Newly published court filings shed light on the magnitude of the FBI's mass hacking campaign related to the high-profile child pornography Playpen case. The bureau hacked into computers across 120 countries and obtained 8,000 IP addresses, with a single warrant, according to transcripts from a recent hearing in a related case.
The revelations come as the US government gears up for major changes to mass hacking authorisation policies, which would allow magistrate judges to grant law authorities permission to mass hack computers located in any part of the world. Current laws under America's Rule 41 prohibit such authorisations, but expansion of the law, expected to come into effect on 1 December, may arm agencies such as the FBI with additional hacking powers.
"We have never, in our nation's history as far as I can tell, seen a warrant so utterly sweeping," federal public defender Colin Fieman, legal representative of several defendants in the affected cases, said in a hearing at the end of October, according to the transcript.
Earlier in the year, documents related to the Playpen case revealed that the FBI had hacked into over 1,000 computers, by deploying its malware called NIT (network investigative technique), with just one warrant. It was later uncovered that the FBI also hacked into computers in countries including Australia, Austria, Chile, Colombia, Denmark, Greece, and likely the UK, Turkey, and Norway. New court filings also reveal that the FBI hacked into a "satellite provider".
"The fact that a single magistrate judge could authorise the FBI to hack 8,000 people in 120 countries is truly terrifying," Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU) told Motherboard.
Rule 41 changes and impact
Privacy activists and cybersecurity experts have in the past, raised concerns about the anticipated changes to Rule 41. However, The US Department of Justice (DOJ) recently published a blog post justifying the necessity for further expansion and changes to Rule 41.
"We believe technology should not create a lawless zone merely because a procedural rule has not kept up with the times," wrote Assistant Attorney General Leslie R Caldwell of the Criminal Division.
Once the changes come into effect, magistrate judges will be authorised to grant comprehensive warrants, such as the one used by the FBI in the Playpen case.
Ahmed Ghappour, visiting assistant professor at UC Hastings College of Law, and author of the paper "Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web", said the changes to the law will "give rank and file law enforcement officers way too much discretion to conduct hacking techniques within and outside the United States".
Soghoian added: "With the changes to Rule 41, this is probably the new normal. We should expect to see future operations of this scale conducted not just by the FBI, but by other federal, state and local law enforcement agencies, and we should expect to see foreign law enforcement agencies hacking individuals in the United States, too."