A new rule goes into effect Thursday that gives law enforcement the ability to hack millions of computers or smartphones at once with a single search warrant. But opponents of the controversial Rule 41 say they are committed to fight the government’s expanded powers.
“The most important thing is that the fight isn’t over yet. Congress has the ability to roll back the rule change even after it goes into effect,” said Rebecca Jeschke, digital rights analyst with the Electronic Frontier Foundation.
The EFF along with a bipartisan group of senators that included Sens. Ron Wyden (D-Ore.), Steve Daines (R-Mont.) and Chris Coons (D-Del) failed in a last-ditch effort Wednesday to prevent changes to Rule 41.
“It’s very disappointing Congress failed to act in time to stop Rule 41,” said Robyn Greene, policy counsel and government affairs lead at the New America’s Open Technology Institute. “But this is certainly not the end of the line when it comes to Rule 41.”
Implementation of Rule 41 makes it easier for law enforcement to track down cyber criminals who use tools such as Tor, botnets or malware to mask their true location. It allows law enforcement to request from judges a warrant that permits the use of remote access tools “to search electronic storage media and to seize or copy electronically stored information located within or outside that district.” Typically, a judge’s authority to authorize search warrants is limited by his or her jurisdiction.
Civil liberties groups such as the EFF, ACLU and Open Technology Institute had mounted a strong campaign urging lawmakers to consider the privacy implications of the rule. They voiced significant concerns about the rule changes and proposed several bills to Congress to stop or delay Rule 41 from going into effect. Bills included Stopping Mass Hacking Act (S. 2952, H.R. 5321), the Review the Rule Act (S.3475, H.R.6341), and the Stalling Damaging Mass Hacking Act (S. 3485).
According to Greene efforts to pass those bills will not stop. “One of the important things to remember is that just because the rule change was implemented today, Congress can act at any time to pass a law to either put a pause on the implementation of the rule change, amending the rule change or more importantly implement a legal framework that provides effective protection for Americans’ constitutional right to privacy and protection from government hacking.”
Rule 41 backers said the rule change was necessary to keep pace technologically with cyber criminals. They argued the rule was appropriate and unties law enforcement’s hands to track down elusive criminals.
Neema Guliani, ACLU legislative counsel, disagrees stating Rule 41 threatens privacy and security.
“Congress has held zero hearings on this issue and the Department of Justice has yet to respond to Congressional requests for information on its impacts. The ACLU is disappointed that Congress did not halt the rule change. However, there is still a need for Congress to provide oversight of hacking activities and put in place limits to protect privacy and security.”
The ACLU has argued that Rule 41’s authority to give the US government the ability to create and control hacking tools was particularly alarming because of the government’s spotty track record at designing its own malware securely.
Guliani and Greene are both pinning hopes on bipartisan congressional support for hearings to consider the ramifications of government cyber surveillance and hacking. “The FBI has been hacking for two decades now. It’s something that has raised concerns among both parties,” Greene said.
Greene added that there needs be clearer rules around government hacking; just as there are for wiretapping. “We know what the legal framework around wiretapping is. Now we need it for hacking; which is arguably more invasive, dangerous and still has no rules for the road.”
Opponents of Rule 41 say there needs to be a clear distinction between wiretapping, hacking and “regular” searches issued under the Fourth Amendment. They go on to argue that government hacking raises a host of serious risks to privacy and security that wiretapping doesn’t, including the risk that malware used by the government might spread to innocent people’s computers or cause unintended damage.
Debate over the limits of the government’s ability to snoop have have been a hot topic leading up to the implementation of Rule 41. In April, a federal judge threw out evidence in a child pornography case stating the FBI didn’t have a proper warrant to hack into a child porn site.
In that case the FBI quietly seized servers for a site called Playpen after a lengthy investigation. But instead of shutting it down, the FBI continued to run it and use it to collect the IP addresses of its users. In that case, the attorney of one user, a Massachusetts man, successfully argued that the warrant the FBI used to authorize the network investigative technique (NIT) was not valid. That’s because the warrant was issued in by a magistrate judge in Virginia and not in Massachusetts – outside of the judge’s jurisdiction.
Rule 41 allows judges to issue one search warrant across state lines to penetrate computers outside their jurisdiction.