Influencers oppose expanding federal hacking authorities
Nearly two-thirds of Passcode鈥檚 Influencers said US judges should not be able to issue search warrants for computers located outside their jurisdictions.
In late April, the Supreme Court听听a controversial change to Rule 41, a relatively obscure federal criminal procedural rule, that would allow US magistrate judges to grant law enforcement warrants to search computers outside their home districts.听
The Justice Department has long been pushing for this change as it grapples with the challenge of investigating Internet crimes that don鈥檛 conform to geographic borders: Agents, they say, should be able to search computers in multiple locations under a single warrant or even when they don鈥檛 know exactly where the device is physically located, without being vulnerable to legal challenge. Otherwise, law enforcement officials worry that criminals will be able to exploit digital tools such as the Tor anonymous browser to conceal their true locations and escape prosecution.
But a majority of security and privacy experts from across government and the private sector surveyed by Passcode worry the rule change may dramatically expand the FBI鈥檚 digital surveillance powers without much oversight or public debate, as even the lowest-ranking US judges couldconceivably grant the FBI the ability to hack computers anywhere in the country or even the听world.
鈥淎s with the recent encryption debate, remote hacking is not something that one court or magistrate judge should have to decide in isolation,鈥 said Abigail Slater, vice president of legal and regulatory policy at the Internet Association, a political lobbying organization for the Internet industry. 鈥淭he issue deserves a robust national听debate.鈥
Unless Congress acts upon the proposal, the rule change will automatically become law. Any bill proposed by the members of Congress who want to stop the rule changes, such as a proposal from听Sen. Ron Wyden (D) of Oregon, would need to clear both houses of Congress and get President Obama鈥檚 signature before the beginning of December to have any听impact.
Several Influencers worry the rule change could set a dangerous precedent that disregards differences in laws around the country 鈥 and the world. 鈥淛udges operate 鈥 or should operate 鈥 within their own jurisdictions, period,鈥 said one Influencer who chose to remain anonymous. 鈥淭he notion that a judge sitting somewhere in the US can issue a warrant for outside the US is not only contrary to international law but shows a contempt and disregard for the laws of other jurisdictions.鈥澨
Civil liberties groups and major technology organizations, another Influencer added, 鈥渁re right to question the constitutionality of this ruling. It is dangerous to allow any government carte blanche such liberal access to thousands and even millions of computers globally.鈥 To preserve the candor of their responses, Influencers have the option to answer the survey on the record or anonymously.
This issue has picked up steam since a district judge in Massachusetts ruled in April听that a warrant obtained by FBI investigators from a magistrate judge in Virginia听听outside that district found to have visited the child pornography site Playpen. It was hosted on Tor, the anonymous Web browser, which bounces users鈥 traffic among multiple servers to make it harder to track identifiable information.
Yet these kinds of federal criminal investigations can also ensnare foreign citizens: The FBI also hacked听听in Denmark, Greece, and Chile last year. Since the rule change could allow federal judges to issue search warrants for computers outside the US, other Influencers worried that other countries may take similar steps听鈥 raising a whole host of questions about whether there could be repercussions for American citizens.
鈥淎 related question is if a Chinese, Russian, EU, Saudi, Ecuadorian, or other judge can issue warrants for computers outside their jurisdiction. After all, what鈥檚 sauce for the goose is sauce for the gander,鈥 one Influencer said. 鈥淭hen this brings up the question of if there is such a thing as jurisdiction, if a judge can act anywhere.鈥
Or, as G眉nter Ollmann, chief security officer at Vectra Networks, a San Jose, Calif.-based cybersecurity company, said: 鈥淲ould the US be bound to honoring foreign governments the same jurisdictional incursion into US computers?鈥
Since cases surrounding Tor鈥檚 Web browser helped prompt the proposed rule change, other Influencers worry that expanding the government鈥檚 hacking authorities this way could jeopardize the rights or even safety of people, such as activists or journalists, who depend upon the service. 鈥淚f this ruling stands, magistrate judges could seize and search any devices outside their local authority if the target is using anonymity software such as Tor, which protect the privacy rights of many good people who require anonymity for good reasons,鈥 one Influencer听said.
Still, a 39 percent minority of Influencers said that judges should be able to issue hacking warrants beyond their jurisdiction 鈥 especially since it鈥檚 not always easy to track the location of criminals on the Web. 鈥淚n the Internet age, the location of computers can鈥檛 always be determined with certainty,鈥 said Stewart Baker, a partner at the Washington-based law firm Steptoe & Johnson. 鈥淲e shouldn鈥檛 give criminals safe haven from search just because of uncertainty about their location.鈥
Ultimately, given the ability of criminals and child pornographers to use Tor and other hidden services to keep their cover, 鈥渢his interpretation of the law is a requirement when we live in a digitally connected world, where bad things happen under cover of anonymized traffic,鈥 said Jeffrey Carr, president and CEO of Taia听Global.
Hackers are smart enough, adds Jenny Durkan, a Seattle-based attorney at the law firm Quinn Emanuel, 鈥渢o set up shop in places they cannot be touched, to erase drives if they think they are detected or otherwise avoid being caught. Investigations must be able to gather this kind of evidence, using modern capabilities.鈥
Since the Internet itself is 鈥渂orderless,鈥 others said, the law must keep up. 鈥淢any of the same activists who claim the Internet is 鈥榖orderless鈥 will take the opposite position when it comes to judges, keeping them limited to their own jurisdiction,鈥 said Jason Healey, senior researcher at Columbia University鈥檚 School of International and Public Affairs. 鈥淗opefully this will empower the most digitally smart听judges.鈥
However, Mr. Healey wants to be sure US judges do not misuse their new powers. 鈥淲e need to keep watch to see if law enforcement does indeed rely on these digitally aware judges, or actually [turns to] the digital dummies in order to assert more听power.鈥
What do you think?听听of the Passcode Influencers Poll.
Who are the Passcode Influencers? For a full list, check out our听
Comments:
NO
鈥淭his question can鈥檛 be answered separately from the broader question of whether or not US judges should be able to issue hacking warrants (or 鈥榬emote access search鈥 or 鈥榥etwork investigative technique鈥 warrants) at all, and if so, under what procedures. That鈥檚 a question that has never been publicly asked or answered by policymakers. Therefore my answer is no 鈥 US judges shouldn鈥檛 be able to issue extraterritorial hacking warrants, until Congress and/or higher courts actually consider the very difficult constitutional and policy questions that surround the practice of government hacking, a practice that raises even more unique privacy and security concerns than wiretapping does but unlike wiretapping lacks any clear Fourth Amendment or statutory framework to control those risks. And even if we conclude that courts should be able to issue extraterritorial hacking warrants, it should be Congress making that decision, not an obscure judicial advisory committee via a change to the federal rules of criminal procedure. This is not a merely procedural question but represents a substantive change in law that requires sustained investigation and debate by our elected lawmakers.鈥澨鈥 Kevin Bankston, Open Technology Institute
鈥淚 think this question answers itself. 鈥極utside their jurisdiction鈥 pretty much says it all. Judges can issue all the warrants they want for stuff outside their jurisdiction but don鈥檛 expect anyone to obey them and good luck enforcing them.鈥澨鈥 Space Rogue, aka Cris Thomas, Tenable Network Security
鈥淭he entire rationale for judicial jurisdiction is predicated upon demarcation amongst judicial districts. Undermining this independence will create an untold array of problems that harm the foundation undergirding rule of law.鈥澨鈥 Sascha Meinrath, X-Lab
鈥淟aw enforcement agencies have never sought or received hacking authority from Congress. The rule 41 changes are an attempt to sneak through an expansion of authority.鈥澨鈥 Christopher Soghoian, American Civil Liberties Union
鈥淯ntil a uniform set of standards is established for the collection of digital information, such extra-jurisdictional actions run a significant risk 听of setting precedents that may conflict or preclude the development of more universal standards.鈥澨鈥 Influencer
鈥淩emote access searches, conducted via government hacking, is dangerous, especially without specific legislative safeguards. Despite this, the questions inherent to remote access searches and government hacking have never received a proper public debate or discussion. Absent that debate, the Department of Justice should not be able to grant themselves that authority.鈥澨鈥 Amie Stepanovich, Access
鈥淐ivil liberties groups and major technology organizations are right to question the constitutionality of this ruling. It is dangerous to allow any government carte blanche such liberal access to thousands and even millions of computers globally. Under Rule 41 there were limitations. If this ruling stands, magistrate judges could seize and search any devices outside their local authority if the target is using anonymity software such as Tor, which protect the privacy rights of many good people who require anonymity for good reasons.鈥澨鈥 Influencer
