The Supreme Court is moving to expand the FBI’s hacking authority with Criminal Rule 41, an amendment to federal criminal procedures that makes it easier for the FBI to access computers remotely when their locations are unknown.
Privacy watchdogs are blasting the proposed change saying it would allow the government to hack into phones and seize computers remotely. The change was issued by the Supreme Court last week and now heads to Congress, which has until Dec. 1 to either block or pass the provision.
The controversial Rule 41 attempts to make it easier for law enforcement to track down cyber criminals who use tools such as Tor, botnets or malware to mask their true location. Rule 41 allows law enforcement to request from judges a warrant that permits the use of remote access tools “to search electronic storage media and to seize or copy electronically stored information located within or outside that district.”
Typically, a judge’s authority to authorize search warrants is limited by his or her jurisdiction. Rule 41 allows judges to issue a search warrant across state lines to penetrate computers outside their jurisdiction or even outside the U.S.
“The government hacking into phones and seizing computers remotely? It’s not the plot of a dystopian blockbuster summer movie,” wrote Rainey Reitman, activism director for the Electronic Frontier Foundation in a bulletin late last week. “The change to Rule 41 isn’t merely a procedural update. It significantly expands the hacking capabilities of the United States government without any discussion or public debate by elected officials… (The rule) seeks to sidestep the legislative process while making sweeping sacrifices in our security.”
EFF along with privacy advocates Access Now are both fighting Rule 41 and submitted joint testimony to the Advisory Committee on Criminal Rules.
Amie Stepanovich, senior policy counsel with Access, said Rule 41’s authority to give the US government the ability to create and control botnets was particularly alarming because of the government’s spotty track record at designing its own malware securely.
Rule 41 backers say the rule change is necessary to keep pace technologically with cyber criminals. Nicholas Weaver, a senior staff researcher on computer security at the International Computer Science Institute in Berkeley, Ca. said the rule was appropriate and unties law enforcement’s hands to track down elusive criminals.
Another supporter of Rule 41 is the Department of Justice which submitted testimony last year that contends critics are mischaracterizing what Rule 41 allows. “The proposal addresses venue; it does not itself create authority for electronic searches or alter applicable statutory or constitutional requirements,” wrote DOJ attorney Rebecca Womeldorf to the Supreme Court.
Interest in Rule 41 has piqued recently as the limits of the government’s ability snoop have come under question. Last month, a federal judge threw out evidence in a child pornography case stating the FBI didn’t have a proper warrant to hack into a child porn site.
In that case the FBI quietly seized servers for a site called Playpen after a lengthy investigation. But instead of shutting it down, the FBI continued to run it and used Playpen to collect IP addresses of its users. In that case, a Massachusetts man’s attorney successfully argued that the warrant the FBI used to authorize the network investigative technique (NIT) was not valid. That’s because the warrant was issued in by a magistrate judge in Virginia and not in Massachusetts – outside of the judge’s jurisdiction.
“The court concludes that the NIT Warrant was issued without jurisdiction and thus was void,” Judge William G. Young wrote in his decision (PDF). “It follows that the resulting search was conducted as though there were no warrant at all.”
Rule 41 goes too far, according to Senator Ron Wyden, a Democrat from Oregon. In a statement issued last week he said, “Under the proposed rules, the government would now be able to obtain a single warrant to access and search thousands or millions of computers at once; and the vast majority of the affected computers would belong to the victims, not the perpetrators, of a cybercrime.” Wyden plans to introduce legislation to reverse the Rule 41 amendment.
Kevin Bankston, the head of New America’s Open Technology Institute, also expressed deep skepticism on the matter. In a statement issued last week saying there is a clear distinction between wiretapping, hacking and “regular” searches issued under the Fourth Amendment.
“Unlike wiretapping, however, Congress has never authorized government hacking nor established protective rules for the road to ensure it’s not abused,” Bankston wrote. “Government hacking also raises a host of new and serious risks to privacy and security that wiretapping doesn’t, including the risk that the malware used by the government might spread to innocent people’s computers or cause unintended damage.”