The incident came to light last week after the indictment of two Russians on charges of breaking into the networks of banks, Internet service providers and other companies. While the charges were somewhat routine, the methods the FBI used to nab the pair were novel and potentially worrisome, said security experts.
According to court documents filed in the case, the FBI and Department of Justice lured two suspected Russian hackers to Seattle with job offers at a fictitious security company. After monitoring the duo's connection to two servers in Russia, the FBI used the suspects' passwords to download incriminating data from those servers.
The tactic is likely to be challenged in court; if it is deemed lawful, the precedent could allow law enforcement and intelligence communities free rein to hack foreign computers. In addition, such a ruling could provide a legal loophole for other countries to break into U.S.-based computers in search of data that could aid their own investigations.
"It's extremely dangerous just to throw the door open--it will be a free-for-all," said Jennifer Granick, clinical director for the Stanford University Center for Internet and Society. "It won't just be individuals (hacking each other). It will be corporate espionage."
Although U.S. officials downplay the incident, some legal experts fear that this first publicly acknowledged government "hack" could spark a rash of indiscriminate, international hacking by individuals, foreign governments and corporations.
In this case, the FBI was determined to obtain the Russian-based information before it could be deleted.
On Nov. 10, FBI agents and officials from the Department of Justice nabbed two suspected Russian hackers after luring the duo to the United States with employment offers for a mythical security company, Invita.
Details of the case became public after the suspects were indicted early in April.
Welcome to Invita!
According to court filings, this is how the sting went down:
FBI agents requested that the two suspects--20-year-old Alexey Ivanov and 25-year-old Vasiliy Gorshkov--crack the security on "Invita's own computers."
During the hack, the FBI agents monitored the duo's activities with a "sniffer"--a program designed to trap all keystrokes made on a computer. When the suspects allegedly downloaded hacking tools from two servers in Russia using their usernames and passwords, the sniffer collected the tools needed to access the accounts.
Typically, U.S. law enforcement would wait on their counterparts in Russia to search the servers. Yet, while the United States has more than 25 mutual legal assistance treaties to aid law enforcement in capturing data in other countries, Russia has signed an agreement to help the U.S. in investigating only some crimes--and computer crimes are not among them.
Nevertheless, the Department of Justice did request assistance from Russian authorities, but without answer. After several unsuccessful attempts to get Russian authorities to cooperate, the FBI--with the help of a security expert--used the usernames and passwords to access the two servers.
Once in, investigators browsed through the directories on both servers and selected, then compressed, a large number of files. The agents then downloaded the 1.3GB file to their own computers.
Before they began to sift for evidence, the FBI did obtain a search warrant to look at the files.
Thought to be the first public acknowledgement of U.S. hacking-for-access, the tactics have set off alarm bells among cyber-savvy lawyers.
If a judge rules in favor of the FBI, the precedent will be clear, said Matthew Yarbrough, head of the Cyberlaw Section for Dallas-based law firm Fish & Richardson: The United States can pursue investigations of data in other countries, widening the boundaries of the investigation to cyberspace.
Yet, while the United States can hack servers in other countries, those countries could also return the favor, he said.
"Whenever you deal with international criminal problems, you have to be careful, because the rule is: Whatever we do to them, they can do to us," said Yarbrough, a former Department of Justice cybercrime prosecutor. "I don't think we want KGB agents--or whatever organization handles law enforcement now--to be hacking our servers to get evidence for their cases."
A hack attack?
A federal prosecutor involved in the case defended the FBI's actions.
"I wouldn't call it hacking," said Stephen Schroeder, assistant U.S. attorney for the Western District of Washington in Seattle and the lead prosecutor in the case against Gorshkov. "The implications of hacking go far beyond what we did."
However, the law enforcement community commonly uses "hacking" to describe the illegal activity of breaking into a computer, usually with some degree of skill. While little skill is needed to type in usernames and passwords, the Computer Fraud and Abuse Act of 1986 treats the unauthorized access of computers as the same crime as breaking into a computer without using passwords.
In most cases, law enforcement officers are exempted from any sort of prosecution under the act if the questionable activity has been authorized as part of their investigation. Furthermore, the FBI can violate the law--similar to their ability to break the speed limit--and still have any resulting evidence be admissible in court.
Yet, the key question among attorneys is whether such a waiver exists for so-called remote cross-border searches of computer data. One thing is certain: Not having to gain permission from the country in which a server resides speeds the process, said Schroeder.
"Normally, to get evidence we go through diplomatic channels, in writing, with pretty seals, and then it percolates down to law enforcement," he said. "Six months later we get our evidence."
In this case, he said, six months would have been too late. Indeed, six days after Ivanov and Gorshkov were arrested, someone changed one of Ivanov's passwords, according to the court papers.
War on hacking
"I don't think the basic thing--that they broke in--is debatable," said Stanford's Granick. "The ramifications? Now, they are debatable."
Currently, Gorshkov's lawyer, Kenneth Kanev, is attempting to block any use of the data from the Russian servers based on privacy and Fourth Amendment violations. However, because Ivanov and Gorshkov are not United States citizens and the data was kept in another country, some legal experts say it's likely the data will be admissible in court.
When reached at his office, Kanev refused to comment on the case.
In fact, a case from the United States' War on Drugs seems to support the search of a server in a foreign country. In 1986, Mexican police picked up the suspected leader of a narcotics ring and delivered him to the Mexico-United States border, where he was arrested by U.S. officials. Agents of the Drug Enforcement Agency and Mexican officials later searched the suspect's homes in Mexico without a warrant.
The U.S. Supreme Court ruled four years later that a search of a non-U.S. citizen's foreign residence is legal, and no search warrant is necessary.
That decision could influence a ruling in this case, but that may not be the only fallout. By deeming such actions legal, the United States could kick off a spate of similar cross-border hacking, said Patricia Bellia, assistant professor of law at Notre Dame University and a former Justice Department attorney.
"I do think that (countries) are going to continue to have an urge to get evidence like this," she said. "They are getting frustrated with their inability to get evidence."
And while U.S. law may deem the agents' actions legal, international law--the expectations of treatment that exist between countries--will, without a doubt, condemn them, she added.
"If Russia did this to us, we would object diplomatically," she said. The Embassy of Russia in Washington, D.C., would not comment on the case, nor on whether the country intended to lodge an international complaint against the United States for a violation of its sovereignty.
In a paper studying the legal ramifications of remote cross-border searches, Bellia concludes that current mutual legal assistance treaties and the Cybercrime Convention being drafted by the Council of Europe won't add much clarity to the issue. Both require that countries promise to aid foreign law enforcement in searching for evidence that may reside on servers in their territory.
However, arranging for such searches takes weeks or, more often, months. Neither allows law enforcement to react fast enough to prevent data from being deleted.
Still, without an immediate solution, constraint should be the rule, said Bellia.
"If we can do it, then everybody else can do it to us--that's a very disturbing notion," she said. "The United States is the repository of so much data; it is very dangerous to go down that road."