The NIT Warrant
- October 20, 2017
- Clayton Rice, Q.C.
Privacy International is a non-profit, non-governmental organization established in 1990 and based in London. It defends the right to privacy and has litigated or intervened in cases implicating the right to privacy in the courts of the United Kingdom, the United States and Europe including the European Court of Human Rights.
On October 20, 2017, Privacy International filed an amicus curiae brief in US v Tippens, pending in the United States Court of Appeals, Ninth Circuit, Case No. 17-30117. The appeal raises the extraterritorial reach of a warrant issued as part of a child pornography investigation in the United States that authorized the use of government malware targeting over 8,000 users in 120 countries, including a satellite provider. (See: e.g., Cyrus Farivar. One warrant used to target thousands of child porn suspects in 120 countries. Ars Technica. November 23, 2016; and, Cyrus Farivar. To keep Tor hack source code secret, DOJ dismisses child porn case. Ars Technica. March 5, 2017)
1. What is NIT?
Network Investigative Technique (NIT) is a form of malware or hacking. Generally, malware refers to software that is intended to damage a computer system or to take partial control of its operation. NIT has been described as a “drive-by download” program designed to provide access to a computer. Its use raises Fourth Amendment implications in the United States, Charter of Rights implications in Canada, and domestic and international jurisdiction issues. It goes to the heart of the Internet that I have discussed in previous posts to On The Wire. The Internet is international – and domestic laws based solely on geographical location make less sense in the digital world.
In March 2017 the American Civil Liberties Union, the Electronic Frontier Foundation and the National Association of Criminal Defense Lawyers published a guide to enable meaningful legal analysis. The 188-page report contains key legal arguments, grounded in the Fourth Amendment and US federal law, for defence attorneys to challenge evidence seized by government-installed computer malware. (See: Challenging Government Hacking In Criminal Cases. ACLU, EFF, NACDL (2017); and, Cyrus Farivar. To fight Tor hack prosecutions, activist groups offer up legal help. Ars Technica. March 30, 2017)
2. How does it work?
The Privacy International amicus brief begins with this observation, at p. 2: “The ‘network investigative technique’ (“NIT”) used by the government in this case is a novel, sophisticated and awesome power. In particular, it possesses the capability to search and seize data from connected devices located anywhere in the world.” The NIT comprises multiple processes involving the use of distinct components. These processes render the NIT a technique to (a) send an exploit to devices in bulk, (b) deploy the exploit to compromise the security of those devices, and (c) run a payload to perform actions on the devices. I will give you the following summary condensed from the brief without the citations.
- An exploit takes advantage of a security vulnerability – i.e., weakness or flaw – in a computer system or application. A physical world analogy to an exploit might be a trick to unlock a hotel safe unknown to the user such as by entering an override code. (p. 5)
- An exploit permits a payload to run by taking advantage of a security vulnerability in a computer system or application. The exploit opens a window in the owner’s house, believed to be locked but which can be removed from the frame, and lets in the payload. Payloads are sometimes characterized as malware. A malware’s payload is directly tied into the purpose behind the malware. Extending the hotel safe analogy above, the exploit could be a method for unlocking the safe while the payload could be any action taken once the safe is unlocked including copying or stealing its contents. (pp. 6-7)
- The first step of the NIT is to send an exploit to all devices visiting a targeted site; in this case a site called Playpen. In the normal course of operations, websites send content to visitors and a user’s computer downloads that content and uses it to display web pages. During the Tippens investigation, the FBI modified the code on the Playpen site itself so that when visitors requested content from the site, the content was augmented with additional computer instructions. A regular person just clicking around is not going to know there has been a new special code added to the web site. What the government described as “additional computer instructions” were instructions to send an exploit. The mode of delivery was bulk by nature as every visitor to the targeted website would receive the exploit. The bulk nature of this technique is why it is commonly called a “watering hole attack”. (pp. 6-7)
- Once the exploit has been sent to a device, it takes advantage of a vulnerability in the Tor Browser program. In narrow terms, the exploit operated to evade the security protections of the Tor Browser, which normally prevent websites from determining certain identifying information of visitors. More broadly, however, by circumventing the security protections of the Tor Browser, the exploit compromised the security of the devices themselves. (p. 10)
- Once the exploit has compromised the security of a device, the NIT runs a payload. Here, the payload was designed in part to locate certain information on the device to assist in identifying the user’s computer, its location and the user. The payload was further designed to copy and transmit that information from the device to the government. (p. 11)
3. Invalid Warrant
The amicus brief asserts that the NIT warrant was invalid because it authorized extraterritorial searches and seizures. This submission is set out, at pp. 15-6:
“The territorial constraints on the exercise of enforcement jurisdiction apply to remote searches and seizures of devices located abroad. As a general matter, the principle of ‘State sovereignty and international norms and principles that flow from sovereignty apply to the conduct by States of [information and communications technology]-related activities and to their jurisdiction over ICT infrastructure within their territory’…This principle is specifically applied to law enforcement in the digital context in the Council of Europe’s Convention on Cybercrime, which was ratified by the U.S. in 2006…Convention drafters, in considering digital searches and seizures, came to ‘the common understanding…that investigative activity of law enforcement authorities of a State Party in international communication networks or in computer systems located in the territory of another state may amount to a violation of territorial sovereignty of the state concerned, and therefore cannot be undertaken without prior consent of that state.’”
The brief also highlights the risks associated with remote searches and seizures because digital incidents are ambiguous and opaque to public view, at p. 23:
“The government’s deployment of the NIT poses particular risks. If the FBI were to conduct a physical search or seizure abroad, the nature of the extraterritorial action would be clear from the outset. But in the digital realm, ‘incidents will probably involve a publicly ambiguous set of facts’ because ‘malicious computer code or action in cyberspace…are opaque to public view, technically very complex and likely to emerge piecemeal.’ As a result, other states may mischaracterize the NIT and similar techniques. Was the purpose of the hack to conduct surveillance, steal information, or interfere with political institutions? It may also be difficult to identify the actor behind the hack. Was it another state, hackers affiliated with that state, or a group of criminals? These uncertainties can potentially heighten the risk of diplomatic conflict.”
According to Professor Orin Kerr of George Washington University Law School there are a large number of cases that are “effectively identical” making their way to the appellate courts. In another amicus brief filed on October 20, 2017, the ACLU of Washington stated, at p. 2, that the NIT technique has been used in approximately 140 other criminal prosecutions. (See e.g. Tim Cushing. Judge Says FBI’s NIT Warrant Invalid, Points Out FBI Agent Knew It Was Invalid When He Requested It. TechDirt. April 7, 2017)