A change to US search-and-seizure rules took effect Thursday, after repeated failures to block it in Congress, in what some lawmakers and privacy groups say could give the government unprecedented legal authority to hack into millions of computers belonging to innocent Americans.
Calling the change "one of the biggest mistakes in surveillance policy in years," Sen. Ron Wyden (D) of Oregon made a final push Wednesday from the Senate floor to block or delay implementation of the change. But his efforts were thwarted by Sen. John Cornyn (R) of Texas, the majority whip, meaning American judges will now be permitted to issue search warrants that give the FBI authority to access computers in any jurisdiction remotely.
"By sitting here and doing nothing, the Senate has given consent to this expansion of government hacking and surveillance," Senator Wyden said, vowing to introduce a bill to repeal the rule in the next Congress, as USA Today reported. "Law-abiding Americans are going to ask 'what were you guys thinking?' when the FBI starts hacking victims of a botnet hack. Or when a mass hack goes awry and breaks their device, or an entire hospital system and puts lives at risk."
Sen. Chris Coons (D) of Delaware and Sen. Steve Daines (R) of Montana joined Wyden in unsuccessfully seeking a bill to delay the change to Federal Criminal Rule of Procedure 41 – which was authorized last spring by the US Supreme Court – for at least three to six months so the lawmakers could study it further.
The US Department of Justice (DOJ), which requested the change, argued that it is necessary to keep pace with technological changes and so-called "botnets," which are groups of malware-infected computers that can be controlled remotely for criminal purposes. Under the previous procedural rules, FBI agents had been required to secure judicial approval for warrants in each district where an infected computer was located before lawfully hacking into those machines. With the revised rule, the agents could secure one warrant from one judge to lawfully search all infected machines if their real location has been hidden, or if the machines are located in five or more districts.
"So, if there are more than five computers in the US, or the world for that matter, that have malware they are all subject to search, seizure, and copying by federal police agencies if they can somehow fuzzily be related to a crime in their jurisdiction," Tor Ekeland, a defense attorney who works on federal computer crime cases, wrote in an op-ed for The Christian Science Monitor, urging the public to back attempts to block the rule:
"This is true even where the computer owner is innocent of any wrongdoing and is not under investigation. Indeed, in the case of malicious software or botnets, computer owners may not even be aware of their device's participation. And given that some 30 percent of computers contain malware or are part of a botnet, suddenly the FBI has the ability to scan millions of computers."
The DOJ contends, however, that the Fourth Amendment protections on personal privacy remain fully intact because law enforcement will still be required to demonstrate to a judge that a particular search is warranted and lawful. The change addresses procedural matters of venue, not substantive matters of law, US Assistant Attorney General Leslie Caldwell wrote in a blog post this week.
"The amendments neither endorse particular searches as reasonable, nor do they in any way change the traditional constitutional, statutory, and prudential factors the department relies on to determine whether to seek a warrant. They simply identify the appropriate court to ask," Ms. Caldwell wrote.
In recent months, some judges have dismissed evidence gathered by the FBI as part of a large-scale child pornography sting on the grounds that the search warrants used in those cases exceeded their jurisdiction. Caldwell argued the change is necessary to combat "pedophiles who openly and brazenly discuss their plans to sexually assault children."
After hosting a discussion in October about the change, Stanford Law School privacy experts published an article earlier this month outlining points of consensus and disagreement about the change and its practical impact, to promote clarity in a matter of intense public debate.
"Most of our panelists, both those in favor and opposed to the rules change, agreed that current law does not adequately address situations where the government has probable cause to search but does not know the location of computers likely to contain evidence of a crime. Panelists tended to agree that this gap should be filled," Marshall Erwin and Jennifer Granick wrote.
But many panelists were concerned about the international implications of the change, they added, warning that American police investigations conducted under the new procedure could violate international law or treaties, or even "violate the principle of reciprocity because we might not want other countries remotely hacking our citizens in violation of the treaties we've established with those countries."
This report includes material from Reuters.