Obscure legal change expands government hacking powers
The FBI, Department of Homeland Security, and other US government authorities now require only the signature of a single judge to hack criminal suspects' computers and personal devices regardless of where they're located.
The amendments to Rule 41 of the Federal Rules of Criminal Procedure are law enforcement's response to the growing pervasiveness and far-reaching nature of Digital Age crimes, which are often carried out in one location and affect countless individuals and computers located across the globe.
But many privacy and civil liberties groups have vowed to challenge the change in Congress and in court, arguing that it gives federal authorities too much power to surveil computers and personal devices and will eventually harm individuals' privacy rights.
They're especially worried that changes to the rule make it easier for investigators to gain access to victimized computers in up to 94 US jurisdictions, potentially opening innocent citizens up to legal scrutiny and surveillance.
But backers of the changes insist the nature of cybercrime requires these kinds of procedures, especially when it comes to investigating the people who carry out botnet attacks, digital assaults that can involve thousands of infected computers.
"Today, the subjects that we're investigating could be anywhere," said Leo Taddeo, former head of the FBI's cyber and special operations division in New York who now serves as chief security officer for cybersecurity firm Cryptzone. "And we don't know that until we conduct the type of investigation that the warrant will allow, which is a search. It just makes police work possible in the 21st century."
The US government already had the power to conduct warranted mass intrusions into suspects' computers using "remote access" software, or programs that authorities push out through the internet into a target's machine. But officials have complained they were often limited by the legal procedures in pursuing perpetrators of such internet crimes as distributing child pornography or criminals who carry out distributed denial of service, or DDoS, attacks.
For instance, Justice Department officials pointed to a child pornography case that used digital surveillance techniques to unmask suspects involved in an underground child exploitation network. A single warrant sufficed for at least 48 of the prosecutions, but some federal courts threw out evidence gleaned from the remote probe because of the "lack of clear venue," Assistant Attorney General Peter Kadzik noted in a letter to Sen. Ron Wyden (D) of Oregon, one of the leading congressional opponents of the Rule 41 change.
Senator Wyden led an unsuccessful last-minute effort to stall the changes, asking Senate leaders to act on pending legislation that would block or delay the rule from taking effect.
"By sitting here and doing nothing, the Senate has given consent to this expansion of government hacking and surveillance," Wyden said in a statement. "Law-abiding Americans are going to ask what were you guys thinking when the FBI starts hacking victims of a botnet hack. Or when a mass hack goes awry and breaks their device, or an entire hospital system and puts lives at risk."
Privacy and digital rights groups such as the Electronic Frontier Foundation (EFF) reacted harshly to the amended criminal procedure, and have called for greater transparency into how the FBI and others plan on taking advantage of the change and for guidelines for government hacking.
"We don't have any confidence whatsoever that the FBI is not going to mess it up and end up causing damage to the computers that they are searching," said Nate Cardozo, senior staff attorney at the EFF. "If the malware bricks your laptop," rendering it inoperable, "you have no recourse under the new rules."
And while Justice officials say Rule 41 updates do not make substantive changes to the FBI's hacking abilities, just procedural ones, Mr. Cardozo called that argument disingenuous. In his view, the FBI never before had the authority to search a victim's computer without the person's consent.
The FBI and Justice declined to comment on security precautions for government searches under Rule 41. But department officials did say they will take reasonable steps to notify victims that a warranted search of their computer was conducted.
Officials said current laws already green light searching a victim's computer without the victim's consent; however, many rights groups disagree with their reading of the law.
Mr. Taddeo, the former FBI agent, acknowledged the possibility that intrusion software could net the wrong people or the wrong information, but said the savagery of present-day online crime overshadows the hypothetical technological risks.
The "potential for harm from the misuse of the tool or misconfiguration of the tool is there and needs to be monitored. That's why we have a lot of protections in place," he said. But "you have to weigh the two interests and decide which one is more important, and right now, with the problem of child pornography, I think that outweighs the possibility that there is going to be a misconfiguration or an abuse."