The Department of Justice is countering a growing chorus of privacy advocates who are against a rule change that will greatly expand law enforcement’s ability to hack into computers located around the world. In a blog post to the DoJ website late Monday, Assistant Attorney General Leslie Caldwell argued law enforcement must not be stymied in child porn and ransomware investigations by being forced to obtain dozens of warrants to search complex botnets and Tor to find the bad guys.
At issue are amendments to Rule 41 of the Federal Rules of Criminal Procedure that are being debated in Congress. The amendment is set to take effect on Dec. 1 unless Congress passes an injunction against the change. The rule change is coming to head today with a planned protest against Rule 41 by groups such as the Electronic Frontier Foundation.
The EFF and privacy watchdogs are blasting the proposed change saying it would allow the government to hack into phones and seize computers remotely. They say Rule 41 is an affront to the Fourth Amendment.
“Law enforcement will increase their exploitation of security vulnerabilities in common software products, meaning vulnerabilities that could affect millions will be left open instead of patched,” wrote the EFF in a policy statement against Rule 41.
The DoJ counters the amendment doesn’t change traditional Fourth Amendment protections and procedures requiring the government establish probable cause. “Rather, the amendments would merely ensure that at least one court is available to consider whether a particular warrant application comports with the Fourth Amendment,” Caldwell said in the DoJ post.
Caldwell said the amendments would apply only in two narrow instances. One, when agents are investigating child porn rings and there is a need to hunt down criminals uploading videos using anonymizing services. Second, when – for example – an investigation into ransomware attacks leveraging botnets spread across many different judicial districts might otherwise require up to 94 separate warrant applications.
“Absent the amendments, the requirement to obtain up to 94 simultaneous search warrants may prevent investigators from taking needed action to liberate computers infected with malware,” Caldwell wrote. “This change would not permit indiscriminate surveillance of thousands of victim computers—that is against the law now and it would continue to be prohibited if the amendment goes into effect,” she wrote.
The debate over Rule 41 changes dates back to 2015 when the FBI, while investigating a child pornography website, took over the site in question and infected thousands of computers around the globe with malware in an effort to locate users who were using anonymizing technology such as the Tor browser or VPN services that masked a user’s location.
Since then, the FBI has come under close scrutiny for its apparent lack of appropriate search warrants. In May, a federal judge ruled key evidence against a Vancouver teacher charged with possession of child pornography could not be admissible because of the FBI’s refusal to share details about a network investigative technique it used to gather evidence.
EFF along with privacy advocates Access Now are fighting Rule 41 and submitted joint testimony to the Advisory Committee on Criminal Rules. They warn changes to Rule 41 will lead to forum shopping where law enforcement will seek “government-friendly magistrate judges to sign off on warrants with a loose connection to the judicial district,” the EFF argues.
Kevin Bankston, the head of New America’s Open Technology Institute, also expressed deep skepticism regarding changes to Rule 41. In a statement issued against Rule 41, Bankston said there are clear distinctions between wiretapping, hacking and “regular” searches issued under the Fourth Amendment.
“Unlike wiretapping, however, Congress has never authorized government hacking nor established protective rules for the road to ensure it’s not abused,” Bankston wrote. “Government hacking also raises a host of new and serious risks to privacy and security that wiretapping doesn’t, including the risk that the malware used by the government might spread to innocent people’s computers or cause unintended damage.”
The change was issued by the Supreme Court in April and now heads to Congress, which has until Dec. 1 to either block or pass the provision.