This post was co-authored by CDT summer intern Ian Williams.
Viewers of HBO’s Game of Thrones will be familiar with the Army of the Dead, a horde of undead wights who are on a collision course with the land of the living. Yet many viewers are likely unaware that their own personal computers may be part of another army of zombies, under the sway not of dark magic, but instead of malicious programs that allow hackers to connect a large number of individual computers and other networked devices (including smartphones, medical devices, and even security cameras) into a single network called a botnet.
In recent years the Department of Justice and the FBI have cast themselves in the role of Jon Snow, raising an army of government and private actors to take down botnets and the hackers behind them. While the government has used current legal tools against botnets, a new bill seeks to expand the government’s authority to disrupt botnets. The question is, how far will the government go with these new powers? As with the recent change to the Federal Rules of Criminal Procedure that would allow law enforcement to hack the victims of botnets, the proposal would give the DOJ and FBI the ability to access infected computers and potentially “clean” malware without the knowledge or consent of the owner. This raises hard questions, both for cybersecurity and civil liberties.
There is no question that botnets, and other cyber-crimes, are enormously costly. In 2014, the FBI estimated that the worldwide damage done by botnets up to that point had been nearly $110 billion. Like the Night King on Game of Thrones, hackers (sometimes called botmasters) can raise armies of zombie computers and then collect their users’ personal and financial data or use them as weapons against other computer systems in a distributed denial-of-service (DDoS) attack.
In the past, the Department of Justice and the FBI have used injunctions (legally enforceable court orders compelling a party to do something or stop doing something) and temporary restraining orders to seize the servers used to manage them. Now, however, they claim current law is insufficient because it only permits them to seek court orders against botnets in cases involving certain types of active fraud and illegal wiretapping.
The Botnet Prevention Act
Senators Whitehouse (D-RI), Graham (R-SC), and Blumenthal (D-CT) introduced the Botnet Prevention Act in May, which (among other things) amends the portion of federal law (18 U.S.C. § 1345) that authorizes these injunctions. The bill would expand § 1345 by adding violations of a section of the Computer Fraud and Abuse Act (“CFAA”) that covers botnets (and more) to the list of offenses that trigger the DOJ’s ability to get an injunction.
More specifically, it would allow injunctions in all violations or attempted violations of subsection (a)(5) of the CFAA that result or could result in damage to 100 or more computers in a year, including any case involving the “impair[ment of] the availability or integrity of the protected computers without authorization,” or the “install[ation] or mainten[ance of] control over malicious software on the protected computers” that “caused or would cause damage” to the protected computers.
Under the CFAA, a “protected computer” includes any computer involved in interstate or foreign communication and commerce, a definition that has come to include any device connected to the internet (since almost anything you do online involves at least some interstate communication).
Given the legitimate danger posed by botnets, the casual observer might see this bill as a great idea. The DOJ claims it needs this expanded authority to protect citizens from having their computers appropriated for illicit means. On closer inspection, however, the devil (err…zombie?) really is in the details.
Buried deep within § 1345(b) is a single phrase that could open up a number of thorny issues when this injunctive authority is applied to botnets. The section not only allows the government to obtain a restraining order that stops someone from doing something nefarious, but also an order that directs someone to “take such other action, as is warranted to prevent a continuing and substantial injury . . . .” Just what does “such other action” mean in the context of botnets? The answer is no one really knows, the legislation doesn’t say, and that’s a problem.
Is government just closing an open, insecure door?
One example of the government using its current powers “in the wild” occurred in 2011. Using existing authority under § 1345(b), the DOJ and FBI shut down a botnet named “Coreflood.” Coreflood collected personal and financial information from infected computers, which was then used to steal funds. To shut Coreflood down, the government obtained a restraining order to first seize the servers that ran the botnet and then hook up a substitute server that sent signals to infected computers ordering them to stop running the Coreflood software.
The Graham-Whitehouse bill would authorize the government to engage in shutdowns like Coreflood in a much wider array of cases. Again, at first blush, this may seem non-controversial. And, with informed consent by the user, and legal recourse for users whose data or systems are harmed by the shutdown, some concerns may be ameliorated. But there are still difficult questions that arise when the government seeks to remotely remove malware from zombie computers with, or without, the permission of the computer’s owner.
The first issue is legal. The court hearing the Coreflood case accepted the government’s argument that the “community caretaker” doctrine allowed the transmission of the shutdown order, as the action was “totally divorced from the detection, investigation, or acquisition of evidence relating to the violation of a criminal statute.” At the time, the government likened its actions to a police officer who, while responding to a break-in, finds the door to a house open or ajar and then closes it to secure the premises.
But, when applied to the digital realm, the government’s hypothetical breaks down. In order to scrub private computers for malware, the government would, by necessity, have to search the computer and its contents for the malware. Once the door is ajar, rather than closing it, the police would actually “walk in” to the computer. And anything they find in “plain view” can be used as evidence of a crime. Nothing in the current version of the bill would prevent such a search or collection, giving the government the potential means to search countless computers of victims of the botnet (not the perpetrators) without a warrant. Put another way, the proper analogy isn’t closing an open door; it’s opening that door to search the house for a broken window.
Additionally, the “community caretaker” doctrine is itself controversial. A relative of the “exigent circumstances” exception to the Fourth Amendment’s warrant requirement, the doctrine has been used expansively in the past to permit warrantless searches for criminal evidence. There is also an open question as to whether the doctrine applies solely to automobiles, or can be extended to homes. The Coreflood case aside, to broadly stretch the doctrine to apply to remote computer searches would be a radical and unprecedented move.
