FBI Says Why Get a Warrant When You Have Kash

Tom Uren
Friday, March 27, 2026, 8:00 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.
Assorted collection of surveillance cameras (Lianhao Qu, https://tinyurl.com/3tfn4dre; UnSplash License)

FBI Says Why Get a Warrant When You Have Kash

In a Senate hearing last week, FBI director Kash Patel said the bureau is buying data that can be used to track Americans. The risk that the federal government could abuse purchased data was previously theoretical but now feels more immediate. Lawmakers should act to protect Americans' civil liberties.

When asked specifically about buying location data, Patel said the bureau purchases information "that's consistent with the Constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us."

We have seen U.S. local law enforcement agencies using this kind of data to track people, but this is new for the FBI. In 2023, the bureau's director at the time, Christopher Wray, said it had once used commercial location data in a national security pilot program but had no further plans to use it.

We've written about this kind of data before, and how useful it can be for tracking, identifying, and even harassing people, so if the FBI didn't get valuable intelligence from it, we'd question the agency's competence.

Commercially available information is at least as valuable as cell phone location data. It can be derived from many different sources and can be used to build a person's pattern of life. The government needs a warrant to get cell phone location data from telecommunications companies, but buying data to surveil people is fine. No need to bother a magistrate.

During last week's hearing, Senate Intelligence Committee Chair Tom Cotton (R-Ark.) defended the FBI's use of commercially available location data, saying that "if any other person can buy it, and the FBI can buy it, and it helps them locate a depraved child molester or savage cartel leader, I would certainly hope the FBI is doing anything it can to keep Americans safe."

However, the government already recognizes that this data comes with risks. In 2024, President Biden took steps to mitigate national security risks and issued an executive order to limit the sale of bulk sensitive personal data to America's adversaries. At the time, a White House official said, "Bad actors can use this data to track Americans including military service members, pry into their personal lives, and pass that data on to other data brokers and foreign intelligence services. This data can enable intrusive surveillance, scams, blackmail, and other violations of privacy."

Government agencies do sometimes need intrusive powers, but these shouldn't be granted unconditionally. It's a balancing act. The more intrusive the power, the more it should come with checks and balances such as, say, strong oversight and requiring warrants.

When it comes to foreign intelligence agencies and commercially available location data, good policy coupled with robust oversight would strike the right balance. Documented policies would allow lawmakers to see why the data is being used, and how Americans' rights are being protected. An oversight body would then reassure Congress that the policy was being implemented properly.

The FBI's focus, however, is domestic, and it also has coercive powers that it can use on Americans. So when it comes to taking advantage of purchased data, a different balance needs to be struck. Since this information can be as intrusive as cell phone data, it should have the same warrant requirements.

It's entirely possible that the FBI is using this data in a reasonable and proportionate way and is not infringing on Americans' civil liberties. But how would Congress know? Director Patel did not expand on how the bureau was using the data or on how it was protecting the rights of Americans. And the Trump administration does not appear all that invested in strong independent oversight.

There is already a bipartisan bill, the Government Surveillance Reform Act, that aims to address this. Among other things, it would require the federal government to get a warrant to buy sensitive data about Americans. This is particularly important for the agencies that have coercive domestic powers: With great power comes great paperwork.

MARA: Make American Routers … Again?

This week, the Federal Communications Commission (FCC) effectively banned the import of new consumer router models produced outside the U.S. At first glance, this looks like a security initiative, but at its core it’s more an attempt to reshore consumer router manufacturing.

Routers already approved by the FCC can continue to be sold, but new models must receive a Conditional Approval exemption from the departments of Defense or Homeland Security before the FCC will authorize them for use in the U.S.

In its fact sheet, the FCC cited an interagency determination that foreign-made consumer routers "pose unacceptable risks to the national security of the United States or the safety and security of United States persons."

The determination notes that Chinese state-sponsored telecommunications hacking group Salt Typhoon compromises routers; the Cybersecurity and Infrastructure Security Agency has referred to edge devices, like routers, as the "attack-vector of choice"; and botnets are often created from compromised foreign-produced routers.

It's not wrong in the sense that cheap, poorly secured routers are a point of vulnerability. But from a security perspective, focusing on where the device is made is more than a bit weird.

The underlying problem here is that consumers and internet service providers want cheap, fast, and reliable routers rather than necessarily secure ones. Without changing the incentives for manufacturers, it doesn't really matter where they are made. You'll still get vulnerable products.

Unfortunately, it doesn't seem likely that the process spelled out by the FCC will result in more secure routers, just ones that are built in the good ol' U.S. of A.

