Hacker News: csoghoian's comments

The successor to Do Not Track is the Global Privacy Control, which companies are required to respect in several states, including California and Colorado. Support for GPC is already built into Firefox and Brave, but must be enabled in the privacy settings. Users of other browsers can get the benefits of the GPC opt-out using third party extensions like EFF's Privacy Badger.

See: https://globalprivacycontrol.org/


The Open Technology Fund provides free security audits for open source projects.

Apply here: https://apply.opentech.fund/red-team-lab/


This seems very similar to (or perhaps even worse than) the fact pattern in the HTC/Carrier IQ case. https://www.ftc.gov/news-events/blogs/business-blog/2013/02/...

Did you provide the Federal Trade Commission with an advance copy of your report, or just DHS? If not, why not?


We did work with DHS and notify all the parties ahead of the press release. We also remember Carrier IQ! We have a comparison table here: http://www.kryptowire.com/adups_security_analysis.html


So you didn't tell the Federal Trade Commission, even though they previously investigated (and punished) HTC for doing something similar?


Curious, do security researchers typically liaise with the FTC when vulnerabilities are discovered? This and your parent comment seem to imply a 'yes' but this doesn't seem like an obvious connection (to me at least). I would expect the first point of contact at DHS to flag this for other agencies' attention if they felt it was necessary. Should DHS feel territorial about this and be reluctant to contact outside agencies that's on them, not the researcher.

I wonder if many security researchers know to routinely shop their findings to multiple agencies independently. It doesn't seem like this is common knowledge.


DHS is a law enforcement agency, which regularly uses surveillance techniques, some of which exploit security flaws in devices and software. When you share information about security flaws with DHS, you're sharing them with ICE and the Secret Service.

The FTC, in contrast, is a consumer protection agency. They don't kick down doors and they don't arrest people.

And yes, many security researchers have shared their prepublication research with the FTC.


The FBI has been using malware since at least 2003 [1], probably a few years before that. Today, the FBI has a dedicated team, the Remote Operations Unit, based out of Quantico, which does nothing but hack into the computers and mobile phones of targets. According to one former top FBI official, among the team's many technical capabilities is the ability to remotely enable a webcam without the indicator light turning on [2].

Although DOJ has been using malware for nearly fifteen years, it never sought a formal expansion of legal authority from Congress. There has never been a Congressional hearing, nor do DOJ/FBI officials ever talk explicitly about this capability.

The Rule 41 proposal before this advisory committee was the first ever opportunity for civil society groups, including my employer, the ACLU, to weigh in. We, along with several other groups, submitted comments and testified in person.

Our comments can be seen here [3,4]. Incidentally, it was while doing the research for our second comment that I discovered that the FBI had impersonated the Associated Press as part of a malware operation in 2007 [5].

Ultimately, the committee voted to approve the change to the rules requested by DOJ. In doing so, the committee dismissed the criticism from the civil society groups, by saying that we misunderstood the role of the committee, that the committee was not being asked to weigh in on the legality of the use of hacking by law enforcement, and that "[m]uch of the opposition [to the proposed rule change] reflected a misunderstanding of the scope of the proposal...The proposal addresses venue; it does not itself create authority for electronic searches or alter applicable statutory or constitutional requirements."

[1] http://www.nytimes.com/2016/04/14/technology/fbi-tried-to-de...

[2] https://www.washingtonpost.com/business/technology/2013/12/0...

[3] https://www.aclu.org/sites/default/files/assets/aclu_comment...

[4] https://www.aclu.org/files/assets/aclu_comment_on_remote_acc...

[5] http://bigstory.ap.org/article/23f882720e564b918d83abb18cd5d...


Thanks for writing this comment. It's deeply informative and useful.

Two things I want to call out, one minor and one more significant. The significant one first:

Your employer, in the response you linked to, wrote approvingly of Orin Kerr's proposed alternative language, which would enable the same sort of remote "hacking" with the new precondition that it be allowed only when it's impossible for the courts to ascertain the right district.

If ACLU is OK with that narrower language, is it safe to say that you disagree with your employer? Because your arguments strongly implicate Kerr's proposed language as well. Put simply: you appear to favor broad restrictions on DOJ's ability to coercively collect electronic evidence regardless of whether courts authorize it.

The minor objection I have to your comment is the link to WaPo about the FBI being able to record video from laptop cameras without lighting the LED. That's an unsourced anonymous claim that, by my reading, can't possibly be accurate as stated, since different laptops have different mechanisms and it is vanishingly unlikely that the FBI has defeated all of them. I'm prepared to be wrong about this, but expect that I'm not, and would like to know if you can provide any more evidence backing that extraordinary WaPo claim up.


