Congress must act on new FBI hacking powers

Kade Crockford, BridgeTower Media Newswires

On Dec. 1, the federal government enacted the most significant (publicly disclosed) expansion of government surveillance authorities since the passage of the FISA Amendments Act, or FAA, of 2008, which put Congress’ stamp of approval on the Bush administration’s warrantless wiretapping program.

But unlike the FAA, which was fiercely debated and ultimately approved in the last months of George W. Bush’s presidency, Congress never authorized this latest expansion of surveillance powers. As a result, most Americans probably don’t even know it happened.

The changes that went into effect on Dec. 1 were to Rule 41 of the Federal Rules of Criminal Procedure, which outlines the search warrant regime for federal courts across the country.

The altered language allows for digital general warrants, permits judges to authorize government hacking and electronic searches outside of their jurisdictions, relaxes disclosure requirements, and puts at risk the digital security of potentially millions of people across the United States and the world.

The Committee on the Federal Rules of Criminal Procedure changed the rule in response to a long lobbying campaign by the FBI — and in spite of warnings issued by civil libertarians and internet security experts.

Rule changes are supposed to be procedural and not significantly alter government authorities. But the alterations to Rule 41 are not just bureaucratic tinkering. Instead, they fundamentally reformulate the government’s ability to use hacking as an investigative tactic.

The Obama Department of Justice has said it needs these new authorities in order to adequately investigate crimes with a digital flavor. The use of Dark Web and anonymizing technologies has interfered with investigations, officials have claimed, and the only way to break through is to grant government technicians the power to hack or install malware on suspect computers — sometimes thousands or millions of computers at a time, even when government officials don’t know who owns or operates them, or where in the world they physically sit.

The prior rule guarded against forum shopping by generally allowing judges to authorize warrants only within their physical jurisdictions. Now, prosecutors can apply for hacking warrants to courts they know to be friendly to government claims. A single hacking warrant signed by a judge in Washington, D.C. could be used to install malware on computers in New York, Seattle, Boston, Hong Kong and beyond.

The rule changes raise serious internet security and Fourth Amendment concerns. As Sen. Ron Wyden, D-Oregon, has warned, the changes “allow the government to search millions of computers with the warrant of a single judge.”

If that reads to you like a general warrant, you’re right: It’s precisely the kind of Royalist scourge the Fourth Amendment to the U.S. Constitution was designed to prevent.

And the new rule won’t only impact people suspected of crimes. Technology experts say victims, not just perpetrators, of ‘botnet’ attacks may also be targeted by FBI malware and “remote searches” under the modified authorities.

Remember the mass internet outage in October, when thousands of Internet of Things devices across the world were hacked and weaponized to carry out distributed denial of service, or DDoS, attacks on popular websites like Twitter.com and NewYorkTimes.com? Under the new Rule 41, the victims of botnet attacks like that one could be hacked along with the perpetrators, making victims of hacks vulnerable to further intrusions.

Unfortunately, these hacking victims may never learn that the government compromised the integrity of their computers. That’s because the modifications to Rule 41 alter the notification requirement, replacing the prior standard with weak language mandating only that officials make “reasonable efforts” to notify targets that the government hacked into or remotely searched their devices.

It’s likely that in many cases the government won’t even know the identities of many of the people its agents hack. That’s a serious problem not only for due process, but also for digital security. If government hackers install malware on someone’s computer to allow them to look around inside, they may open (and never close) a backdoor that other, non-U.S. government hackers can easily exploit.

In other words, the FBI’s new authority could very well wind up hurting, instead of advancing, U.S. cybersecurity.

Given the serious security threats posed by these enhanced surveillance authorities and weakened civil liberties protections, you’d think the changes to Rule 41 would have been a subject of hot debate, perhaps even during the recent presidential election. But there’s been almost no discussion of the changes in the major media, and only a few leaders in Congress — most notably Sen. Wyden — have tried to do anything to stop them.

Perhaps there’s been so little discussion about the modifications to Rule 41 because the phrase “rule change” sounds relatively benign, or because most Americans aren’t familiar with the justice system to begin with. But the changes, made by rules committees and never approved by elected officials, have vast implications for privacy, security, due process and government transparency in the digital 21st century.

Now that the rule changes have gone into effect, Congress must swiftly act to place limits on the federal government’s authority to hack into computers around the world.

Such legislation should govern how and when officials may use hacking as an investigative technique, require robust transparency reporting and mandated disclosure to targets, and create a process to ensure technology companies stay abreast of security holes in their systems.

Details like these matter where technology meets the law. When little-known rules committees grant law enforcement vast new surveillance authorities without congressional action or public debate, those details get ignored. We may not yet fully understand how disastrous the consequences of this dysfunction could be.

Congress should act quickly to make sure we don’t have to find out.

—————

Kade Crockford is director of the Technology for Liberty Project at the ACLU of Massachusetts.