Stephen Smith rejected a rather vague Rule 41 search and seizure warrant application this week, and you should probably care about it.
As Judge Smith explained it, “the Government seeks a warrant to hack a computer suspected of criminal use.” As Slate describes it, the FBI wanted “to install a spy Trojan on a computer in an unknown location … to covertly infiltrate the computer and take photographs of its user through his or her webcam. The plan also included recording Internet activity, user location, email contents, chat messaging logs, photographs, documents, and passwords.”
The scoundrel that the FBI is trying to snare gained unauthorized access to a Texas John Doe's email account earlier this year, and used Doe's email address to access his local bank account. After Doe learned of the breach, and tried to secure his email account, another email account that was nearly identical to his was used to attempt a sizable wire transfer from Doe's bank account to a foreign bank account.
That's when the feds asked the judge to let them use spyware to catch the bad guy.
According to Judge Smith's order, the requested warrant targeted "a computer allegedly used to violate federal bank fraud, identity theft, and computer security laws. Unknown persons are said to have committed these crimes using a particular email account via an unknown computer at an unknown location. The search would be accomplished by surreptitiously installing software designed not only to extract certain stored electronic records but also to generate user photographs and location information over a 30-day period."
Judge Smith denied the Bureau's request, citing concerns that the targeted computer could be located anywhere in the world. (A magistrate judge only has authority to issue warrants that cover his assigned district.)
But the real concern here isn't jurisdiction, it's the kind of access FBI spyware could have if there wasn't a jurisdictional limitation. Slate notes:
Back in 2007, the bureau was revealed to be using a spyware that could infect computers and gather IP addresses, the last visited website address, and a range of other metadata. But the spy Trojan disclosed in the Houston documents is far more advanced, capable of copying content and turning a person's webcam effectively into a surveillance camera.
So the feds lost this round, but are there circumstances under which the FBI could get a warrant to use this type of spyware to collect evidence against a suspect? If the government is allowed to access this type of information, the future does not look promising for tech-savvy criminals.