Dozens of people say they’ve received an email from Google informing them that the FBI has been sniffing around for information on their accounts. Now that a gag order has been lifted, the company is able to “disclose the receipt of the legal process” to any affected users, Google said.
That’s not entirely surprising: the gag orders that often accompany such requests keep organizations such as Google, Microsoft, Facebook and Apple from disclosing the order for a given period of time. Any email provider worth its salt nowadays issues transparency reports, and the biggest companies have called for increased transparency in government surveillance requests.
But these nondisclosure orders can be lifted, cybercrime lawyer Marcia Hoffman told Motherboard:
It looks to me like the court initially ordered Google not to disclose the existence of the info demand, so Google was legally prohibited from notifying the user. Then the nondisclosure order was lifted, so Google notified the user. There’s nothing unusual about that per se. It’s common when law enforcement is seeking info during an ongoing investigation and doesn’t want to tip off the target(s).
Who are the targets in the FBI’s inquiry – targets who can now be safely tipped off?
The emails lack specific details about whatever the FBI was investigating, though they did contain a case number that corresponded to a sealed case when Motherboard looked it up on PACER.
Some who received the letters posted screenshots in online forums. From one such:
Google received and responded to legal process issue by Federal Bureau of Investigation (Eastern District of Kentucky) compelling the release of information related to your Google account. A court order previously prevented Google from notifying you of the legal process. We are now permitted to disclose the receipt of the legal process to you.
Though the letters had scanty detail, some of the recipients have a hunch regarding what it’s all about.
In threads on Reddit, Twitter, and Hack Forums, conjecture is that the FBI was looking for information on people associated with LuminosityLink: an easy to use, remote access Trojan (RAT) that was selling for as little as $39.99.
Ever seen this?! 😒 pic.twitter.com/1xJO1rALTh
— Luca Bongiorni (@CyberAntani) August 30, 2018
…until, that is, it wasn’t. Europol snuffed out LuminosityLink in February, following a UK-led dragnet in September 2017 that involved over a dozen law enforcement agencies in Europe, Australia and North America that went after hackers linked to the tool.
In July, 21-year-old Kentuckian Colton Grubbs pleaded guilty to federal charges of creating, selling and providing technical support for the RAT to his customers, some of whom used it to gain unauthorized access to thousands of computers across 78 countries worldwide.
Some of those who received the notice from the newly ungagged Google said that they consider the mystery solved: they had purchased LuminosityLink, which may well have caught the attention of the FBI.
problem solved.
— Luca Bongiorni (@CyberAntani) August 30, 2018
I bough a copy of LL time ago for research pic.twitter.com/HTfIXTLpYf
Buying LuminosityLink doesn’t necessarily brand somebody a cybercrook. It had a split personality when it came to its marketing: it was sold as a legitimate tool for Windows admins to “manage a large amount of computers concurrently”. On the flip side, it was also a cheap, easy-to-use, multi-purpose pocket knife with a slew of malware tools you could flip out: a RAT that could be surreptitiously installed without a user being aware and which disabled anti-virus and anti-malware protection on targets’ computers before going to work switching on webcams to spy on video feeds; accessing and viewing documents, photographs, and other files; stealing passwords; and/or installing a keylogger to automatically record victims’ keystrokes.
Some bought it to do legitimate systems administration. Others say they bought it for research purposes. Their activities would only be illegal if they used the tool’s more nefarious capabilities.
While it’s not unusual for a gag order to be subsequently lifted, it is perhaps unusual for the FBI to try to track down every person who purchased software that may not be considered illegal, as one lawyer pointed out to Motherboard. Gabriel Ramsey, a lawyer with a specialty in cybersecurity and internet law, said that just buying a tool like LuminosityLink doesn’t determine guilt:
If one is just buying a tool that enables this kind of capability to remotely access a computer, you might be a good guy or you might be a bad guy. I can imagine a scenario where that kind of request reaches – for good or bad – accounts of both type of purchasers.
mike@gmail.com
That is such nonsense. Hey criminal, the police are looking for you. If that isn’t aiding and abetting, or at the least, yelling “5-0” for your criminal buddies, what is it?
Time for the USG to slap their hands and do it hard.
Markle Ditch
It’s more like, “Hey innocent until proven guilty citizen, your privacy is legally being breached. Thought you should know about it.”
Wilderness
“Their activities would only be illegal if they used the tool’s more nefarious capabilities.”
Exactly. We need to expand this truism to other areas. It’s not the tool that’s the problem, it’s people with malicious intent that are the problem.
Laurence Marks
> “It’s not the tool that’s the problem, it’s people with malicious intent that are the problem.”
That applies to handguns, too.
Steve
And so-called assault weapons, and other firearms.
Lateral
And the M2 Browning, M72 Light Anti-tank Weapon, FIM-92 Stinger, MQ-1 Predator… ?
They’re just tools too.
It may be the person that’s the problem, and not the tool, but the question is, surely “knowing that some people will turn legal tools against others, what’s the risk/reward we’re prepared to accept in trusting individuals we don’t know with these tools?”.
njorl
Am I reading too much into this, or is the story that, because some people bought a product that might be used for something bad, the FBI has been granted the right to read all their e mail, just in case there’s actually something truly incriminating in there?
luceastman
I have received such message from google and I am freaking out since I don’t have a clue. I use TeamViewer to control remotely my home computer for private use. Other than this I do not have anything I knowingly use for such purpose.
Should I contact the FBI? I have nothing to hide and am willing to collaborate or should I hire a lawyer?