The FBI hacked into more than 8,000 computers in 120 countries during an investigation into a child pornography website with just one warrant, a court hearing transcript has shown. It represents the largest known law enforcement hacking campaign to date.
The hacking centers around an FBI investigation in February 2015, in which the bureau seized the Playpen child pornography website and ran it from a government server for 13 days. It used a piece of malware known as a network investigative technique (NIT) to break into the computer of anyone who visited certain child pornography threads on the website. It then sent the suspects’ IP addresses back to the FBI.
Over the past year, Motherboard has found that the FBI hacked computers in Australia, Austria, Chile, Colombia, Denmark, Greece, and likely the UK, Turkey, and Norway during the investigation.
However, the new transcript from a related case shows that the bureau’s campaign was far larger than previously believed, and that the FBI actually hacked into more than 8,000 computers in 120 different countries.
“The fact that a single magistrate judge could authorize the FBI to hack 8,000 people in 120 countries is truly terrifying,” Christopher Soghoian, a principal technologist at the American Civil Liberties Union (ACLU) who has testified for the defense in Playpen cases, told Motherboard.
The hacking campaign is believed to be the largest ever to be conducted by law enforcement officials.
“We have never, in our nation’s history as far as I can tell, seen a warrant so utterly sweeping,” federal public defender Colin Fieman said in a hearing at the end of October, according to the transcript. The attorney is representing several defendants connected to the child pornography investigation.
It appears, however, that the magistrate judge did not actually have jurisdiction to issue such a sweeping warrant. According to a filing from the Department of Justice, 14 court decisions have found that the warrant granted by Judge Theresa C. Buchanan in the Eastern District of Virginia was not properly issued under Rule 41 of the Federal Rules of Criminal Procedure, which determines how search warrants can be authorized.
Courts in four cases have decided to throw out all evidence obtained by malware in the operation due to the violation.
Despite the hurdles being faced by the FBI in the Playpen investigation, the bureau could soon have undisputed freedom when it comes to using single warrants to conduct similar probes. Changes to Rule 41 are likely to take effect on December 1, meaning judges will be given more power to issue warrants exactly as Judge Buchanan did.
Many have expressed concern that the changes will give law enforcement too much power to hack internet users both inside and outside the US, with Soghoian saying the technique is “probably the new normal.”
“We should expect to see future operations of this scale conducted not just by the FBI, but by other federal, state and local law enforcement agencies, and we should expect to see foreign law enforcement agencies hacking individuals in the United States, too,” he added.
The Department of Justice defended the changes to Rule 41 in a Monday blog post.
“We believe technology should not create a lawless zone merely because a procedural rule has not kept up with the times,” Assistant Attorney General Leslie R. Caldwell of the Criminal Division wrote in the post.
Although such mass hacking techniques are believed to have so far been limited to child pornography investigations, critics are concerned US authorities will use the changes to Rule 41 to expand the practice to other crimes.