鈥淣o. U.S. judges shouldn鈥檛 be mucking around in foreign affairs.鈥澨鈥 Influencer
鈥淚t should be an acceptable practice for the sole purpose of locating a computer so that the appropriate compulsory process can be obtained from the jurisdiction where it is determined to be located.鈥澨鈥 Influencer
听
YES
鈥淭he ugly truth: In a borderless world, it is logically equivalent to say that (1) you are outside all jurisdictions, and (2) that you are inside all jurisdictions. 听The former is a world without accountability. 听The latter is a one-world juristocracy. 听The only way to preserve the status quo ante of limited jurisdictional reach is total attributability of all cyber actions, i.e., zero anonymity.鈥澨鈥 Dan Geer, In-Q-Tel
鈥淯nlike current policy, there should be a presumption of using the Mutual Legal Assistance process, with broader warrants only where that cooperative process has been exhausted.鈥澨鈥 Peter Swire, Georgia Institute of Technology
鈥淭he question as posed is a bit overly broad. Enabling judges to issue search warrants for any device outside their jurisdiction as a default seems like a bad idea (jurisdiction exists for a reason), but in the specific case where the device can鈥檛 be located, it may make sense to have a limited exception permitting issuance by (for example) the DC court or a court with jurisdiction over a victim. The process would need safeguards to limit the consequences of an unintentional international search and prevent forum shopping. The difficulty of locating networked devices means that not having such an exception creates an oddly perverse incentive by rewarding criminals that can conceal the location of their devices.鈥澨鈥 Influencer
鈥淭he FBI鈥檚 lamentable anti cyber-crime efforts, stymied by their own lack of resources but bolstered by their insistence on being the pre-eminent cyber investigative organ, protect all but the most high-profile or embarrassing cyber criminals. This bill would facilitate a true effort by local, county and state law enforcement to pursue and capture cyber criminals, and introduce risk into the highly lucrative world of cyber crime.鈥澨鈥 Nick Selby, Street Cred Software
鈥淛udges have already been doing this for years. 听Remote e-discovery is quite common. 听In those cases, if a court has jurisdiction over a party and that party has access to data anywhere, the party has always been obligated to comply. 听That said, foreign laws should be taken into account more than they have been in the past (e.g., Microsoft data in Ireland).鈥澨鈥 Influencer
鈥淟aw enforcement may need to access an Internet connected computer to perform a reasonable search with probable cause even though they are unsure of the computer鈥檚 precise location. There needs to be a procedure for a warrant to be issued in that circumstance. 听听The more interesting change that is being proposed to federal criminal procedures would allow law enforcement to use a single warrant to access large numbers of computers located in different jurisdictions that have been 鈥榙amaged without authorization,鈥 such as in the case of a botnet. There are times when government authority may be useful to protect the Internet from botnets. For example, a large distributed denial of service botnet with a peer-to-peer command and control channel that couldn鈥檛 be shut down could pose a significant threat to the stability of the Internet. With lawful authority, it might be possible to disable the nodes of such a botnet so that they no longer posed a threat. However, any anti-botnet operation that tampers with the computers of innocent victims needs to be executed with great caution. Overzealous anti-botnet operations have negatively impacted the rights of innocent users in the past. Careful oversight of these kinds of operations is needed to ensure that third party interests are given the consideration they deserve, and the rule change being proposed here does not provide for that sort of oversight mechanism.鈥澨鈥 Tom Cross, Drawbridge Networks
鈥淲hen a crime is committed over the Internet and the search of the data can be performed over the Internet then the concept of location becomes less meaningful for a criminal investigation.鈥澨鈥 Influencer
鈥淢y answer of 鈥榶es鈥 is based on assumption that such power would only be used for circumstances where the location is technically indeterminable, not a carte blanche for forum shopping.鈥澨鈥 Influencer
鈥淗ackers are smart enough to set up shop in places they cannot be touched, to erase drives if they think they are detected or otherwise avoid being caught. 听Cyber criminals are a significant threat to our personal privacy, our national security and our economy. Investigations must be able to gather this kind of evidence, using modern capabilities. 听Constitutional rights and personal privacy must be protected. But this happens not by letting bad guys go, but by judges exercising strict oversight of the both the issuance and execution of search warrants. 听Courts already have deep experience in balancing these interests. 听There are many measures courts can take to protect the interests of innocent third parties.鈥澨鈥 Jenny Durkan, Quinn Emanuel
What do you think?听听of the Passcode Influencers Poll.
听
