The National Security Agency, too, is involved. The agency has budgeted tens of millions of dollars for an aggressive effort to scale its hacking operations and "own the net," a proposition that, as The Intercept reported, envisions indiscriminately infecting millions with malware that has the capability for remote video surveillance by webcam. The Department of Justice, for its part, expended considerable effort in 2014 making vague arguments in support of expanding the Federal Bureau of Investigation's ability to use malware, like RATs, for domestic law enforcement.
There's a real threat of being watched and recorded where you live, and without your knowledge or consent. Anyone with or near a computer and its webcam is potentially at risk. While cautious browsing can make a difference when it comes to protecting yourself, for ratting victims, U.S. law, late as usual to the party, is lacking.
* * *
Despite repeated violations of privacy via webcam hacking, legal protections against RATs in the United States leave many behind. Theoretically available state-level protections vary widely from place to place, and federal law, as a privacy backstop, is inadequate.
There are counter-intuitive interpretations of an aging electronic privacy statute passed before webcams were invented, and a federal hacking law that offers a private individual the right to sue but imposes requirements on this right that exclude most victims of ratters. In the case of the government’s use of RATs against the public, the process is comically and characteristically opaque.
Simple changes to U.S. law and policy, though, can meaningfully improve the status quo and ensure that the public is protected. As one of the authors of a recent policy paper reviewing the legal, technological, and policy issues surrounding RATs, I've given a lot of thought to the problem and how we can fix it.
The federal government should clarify the definition of “interception” under Title I of the Electronic Communications Privacy Act (ECPA) and reconsider the damages requirement for private claims in the Computer Fraud and Abuse Act (CFAA) in light of the often non-economic nature of privacy harms. A victim’s suffering is often not financial but emotional.
On a constitutional and procedural level, we should require that law enforcement hacking include automatic transparency, ban government webcam hacking, and be exacting in applying the Fourth Amendment’s warrant requirements. Together, with political will and popular support behind them, changes in these areas would empower the public to better respond to ratters—whether individuals or government agents—and improve the privacy of millions.
* * *
Electronic privacy law in the United States is guided by the overlap of the Federal Trade Commission, state law, criminal procedure, executive order, and federal statute. In the last category, few statutes have more potential than the ECPA. ECPA was passed in 1986 as an amendment to the federal Wiretap Act, and, among other things, generally forbids the interception of electronic communications without the consent of a party to that communication. It’s a rule that sounds fairly simple. But in applying the 28-year-old law—which Sen. Patrick Leahy noted in 2013 was "no longer suited" to contemporary threats—courts have turned to a technologically unwieldy metaphor of "flight" to determine which interceptions occur “contemporaneously” with a message’s transmission and thus are covered by the statute. This definitional jig has meant webcam hacking victims are uncovered, with courts reluctant to take the sensible step of including webcam RAT spying under the act’s auspices.