Modern field guide to security and privacy

Opinion: Like it or not, government hackers gonna hack

Congress just implicitly blessed FBI hacking on a massive scale without any consideration of the privacy rights of innocent people. And even worse, they did it through an obscure process that minimized public debate.

Joshua Roberts
FBI Director James Comey testifies before a House Judiciary Committee hearing on "Oversight of the Federal Bureau of Investigation" on Capitol Hill.

As of yesterday, the FBI now enjoys a dramatically expanded ability to hack into your devices. In fact, with just one warrant from a cherry-picked magistrate judge, federal law enforcement can now hack into millions of devices.

You might have missed the shift. It happened without any congressional hearings or votes. And the president didn’t sign a thing.

This is all thanks to the Committee on the Federal Rules of Criminal Procedure and a little change to Rule 41.

Typically, in order for a federal agency like the FBI to receive new authority to conduct invasive operations, Congress first has to pass a law that grants it to them. This means both houses must vote to approve a bill and then the president must sign it.

But Rule 41 was significantly changed by this obscure committee run by the judiciary. Because rule changes like this are supposed to be procedural and not make substantive changes to government authority, they are designed to go into effect automatically so long as Congress doesn’t proactively pass a law to stop them.

Spoiler alert: That didn’t happen. And it was a big mistake.

There are several major problems here. Although the FBI has secretly been hacking for over a decade, they have no specific legal authority to do it. When Congress passed rules to allow law enforcement to conduct wiretaps, it came with recognition that the activity was incredibly invasive and was designed to protect the rights and privacy of innocent people. And hacking is potentially much, much more invasive than a wiretap.

However, Congress arguably just blessed FBI hacking on a massive scale without any consideration of the privacy rights of innocent people. And even worse – they did it through an obscure process that minimized public debate.

The change to the rule essentially has implicitly authorized the FBI to hack into your devices. Additionally, in a move that that technical experts argue is overly broad, unnecessary, and incredibly risky for digital security, the rule changes also increase magistrate judges’ authority to issue warrants in certain investigations under the oft-criticized Computer Fraud and Abuse Act. All this will give the FBI berth to secretly hack into and search the devices of innocent individuals, without their knowledge or consent, if the devices have been potentially infected by a botnet. 

Not only do these changes encourage forum shopping – the practice of choosing jurisdictions friendly to your side of a case – but they also allow a single warrant issued by a single judge of the government’s choosing to potentially impact the privacy and security of millions of people globally.

The Department of Justice argues that we shouldn’t be concerned about what this rule change authorizes because the FBI has no plans to use its new authority improperly.

This ignores the fact that the FBI has already conducted improper hacking operations. After all, it’s been more than a decade since the FBI started hacking. These operations have targeted criminal fugitives, people who have made bomb threats, and users of child pornography websites, but they have also gone after people who are using services for innocent, legitimate communications.

For many years the FBI kept these operations mostly secret, and the little information that we had in those early years was only available thanks to Freedom of Information Act (FOIA) requests by journalists at Wired and tech advocates. These FOIA documents reveal that even then, FBI hacking had a broad scope. In fact, one document shows that agents were chastised for overusing the tools because the FBI thought that if they hacked too often, they wouldn’t be able to keep the hacking secret.

Fast forward to now. Today, the FBI is fighting court battles around the US because of a recent hacking operation — one that is central to understanding what changed for US surveillance this week. The FBI got a warrant from a single magistrate judge in Virginia that authorized the agency to essentially install malware on the computers of everyone that visited a specific website, in this case, a child pornography website. This malware allowed the FBI to collect information about every one of those computers. Based on evidence from searches through that single warrant, the agency is pursuing multiple cases around the country against people who visited the website.

But are these warrants valid? The rules for magistrate judges to issue warrants are largely laid out in the Federal Rules of Criminal Procedure. Rule 41 of these procedures requires that warrants be issued in the jurisdiction where the search is to occur, with very few exceptions.

In cases where a computer is searched, the jurisdiction would be where the computer is located. But here, the locations of the computers was not known (in fact some computers were located in jurisdictions not only in the US but all around the world). Therefore, defendants have argued that the magistrate ran afoul of Rule 41. Some courts have agreed, finding the warrant invalid. Some have rejected that argument and let the case move forward. Others have agreed the magistrate violated the rule, yet have allowed the warrant to stand, finding that it was a limited violation.

With these new changes, as of Thursday, the FBI now will never have to fight this fight again. It now has the procedural ability to get a warrant to hack – even though Congress has never actually given them specific authority to do so.

Most troubling, because Congress has failed to act, the FBI can, and will, argue the body has implicitly given its permission for this kind of hacking. 

It is now more important than ever that Congress put consideration of FBI hacking authorities at the top of its 2017 agenda. If the FBI is going to engage in hacking operations, Congress must also put in place protection for the privacy and security of innocent people. That includes placing appropriate limits on when and how federal authorities conduct those operations, providing protections for non-targets, increasing transparency and accountability, defining what information can be obtained, and developing a process for disclosing vulnerabilities to the manufacturers of products and services.

Otherwise, these inadequately debated changes to Rule 41 will undermine our human rights, safety, and security.

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Opinion: Like it or not, government hackers gonna hack
Read this article in
https://www.csmonitor.com/World/Passcode/2016/1202/Opinion-Like-it-or-not-government-hackers-gonna-hack
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe