Botnet Mitigations by the FBI, DOJ, and Microsoft Stop Cyber Attacks But May Trample on User Rights
Of all the software tools associated with cybercrime, botnets have perhaps the most widespread impact on commerce and on the operation of American businesses. The term “bot” has many meanings, but in criminal law it refers to a type of malicious software that infects a user’s computer and receives instructions from a criminal’s “command-and-control” server. The cyber-criminal can then instruct the software to perform automated tasks such as sending requests, spam, or other malicious traffic. Criminals use “botnets”—networks of these infected computers—to flood websites, servers, and other targets with disruptive requests, spam, and other unwanted traffic. In 2012, cyber-criminals began specifically targeting the U.S. financial industry, focusing on banks such as Wells Fargo and JP Morgan Chase and causing service disruptions. In total, botnets have caused an estimated $9 billion in damage in the U.S. and $110 billion globally.
In response, the FBI, the DOJ, and Microsoft have used a process involving temporary restraining orders (TROs) and injunctions to take down many of these botnets. First, the DOJ (partnered with the FBI) or Microsoft obtains an ex parte TRO and/or injunction covering the domains that carry the botnet’s command-and-control traffic. Although the plaintiffs may identify several botnet operators, many defendants are listed as “John Does.” After obtaining the order, they seize the infringing domains and redirect the traffic to Microsoft or FBI “sinkhole” servers, which cuts the infected computers off from the criminal’s command-and-control server. Finally, the plaintiffs send out a “curative file” to the infected computers in the botnet to stop the malicious activity.
These organizations have taken measures to protect the privacy and security of the owners of the infected computers. In the government’s legal memorandum supporting the Coreflood mitigation (a DOJ and FBI operation), for instance, the government asserted that it had evaluated and tested the “stop” command sent to the malware on users’ computers to ensure it would “not cause any damage to the victim computers on which the Coreflood software is present, nor will it allow the Government to examine or copy the contents of the victim computers in any fashion.” The memorandum also argued that sending the command to the malware on users’ computers would not violate the Fourth Amendment prohibition against unreasonable seizures because any interference was at most “de minimis.” Few, if any, computer owners were likely to claim significant “possessory interests” in having or running malicious software on their computers.
However, in late June 2014, Microsoft filed for and received a temporary restraining order against No-IP.com, a dynamic DNS company that gives customers a stable hostname for a changing IP address. As Microsoft noted, malware operators used 18,472 No-IP subdomains to control and distribute malicious software. However, when Microsoft took control of the DNS for No-IP’s base domains in accordance with the order, it cut off service to over 5,000,000 subdomains, which served—in addition to the malware operators—legitimate customer websites and devices. Microsoft did eventually return most of the subdomains two days after the initial seizure, but that downtime could have seriously impacted users and businesses relying on those subdomains.
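The granularity problem behind the No-IP episode, as an added example that is not part of the original post: the script below models the two takedown shapes described above, a nameserver-level seizure of a provider’s base domains versus a sinkhole keyed on the individual command-and-control hostnames, over a constructed zone of hostnames, and counts how many legitimate hosts each one knocks offline. The domain names, addresses and the two-label `registrable_domain` helper are assumptions made for the demo, not anything from the No-IP case; real tooling would consult the Public Suffix List.

```python
"""Sinkhole granularity demo (added example; constructed data, not No-IP's zone)."""
from typing import Dict, Set, Tuple

# RFC 5737 documentation address standing in for the sinkhole server.
SINKHOLE_IP = "192.0.2.1"

# Constructed sample zone: two provider-owned base domains (hypothetical names),
# each hosting both legitimate customers and malware command-and-control hosts,
# plus one host under an unrelated domain that no order touches.
ZONE: Dict[str, str] = {
    "cam01.dyn-example.test":      "203.0.113.10",  # legitimate: home camera
    "shop.dyn-example.test":       "203.0.113.11",  # legitimate: small business
    "update-svc.dyn-example.test": "198.51.100.7",  # malicious C2 (constructed)
    "files.other-dyn.test":        "203.0.113.12",  # legitimate: file share
    "panel7.other-dyn.test":       "198.51.100.9",  # malicious C2 (constructed)
    "www.unrelated.test":          "203.0.113.13",  # not under any seized domain
}
MALICIOUS: Set[str] = {"update-svc.dyn-example.test", "panel7.other-dyn.test"}


def registrable_domain(host: str) -> str:
    """Return the last two labels ('cam01.dyn-example.test' -> 'dyn-example.test').

    Assumption for the demo: every domain here is a flat two-label name.
    Production code would consult the Public Suffix List, because a naive
    two-label rule misfires on suffixes such as co.uk.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def sinkhole_by_domain(zone: Dict[str, str], malicious: Set[str]) -> Dict[str, str]:
    """Model a nameserver-level takeover of the base domains the C2 hosts live under.

    Every hostname under a seized base domain now resolves to the sinkhole,
    whether or not it was ever malicious. This is the shape of the No-IP order.
    """
    seized = {registrable_domain(h) for h in malicious}
    return {h: (SINKHOLE_IP if registrable_domain(h) in seized else ip)
            for h, ip in zone.items()}


def sinkhole_by_hostname(zone: Dict[str, str], malicious: Set[str]) -> Dict[str, str]:
    """Model a hostname-level sinkhole: only the listed C2 names are redirected."""
    return {h: (SINKHOLE_IP if h in malicious else ip) for h, ip in zone.items()}


def collateral(original: Dict[str, str], redirected: Dict[str, str],
               malicious: Set[str]) -> Tuple[int, int]:
    """Return (malicious hosts neutralised, legitimate hosts knocked offline)."""
    sinkholed = {h for h, ip in redirected.items()
                 if ip == SINKHOLE_IP and original[h] != SINKHOLE_IP}
    return len(sinkholed & malicious), len(sinkholed - malicious)


if __name__ == "__main__":
    for name, fn in (("domain-level", sinkhole_by_domain),
                     ("hostname-level", sinkhole_by_hostname)):
        hit, damage = collateral(ZONE, fn(ZONE, MALICIOUS), MALICIOUS)
        print(f"{name:15s} neutralised {hit} C2 hosts, "
              f"knocked {damage} legitimate hosts offline")
```

On this constructed zone the domain-level seizure neutralises both C2 hosts but also takes three legitimate hosts offline, while the hostname-level sinkhole neutralises the same two with no collateral. The trade-off a mitigation order has to weigh is that the hostname-level approach needs a complete and accurate list of C2 names (and a cooperating DNS operator to apply it), whereas a domain-level seizure works with an incomplete list at the cost of every innocent name sharing the domain.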
Microsoft has also received criticism for its take-down of another botnet, Citadel, which disrupted honeypot servers set up by botnet researchers. That disruption did not harm businesses and users unrelated to botnets or botnet research. Nonetheless, both the No-IP case and the disruptions associated with the Citadel take-down demonstrate the potential collateral damage of an unregulated mitigation.
In response to the success of these botnet mitigations, the Senate Judiciary Committee has held a hearing to consider legislation that would facilitate botnet mitigation. Although the hearing produced many constructive suggestions for legislative reform, including a proposal by the DOJ, there is concern that the committee did not address the potential collateral damage to innocent third-party users and organizations that results from these mitigations. During the hearing, Online Trust Alliance Director Craig Spiezle pointed out three major considerations: “1) the risk of collateral damage to innocent third parties, 2) errors in identifying targets for mitigation and 3) respecting users’ privacy.” Any effective legislation facilitating the mitigation of botnets must address these issues.
In addition, effective legislation should address the liability of private corporations engaged in mitigation as well as the possibility of redress for innocent third parties who are affected. Microsoft and No-IP ultimately settled their dispute out of court, but it is unclear whether the terms of the settlement cover damage done to No-IP itself or to its clients. Legislation facilitating the mitigation of botnets should clarify the rights of innocent third parties—including both intermediaries such as No-IP and the end-users themselves—to damages resulting from a botnet mitigation. Likewise, botnet legislation should clarify the liability incurred by private organizations such as Microsoft in executing these mitigations.
David G. Krone is a J.D. Candidate, ’16, at NYU School of Law.