Modern field guide to security and privacy

Obscure legal change expands government hacking powers

A revision to the Federal Rules of Criminal Procedure allows law enforcement to hack suspects' computers regardless of jurisdiction. Civil liberties groups worry the change will harm individuals' privacy rights.

Zachary Fagenson/Reuters/File
The FBI removed computers from an office in Florida.

The FBI, Department of Homeland Security, and other US government authorities now require only the signature of a single judge to hack criminal suspects' computers and personal devices regardless of where they're located. 

The amendments to Rule 41 of the Federal Rules of Criminal Procedure are law enforcement's response to the growing pervasiveness and far-reaching nature of Digital Age crimes, which are often carried out in one location and affect countless individuals and computers located across the globe. 

But many privacy and civil liberties groups have vowed to challenge the change in Congress and in court, arguing that it gives federal authorities too much power to surveil computers and personal devices and will eventually harm individuals' privacy rights.

They're especially worried that changes to the rule make it easier for investigators to gain access to victimized computers in up to 94 US jurisdictions, potentially opening innocent citizens up to legal scrutiny and surveillance.

But backers of the changes insist the nature of cybercrime requires these kinds of procedures, especially when it comes to investigating the people who carry out botnet attacks, digital assaults that can involve thousands of infected computers.

"Today, the subjects that we're investigating could be anywhere," said Leo Taddeo, former head of the FBI’s cyber and special operations division in New York who now serves as chief security officer for cybersecurity firm Cryptzone. "And we don't know that until we conduct the type of investigation that the warrant will allow, which is a search. It just makes police work possible in the 21st century."

The US government already had the power to conduct warranted mass intrusions into suspects' computers using "remote access" software, or programs that authorities push out through the internet into a target's machine. But officials have complained they were often limited by the legal procedures in pursuing perpetrators of such internet crimes as distributing child pornography or criminals who carry out distributed denial of service, or DDoS, attacks. 

For instance, Justice Department officials pointed to a child pornography case that used digital surveillance techniques to unmask suspects involved in an underground child exploitation network. A single warrant sufficed for at least 48 of the prosecutions, but some federal courts threw out evidence gleaned from the remote probe because of the "lack of clear venue," Assistant Attorney General Peter Kadzik noted in a letter to Sen. Ron Wyden (D) of Oregon, one of the leading congressional opponents of the Rule 41 change.

Senator Wyden led an unsuccessful last-minute effort to stall the changes, asking Senate leaders to act on pending legislation that would block or delay the rule from taking effect.

"By sitting here and doing nothing, the Senate has given consent to this expansion of government hacking and surveillance," Wyden said in a statement. "Law-abiding Americans are going to ask what were you guys thinking when the FBI starts hacking victims of a botnet hack. Or when a mass hack goes awry and breaks their device, or an entire hospital system and puts lives at risk."

Privacy and digital rights groups such as the Electronic Frontier Foundation (EFF) reacted harshly to the amended criminal procedure, and have called for greater transparency into how the FBI and others plan on taking advantage of the change and for guidelines for government hacking.

"We don’t have any confidence whatsoever that the FBI is not going to mess it up and end up causing damage to the computers that they are searching," said Nate Cardozo, senior staff attorney at the EFF. "If the malware bricks your laptop," rendering it inoperable, "you have no recourse under the new rules."

And while Justice officials say Rule 41 updates do not make substantive changes to the FBI's hacking abilities, just procedural ones, Mr. Cardozo called that argument disingenuous. In his view, the FBI never before had the authority to search a victim’s computer without the person's consent.

The FBI and Justice declined to comment on security precautions for government searches under Rule 41. But department officials did say they will take reasonable steps to notify victims that a warranted search of their computer was conducted. 

Officials said current laws already green-light searching a victim's computer without the victim's consent; however, many rights groups disagree with their reading of the law.

Mr. Taddeo, the former FBI agent, acknowledged the possibility that intrusion software could net the wrong people or the wrong information, but said the savagery of present-day online crime overshadows the hypothetical technological risks.

The "potential for harm from the misuse of the tool or misconfiguration of the tool is there and needs to be monitored. That's why we have a lot of protections in place," he said. But "you have to weigh the two interests and decide which one is more important, and right now, with the problem of child pornography, I think that outweighs the possibility that there is going to be a misconfiguration or an abuse."