1. My employer, the ACLU, filed two comments in the Rule 41 process.

The first, before public comments were even solicited, resulted in DOJ dropping one of their proposed changes to rule 41, which would have permitted the gov to piggyback from a hacked target's computer to a cloud account (such as Dropbox or Google), rather than the gov going to the cloud provider with a warrant.

While our first comment does indeed describe and quote from some alternative language proposed by Orin Kerr, I don't think it is fair to describe that as evidence of ACLU approval of hacking of users whose location cannot be determined. For example, in that comment, we note that:

[U]nder Professor Kerr’s language, the government would still be able to obtain warrants to use malware, zero-day exploits, and other techniques that raise serious constitutional and policy questions.

2. While some public interest groups and tech policy advocates are publicly (or, in some cases, privately) embracing the idea of giving law enforcement formal, regulated hacking powers, in a desperate attempt to push back against legislative pressure for crypto backdoors, I'm thankful that the ACLU has not done so. If the organization does at some point decide to come out in favor of law enforcement hacking, I strongly doubt my name will be on that document.

[I'll note, however, that one of the great perks that come with working for the ACLU is that it's perfectly OK to disagree with some of the organization's official policy positions. I'm not forced to toe the company line publicly on issues in which I disagree.]

3. Just so all of my cards are on the table. I'm volunteering, unpaid, as an expert for the defense in several of the Playpen FBI watering hole cases. I am strongly opposed to bulk hacking, enough so to volunteer my time to helping to fight the FBI's use of this outrageous surveillance technique.

4. The FBI being able to remotely activate webcams without the light turning on is not an "unsourced anonymous claim".

From the Washington Post story, linked to in my comment above:

The FBI has been able to covertly activate a computer’s camera — without triggering the light that lets users know it is recording — for several years, and has used that technique mainly in terrorism cases or the most serious criminal investigations, said Marcus Thomas, former assistant director of the FBI’s Operational Technology Division in Quantico.


I'll ask again. Is it your belief that the claim in this article, that the FBI can defeat the LED indicator on every popular laptop camera, accurately describes reality?


I think that some webcam indicator lights are vulnerable to remote disabling. Although it is certainly possible that some are not, I and most other users have no way of knowing which lights are reliable, and which ones are vulnerable.

As such, I put a Band-Aid over my webcam.

Now if only I could figure out an equally easy way to reliably disable my laptop microphone without opening up the laptop and cutting the cable.


On most (if not all) laptop webcams the light is not controlled by hardware, but by the operating system.

It is trivial to create software to not turn on the light.

The light is not considered by manufacturers to be a security feature, or something to warn a user that someone other than the user is using the webcam; it is simply there to inform the user when their cam is active using normal "friendly" software. It is a convenience feature, not a security feature.

Many commercial management and security software packages sold to schools, corporations, and individuals have the ability to turn on the webcam without illuminating the light; this is often billed as a "theft prevention" feature.

Several schools have gotten in trouble for using this feature to spy on students using school-owned laptops.

In short, they do not have to "defeat all of the laptops"; they just have to write a program for Windows and get 99% of them. The capability is already in the OS; the harder part is installing it without the user knowing, and hiding the process from the user... Disabling the LED is trivial.


This statement isn't even really true of the old iSight cameras; they were attackable, but only by overwriting the firmware on the camera itself.

Is disabling the LED on a modern MacBook trivial? I'm genuinely asking. If so, can you provide a link demonstrating how? The ability to override the LED on the old iSight cameras was interesting enough that the paper demonstrating it got published at USENIX.


I was not aware that Apple was the only manufacturer of computers.... or webcams.

I personally have never and will never own an Apple product, so I cannot say what is true or not true in the Apple space. I speak to the 90% of other computers running Windows operating systems.


Do we perhaps have different definitions of "most if not all"?


By laptops I mean PC, not Mac...

Macs are better left to the history books.


Ok, can you point me to a paper describing an LED bypass attack on a Dell produced within the last 2 years?


This isn't just about the district where the judge is based. There is also the bigger question of whether or not judges should be authorizing bulk hacking operations.