Is notice sufficient?
The second issue is whether this expanded authority would authorize “cleaning” operations without prior notice to the victim. In the Coreflood case, after first identifying as many victims as possible, the FBI, to its credit, sought their written permission to remove the software from their computer by transmitting an uninstall order via a substitute server. Notice is key to limiting any collateral damage from a shutdown.
Notice in the case of botnet victims, however, is difficult. As CDT noted in its comments on the Rule 41 change mentioned above, potentially as many as a third of computers in the United States are infected with some form of malware. And, botnets are extremely hard to clean up, especially when you depend on victims to voluntarily submit their computers for cleaning. Given this reality, unless notice is required by statute, law enforcement would have an incentive to dispense with notice in the much wider array of shutdowns permitted under the Graham-Whitehouse bill.
Scammers could take advantage of cybersecurity notices
Even with notice and informed consent, shutdown operations still raise practical cybersecurity concerns. That is, were shutdowns to become commonplace, one could see a world where scammers use shutdown notices to actually propagate a botnet. Cyber criminals could, for instance, use phishing attacks involving official-looking emails to trick victims into giving them access to their computers.
Likewise, while corporations and individuals with the means and knowledge to do so may choose to remove malware on their own, or may be able to assess the risks of a government shutdown, what happens to small businesses and individuals lacking in technical savvy? When presented with a notice from the FBI, will they even stop to consider the dangers of allowing the government to remove software from their computer? Under the Graham-Whitehouse bill, these small businesses and individuals would have no recourse were a shutdown operation to damage their systems or data. They would be unable to sue the government (because of something called sovereign immunity) and their service provider would likewise be exempt from suit under the law.
Additionally, if the government becomes more zealous in its takedowns of botnets, it runs the risk of sparking a digital arms race. Botnet creators would begin to hide programs deeper within an infected system or add dangerous “dead man triggers” that damage or destroy data on infected computers if the program detects an effort to remove the malware, or if the command-and-control server fails to communicate with the computer in a certain amount of time.
These practical cybersecurity concerns are not hypothetical. In the past, attempts to deal with malware distribution unilaterally have led to collateral damage. In 2014, in an attempt to take control of subdomains used to distribute and control malware, Microsoft secured a temporary restraining order and rendered 1.8 million websites and devices unreachable by their owners. While the sites and devices were eventually returned to their owners’ control, No-IP, the hosting company involved, insisted the entire situation could have been more easily resolved if Microsoft had enlisted their help, rather than going directly to court and unilaterally taking control of the subdomains. All of the owners of these websites suffered damage because they were unreachable for a period of time, yet none were compensated.
In the same case, Microsoft’s takedown also interfered with the work of security researchers who were trying to better understand the botnet in question. It is not hard to imagine similar situations occurring were the government to begin broadly cleaning infected systems without permission or coordination with the research community. Such disruptions could prove to be a major setback to important security research that mitigates the risk of botnets generally.
Also, with particularly sensitive systems and devices like hospital networks and medical equipment becoming frequent targets of malicious hacking, what happens if the government attempts to clean a device (such as an infusion pump controlling a patient’s medication) without permission? What if a botnet has infested a computer controlling some key piece of infrastructure? As the universe of connected devices grows, the potential not only for infection by botnets, but for collateral damage from attempts to clean them up, grows as well.
The Fourth Amendment and government access to personal computers
As with the government’s invocation of the community caretaker doctrine, botnet shutdowns implicate the Fourth Amendment, and the basic American value of the right to be left alone absent some suspicion of wrongdoing. Some have argued that such an action would not violate the Fourth Amendment, provided no information is returned to law enforcement. This would require restraint and careful action on the part of government agencies, and considering the recent and continuing debate over FBI access to personal data, there are plenty of reasons for companies and private individuals to be wary of allowing government agents into their computers, even with notice and permission. Indeed, the FBI takes the position that once it has obtained access to data lawfully, it can access the data in criminal investigations without such access constituting a Fourth Amendment “search” triggering the need for a search warrant.
Additionally, even when its motives are pure, the government still cannot sidestep the Fourth Amendment when it comes to your physical property. Federal agents are not allowed to search a file cabinet in your home or a personal diary on your nightstand without a warrant approved by a judge. Why should the contents of your computer be any different? Our computers (and tablets, smartphones, etc.) have become the central repositories of our personal lives. They hold our memories, our secrets, and often the thoughts we would never share with others. To violate the sanctity of that privacy without a warrant runs counter to all ideals of individual privacy and the ability to decide what is personal and what is public.
Other ways forward
There are options short of wholesale cleaning operations. Some have suggested the establishment of a public-private partnership to warn individuals when their system is infected, an idea that has been implemented with some success in Japan. Another potential solution can be seen in Finland, which encourages security professionals to zealously protect their networks and requires ISPs to educate their subscribers on how to protect themselves.
Before a law enforcement agency like the FBI is given vast new authority to break into computers of innocent users to combat cybersecurity threats, it is important that civilian solutions like these be considered, given their success abroad.
As it stands today, the Botnet Prevention Act has yet to be considered in the Senate, and has not been introduced in the House. That means there is plenty of time for sorely needed discussion and debate around more protective approaches to botnet takedowns.
Unlike Game of Thrones’ undead villains, there are no special swords or obsidian daggers with which to slay botnets and their shuffling hordes of zombie computers. Instead of a dramatic battle, we have to have a conversation, one that includes government, civil society, security researchers, and technology companies. While not nearly as cinematic, it is only through careful discussion, compromise, and cooperation that we will be able to slay the monsters beyond the (fire)wall.