To apply for a Conditional Approval to import new consumer routers into the country, companies will have to provide certain information. This includes details about corporate structure including foreign government ownership, where the router is made and components are sourced from, and, here is the kicker, "a detailed, time-bound plan to establish or expand manufacturing in the United States."

Entirely missing is any need to provide a detailed, time-bound plan to make devices more secure.

Ensuring a reliable and sovereign supply chain is one element of holistically securing consumer-grade routers, but it is not what we'd call low-hanging fruit. We'd have started with efforts to encourage manufacturers to adopt secure-by-design practices and implement the National Institute of Standards and Technology's advice. Quick wins could be had by assessing router security and linking tariff levels to results, so poor security results in higher tariffs. That would improve product security quick smart.

As it is, moving the production of consumer routers to America won't make them more secure, just more expensive.

Trump Cyber Strategy: Help Us Pummel Our Adversaries

The Trump administration's approach to harnessing the U.S. private sector is becoming clear. Rather than unleashing firms to be pirates, it wants them to be the government's eyes and ears in cyberspace.

Last week, at an event at Auburn University's McCrary Institute, National Cyber Director Sean Cairncross spoke of "the ability of our private sector to illuminate the battlefield from what they're seeing, to inform and share information so that the [U.S. government] can respond to get ahead of things."

So … just another information-sharing public-private partnership then?

The history of cybersecurity policy is littered with moderately successful public-private partnerships where the incentives of both parties did not quite align. For many of those initiatives, companies hoped that the government would share secrets that they could use to protect themselves. In reality, however, protecting the private sector from hackers is not a top intelligence priority for the government, and sharing is tricky because of classification issues.

The new approach doesn't quite match the rhetoric of the recently released Trump Cyber Strategy, which spoke of "unleash[ing] the private sector by creating incentives to identify and disrupt adversary networks."

But even with the private sector relegated to a supporting role, we are optimistic. There is the potential for better alignment because the government wants to punish bad actors with information and support from the private sector. Capability and intent are better aligned.

We expect good things.

Three Reasons to Be Cheerful This Week:

  1. Four distributed denial-of-service botnets disrupted: The U.S. Department of Justice announced that an international effort disrupted the Internet of Things botnets Aisuru, Kimwolf, JackSkid, and Mossad. The effort involved authorities from Canada and Germany, who targeted individuals operating the botnets, and court-authorized domain seizures that were carried out by the Defense Criminal Investigative Service (DCIS) from the Department of Defense. The Justice Department says the goal of the operation was to stop the botnets from being able to launch future attacks.
  2. Japan's cabinet gives active cyber defense a green light: Last week, Japan's cabinet approved active cyber defense operations. We don't expect any immediate sea change but approve of the move. It makes sense for governments to actively try to shape the environment rather than being passive victims of cybercrime and espionage.
  3. Germany takes zero-day VERY seriously: System administrators from affected companies received late-night, in-person visits from German police to warn them of a critical vulnerability in Windchill and FlexPLM, a product life cycle management solution. It's good to see someone taking software bugs that seriously, although we wonder if the door knocking couldn't have waited till morning.

Risky Biz Talks

In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq discuss how Google just keeps on finding iOS exploit kits. Is iPhone security busted? And why are Russian state hackers after crypto?

From Risky Bulletin:

The Intellexa CEO is big mad!!! The CEO of a major spyware vendor says he is being scapegoated by the Greek government and is willing to testify and spill the beans on their illegal surveillance operations.

Intellexa CEO Tal Dilian is mad after a Greek court sentenced him, his wife, and two executives to more than 126 years in prison last month on generic charges of "violating the confidentiality of telephone communications."

The sentence is related to a major Greek political scandal known in Greece as Predatorgate, which this newsletter first covered back in December 2024.

[more on Risky Bulletin]

GitHub is starting to have a real malware problem: GitHub is slowly becoming a very dangerous website as more and more threat actors are starting to use it to host and distribute malware disguised as legitimate software repositories.

What started as an infrequent sighting in early 2024 is now at the center of an increasing number of information security and malware reports.

The tactic is usually the same. A threat actor would take a legitimate repository, add malware to the files—typically an infostealer or a remote access trojan—and then upload the boobytrapped repository back on GitHub.

[more on Risky Bulletin]

AWS kills bucketsquatting: Amazon Web Services rolled out a new security feature March 12 that will help customers prevent a type of attack known as S3 Bucket Namesquatting, or Bucketsquatting.

The attack was first described by cloud engineer Ian Mckay in 2019. It happens when an attacker abuses the predictable naming conventions in AWS bucket names to register buckets that have expired or have been deleted by their original owners.

If traffic still flows to the old buckets, this allows attackers to collect data from internal networks or public-facing apps, leading to serious security incidents.

[more on Risky Bulletin]


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.