Underground markets on the Dark Web, like the now defunct Silk Road, offer a great deal of anonymity to those managing the illegal commerce sites. The reason: Evidence residing on cloud-based marketplace platforms is difficult at best to locate, and retrieving it might entail hacking servers located in foreign countries.
To shutter illegitimate cloud-based marketplaces that are affecting American citizens, US law-enforcement agencies often use Network Investigative Techniques (NIT), otherwise known as sanctioned hacking.
Put simply, hacking becomes sanctioned when law-enforcement agencies obtain search warrants. “Currently there are two types of warrants used for criminal searches,” writes Special Agent John M. Cauthen in an October 2014 FBI blog post. “The first is the traditional search warrant under FED. R. EVID. P. 41, which covers a search of a particular location. The second is the search warrant under 18. U. S. C. §2703 where the court may issue a warrant for records held by cloud providers.”
Cauthen offers as an example an investigation in which search warrants for data on a computer in the US unearthed a direct link to a server in a foreign country. FBI agents downloaded incriminating data from that server, and the courts ruled the data could be introduced in court.
However, Cauthen cautions, “Investigators should be aware that executing an international search without permission of the host country could cause other problems.”
Cauthen may be referring to United States v. Gorshkov (PDF), where authorities in a foreign country charged a US investigator with hacking, and requested the investigator be extradited for trial. US authorities have not complied. It does not take much to see where this sort of activity could escalate into an international incident.
SEE: Digital forensics: The smart person’s guide (TechRepublic)
The practical reality
“The practical reality of the underlying technologies makes it inevitable that foreign-located computers will be subject to remote searches and seizures,” writes Ahmed Ghappour, visiting assistant professor at the University of California’s Hastings College of the Law, in his March 2016 research paper Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web. “The result may well be the greatest extraterritorial expansion of enforcement jurisdiction in U.S. law-enforcement history.”
Ghappour feels the expanded reach of US law-enforcement agencies into foreign countries needs to be regulated so government-sanctioned hacking does not have a negative impact on US foreign relations and/or national security. “Rather than wait for political fallout as a precondition for government intervention, a more forward-looking approach would re-allocate decision-making to institutions better suited to identify and balance foreign relations risks against the law enforcement benefits of using cross-border NITs,” suggests Ghappour.
SEE: Special report: Cyberwar and the future of cybersecurity (free ebook) (TechRepublic)
How to proceed
To get started, Ghappour believes the following regulatory questions need to be addressed by the powers that be:
- What policy preferences should be set (using direct and indirect government intervention) to mitigate the immediate risks caused by the failure of the existing rules?
- Which institutions should set these preferences, and calibrate them within a complex and unpredictable global cybersecurity landscape?
- How should the policy preferences be implemented and enforced, considering the comparative institutional failures of the existing system?
In Ghappour’s opinion, the Executive Branch is best suited to assume responsibility and provide policy for sanctioned hacking, ensuring that it is predictable, objectively applied, democratically legitimate, and in the public’s best interest. To make his case, Ghappour writes, “Executive agencies such as the Department of Justice arguably have superior systematic access to information and expertise on both foreign relations and technology–whether through its own subject matter experts or access to other executive agencies that specialize in foreign policy, intelligence gathering, and technology capabilities.”
SEE: Cybersecurity in President Trump’s America: The first 100 days (TechRepublic)
Not mincing words, Ghappour mentions Congress and the Justice System are slow and non-uniform in their decision making. “While the courts can examine changing issues on a case-by-case basis, their system of precedent and jurisdictional limitation slows the generation of decision rules that have a uniform national application,” he explains. “For its part, Congress hasn’t passed a comprehensive electronic surveillance law in over 30 years, and is ‘notoriously sluggish’ when it comes to enacting surveillance statutes.”
Next, Ghappour suggests it is paramount to review and answer the following questions every time a foreign intervention is being planned:
- What hacking techniques should be authorized?
- Who should be targeted?
- What crimes should trigger use of hacking techniques?
In conclusion, Ghappour does not consider his voice to be the only one raising concerns about overreach by US law-enforcement agencies in their quest to squelch digital crime, mentioning that the Rule 41 Subcommittee has received more than 50 written comments since its inception in 2014, adding, “The extraterritorial aspect of law enforcement hacking operations has drawn sharp public criticism by a wide array of commentators, academics, civil liberties organizations, and technology corporations.”
All countries, including the US, claim sovereignty over physical borders, and it works. The trick, it seems, will be applying autonomy to digital borders.