The three Tor watering hole operations (Freedom Hosting, Torpedo and Playpen) are the only cases we know of where DOJ has obtained a warrant from a single judge which it then used to conduct searches on hundreds or thousands of computers. DOJ did not seek new powers to conduct bulk searches/hacks from Congress, they just went ahead and got an ex-parte warrant from a judge. In the case of Freedom Hosting, it looks like they also screwed up and then hacked the computers of innocent people visiting other, non-contraband sites, hosted on the same server.

I think that reasonable people can disagree about whether or not it makes sense to allow a judge to sign a warrant to hack a single computer in an unknown location which is probably outside of his or her district. Bulk hacks are very, very different, and a very new thing for our legal system.


I'm much less sanguine about bulk hacking than I am about targeted hacking, and so I'm sympathetic to this argument.

However, I'm compelled to point out that the courts routinely order searches on parties that turn out to be uninvolved with a case, or even to the wrong people already. The standard of accuracy here is much lower than you make it out to be.


I've researched this issue extensively, and I've not found a case before where a thousand people in the same place were searched pursuant to a single search warrant, let alone a thousand people or items located in different places around the country.

On the issue of courts authorizing the searching of wrong people, we don't know if the court in Freedom Hosting even knew that the government would deliver the malware to innocent people who were merely visiting other websites hosted from the same server as the contraband sites targeted by the warrant. We don't know this, because three years later, the Freedom Hosting search warrant is still sealed.


That fact should be alarming, and you should find that offensive...

If the courts are routinely signing search warrants on parties that are not involved in cases or criminal activity, that highlights how much of a rubber stamp the warrant process has become, and how little "probable cause" means any more.

Probable cause has become "Judge we want to search this place".


Why should I have a problem with "judge we want to search this place?"

The point of a search warrant isn't to establish guilt! It's merely to ensure that the search is connected to a legitimate investigation --- and legitimate dragnet investigations are common! --- and not as an instrument of harassment.


>>legitimate dragnet investigations are common

They should not be, that is my point.

The purpose of the 4th Amendment is to require the police to have a probable reason that a crime has been committed, AND to define what EXACTLY they are looking for, and where EXACTLY they are looking for it at.

The fact that judges can sign warrants for all computers in the nation, or entire city blocks, should be considered unconstitutional.

That is a General Warrant, something the Founders were very very very very much opposed to.

> not as an instrument of harassment.

General Warrants, which is what is being talked about here, are in fact an instrument of harassment.

Rubber-stamping warrants without any actual probable cause is also an instrument of harassment.

If you believe having your door busted down by armed men at 3am because you tossed the loose leaf tea in the trash bin is not harassment, then I shudder to think what your definition would be.


Does the bulk hacking have anything to do with these Rule 41 changes? Sounds like a judge could issue a warrant for a thousand computers under the existing rules.

The real issue seems to be what evidence you need to have probable cause to search a thousand computers. I'm willing to believe the standard being applied is too low, but the Rule 41 changes don't change that standard one way or the other.


Pay an award booking service to find you the best flights possible. There are several out there, and they know a lot more than you about how to find obscure flights/routing. It's worth the $150.


Actually, weev neither wrote the script nor ran it. Those were done by his codefendant.

Weev took the data provided to him by his codefendant and gave it to Gawker.


The Federal Trade Commission is an independent agency. They don't take orders from the President.

(I know, because I worked there for a year)



You say "Redphone? Whisper? and various other projects - while very cool - didn't achieve even as much popularity as GnuPG"

The Axolotl protocol that was created for Whisper Systems' TextSecure is now used, by default, by CyanogenMod (10 million users) and the Android version of WhatsApp (more than 500 million installs from the Play Store).

I'd say Moxie's tech has been pretty widely adopted.


When can I have a compatible FOSS desktop client? I don't do 100% of my communications from my phone, and I never will.


If you can't do it on desktop, you can't do it at all. Mainly because some of us have real work to do.

If the only "usable" implementation is on a hard-to-physically-secure mobile device that uses a tonne of different uncontrolled network access points a day -- that's not really an option now, is it?


I feel you're missing Open Whisper Systems' target audience. If you've seen how regular people use computers, their phone is the most secure device a normal person owns. Not the most secure if you're worried about targeted attack, but the best place to put a dent in cheap dragnet surveillance :)


You won’t have that until someone takes the time to produce such a client.


It's like saying Notepad is popular because it's installed with Windows.


Even if you ignore WhatsApp and CyanogenMod, you have 500,000 - 1,000,000 TextSecure installs according to the Play Store. That is an order of magnitude more than the GPG estimate of 50,000. In less than 20 years.

