Modern field guide to security and privacy
A police officer silhouetted against the Apple Store logo in Manhattan.
Carlo Allegri/Reuters/File | Caption

Opinion: Congress needs to check government hacking powers

Now that law enforcement has more leeway to hack computers and surveil suspects due to changes in criminal procedure, Congress needs oversee these powers to protect Americans' civil liberties and privacy.

In 2014, the Justice Department began pushing for legal changes to give law enforcement greater authority to hack into private computer systems.

Several leading senators attempted to stall the rule change so that Congress could have more time to study the complex issue, which could potentially impact millions of Americans. Their effort failed and the new rules took effect on Dec. 1.

While the rise of secure digital communications necessitates that law enforcement have additional authority to successfully investigate crimes and combat terrorism, expanding government hacking power needs to be done in a careful and deliberate manner. Given the scope and importance of these rules, Congress should oversee the changes to ensure they respect civil liberties, do not weaken cybersecurity, and achieve the desired results for law enforcement.

These changes – made to Rule 41 of the Federal Rules of Criminal Procedure that governs how federal criminal prosecutions are handled in the US – were intended to make it easier for the FBI to carry out complex computer investigations.

Previously, the FBI had to go to a magistrate judge in every judicial district where they would like to gain access to a computer and get a warrant for each machine. The new rules allow magistrate judges to grant federal agents a single search warrant for multiple computers in different locations, including computers outside their jurisdiction.

This change was designed to help law enforcement in two ways. First, if suspects in an online crime obscure their location, amended procedures allow federal agents to obtain a search warrant letting them attempt to remotely install malware on suspects' computers. Second, if a crime involves criminals hacking computers in five or more districts, the changes allow judges to issue a single warrant for all affected computers, regardless of where the computers are located. This change will help law enforcement to more efficiently combat botnets, a large network of computers remotely controlled by hackers.

There are several problems with the policy change – and government hacking more generally. Most botnets consist of malware-infected devices. When the government hacks into computers that are part of a botnet, they are typically accessing the systems of victims. Therefore, this change would allow law enforcement to gain lawful access to private data of ordinary citizens who have not willingly participated in any crime.

Given that the FBI estimated in 2014 that approximately 500 million computers are infected globally each year, the new procedure could affect millions of Americans. Without strong protections in place, this is the kind of ambiguous legal framework that could lead to increased surveillance, and should cause ordinary Americans great discomfort.

In addition, government hacking can create vulnerabilities that weaken the security of the systems they hack. For example, if law enforcement installs malware on a device to give themselves backdoor access, other attackers may later exploit this vulnerability. In addition, when hacking into a system, law enforcement can accidentally corrupt files on a system causing problems for other users.

Furthermore, because Rule 41 allows law enforcement to seek warrants for devices outside of the judicial district where they are located, it could lead to "forum shopping," in which law enforcement seeks warrants in districts where a judge is more likely to grant them. Usually, courts guard against this type of behavior by requiring strong jurisdictional claims. However, this protection no longer exists in cases involving five or more computers in different districts.

New rules for government hacking are necessary to enable law enforcement to tackle online crimes and stop terrorism in a networked age. Unfortunately, there has been little public debate by elected officials about how and when the government can engage in hacking.

Instead, amendments to Rule 41 came about through the federal judiciary's Advisory Committee on the Federal Rules of Criminal Procedure and were approved by the Supreme Court. This type of rule change is usually done for procedural updates, such as what holidays courts are closed on, not making substantial changes to how the government can access systems. 

Congress should have an open debate about these changes and establish fair and effective rules for government hacking, including by defining under what circumstances the private sector should provide technical assistance to law enforcement and creating strong accountability and transparency requirements.

These measures will ensure that law enforcement has the appropriate authority to pursue investigations while also protecting civil liberties and computer security. Congress should also explore how the United States can help set international standards for lawful government hacking to promote greater cooperation among law enforcement globally to better combat cybercrime.

Only by initiating a public debate in Congress on how and when the government can hack into private systems can the US set an example for the rest of the world on how to both protect security and privacy while ensuring law enforcement gets the tools it needs to keep up with investigations in the 21st century.

Alan McQuinn is a research analyst at the Information Technology and Innovation Foundation (ITIF), the leading US science and tech policy think tank. Follow Alan on Twitter @AlanMcQuinn.

Daniel Castro is ITIF’s vice president. Follow Daniel on Twitter @castrotech.