The FBI removed computers from an office in Florida.
Zachary Fagenson/Reuters/File

Obscure legal change expands government hacking powers

A revision to the Federal Rules of Criminal Procedure allows law enforcement to hack suspects' computers regardless of jurisdiction. Civil liberties groups worry the change will harm individuals' privacy rights.

The FBI, Department of Homeland Security, and other US government authorities now require only the signature of a single judge to hack criminal suspects' computers and personal devices regardless of where they're located. 

The amendments to Rule 41 of the Federal Rules of Criminal Procedure are law enforcement's response to the growing pervasiveness and far-reaching nature of Digital Age crimes, which are often carried out in one location and affect countless individuals and computers located across the globe. 

But many privacy and civil liberties groups have vowed to challenge the change in Congress and in court, arguing that it gives federal authorities too much power to surveil computers and personal devices and will eventually harm individuals' privacy rights.

They're especially worried that changes to the rule make it easier for investigators to gain access to victimized computers in up to 94 US jurisdictions, potentially opening innocent citizens up to legal scrutiny and surveillance.

But backers of the changes insist the nature of cybercrime requires these kinds of procedures, especially when it comes to investigating the people who carry out botnet attacks, digital assaults that can involve thousands of infected computers.

"Today, the subjects that we're investigating could be anywhere," said Leo Taddeo, former head of the FBI’s cyber and special operations division in New York who now serves as chief security officer for cybersecurity firm Cryptzone. "And we don't know that until we conduct the type of investigation that the warrant will allow, which is a search. It just makes police work possible in the 21st century."

The US government already had the power to conduct warranted mass intrusions into suspects' computers using "remote access" software, or programs that authorities push out through the internet into a target's machine. But officials have complained they were often limited by the legal procedures in pursuing perpetrators of such internet crimes as distributing child pornography or criminals who carry out distributed denial of service, or DDoS, attacks. 

For instance, Justice Department officials pointed to a child pornography case that used digital surveillance techniques to unmask suspects involved in an underground child exploitation network. A single warrant sufficed for at least 48 of the prosecutions, but some federal courts threw out evidence gleaned from the remote probe because of the "lack of clear venue," Assistant Attorney General Peter Kadzik noted in a letter to Sen. Ron Wyden (D) of Oregon, one of the leading congressional opponents of the Rule 41 change.

Senator Wyden led an unsuccessful last-minute effort to stall the changes, asking Senate leaders to act on pending legislation that would block or delay the rule from taking effect.

"By sitting here and doing nothing, the Senate has given consent to this expansion of government hacking and surveillance," Wyden said in a statement. "Law-abiding Americans are going to ask what were you guys thinking when the FBI starts hacking victims of a botnet hack. Or when a mass hack goes awry and breaks their device, or an entire hospital system and puts lives at risk."

Privacy and digital rights groups such as the Electronic Frontier Foundation (EFF) reacted harshly to the amended criminal procedure, and have called for greater transparency into how the FBI and others plan on taking advantage of the change and for guidelines for government hacking.

"We don’t have any confidence whatsoever that the FBI is not going to mess it up and end up causing damage to the computers that they are searching," said Nate Cardozo, senior staff attorney at the EFF. "If the malware bricks your laptop," rendering it inoperable, "you have no recourse under the new rules."

And while Justice officials say Rule 41 updates do not make substantive changes to the FBI's hacking abilities, just procedural ones, Mr. Cardozo called that argument disingenuous. In his view, the FBI never before had the authority to search a victim’s computer without the person's consent.

The FBI and Justice declined to comment on security precautions for government searches under Rule 41. But department officials did say they will take reasonable steps to notify victims that a warranted search of their computer was conducted. 

Officials said current laws already green-light searching a victim's computer without the victim's consent; however, many rights groups disagree with their reading of the law.

Mr. Taddeo, the former FBI agent, acknowledged the possibility that intrusion software could net the wrong people or the wrong information, but said the savagery of present-day online crime overshadows the hypothetical technological risks.

The "potential for harm from the misuse of the tool or misconfiguration of the tool is there and needs to be monitored. That's why we have a lot of protections in place," he said. But "you have to weigh the two interests and decide which one is more important, and right now, with the problem of child pornography, I think that outweighs the possibility that there is going to be a misconfiguration or an abuse."