As of yesterday, the FBI now enjoys a dramatically expanded ability to hack into your devices. In fact, with just one warrant from a cherry-picked magistrate judge, federal law enforcement can now hack into millions of devices.
You might have missed the shift. It happened without any congressional hearings or votes. And the president didn’t sign a thing.
This is all thanks to the Committee on the Federal Rules of Criminal Procedure and a little change to Rule 41.
Typically, in order for a federal agency like the FBI to receive new authority to conduct invasive operations, Congress first has to pass a law that grants it to them. This means both houses must vote to approve a bill and then the president must sign it.
But Rule 41 was significantly changed by this obscure committee run by the judiciary. Because rule changes like this are supposed to be procedural and not make substantive changes to government authority, they are designed to go into effect automatically so long as Congress doesn’t proactively pass a law to stop them.
Spoiler alert: That didn’t happen. And it was a big mistake.
There are several major problems here. Although the FBI has secretly been hacking for over a decade, they have no specific legal authority to do it. When Congress passed rules to allow law enforcement to conduct wiretaps, it came with recognition that the activity was incredibly invasive and was designed to protect the rights and privacy of innocent people. And hacking is potentially much, much more invasive than a wiretap.
However, Congress arguably just blessed FBI hacking on a massive scale without any consideration of the privacy rights of innocent people. And even worse – they did it through an obscure process that minimized public debate.
The change to the rule essentially has implicitly authorized the FBI to hack into your devices. Additionally, in a move that that technical experts argue is overly broad, unnecessary, and incredibly risky for digital security, the rule changes also increase magistrate judges’ authority to issue warrants in certain investigations under the oft-criticized Computer Fraud and Abuse Act. All this will give the FBI berth to secretly hack into and search the devices of innocent individuals, without their knowledge or consent, if the devices have been potentially infected by a botnet.
Not only do these changes encourage forum shopping – the practice of choosing jurisdictions friendly to your side of a case – but they also allow a single warrant issued by a single judge of the government’s choosing to potentially impact the privacy and security of millions of people globally.
The Department of Justice argues that we shouldn’t be concerned about what this rule change authorizes because the FBI has no plans to use its new authority improperly.
This ignores the fact that the FBI has already conducted improper hacking operations. After all, it’s been more than a decade since the FBI started hacking. These operations have targeted criminal fugitives, people who have made bomb threats, and users of child pornography websites, but they have also gone after people who are using services for innocent, legitimate communications.
For many years the FBI kept these operations mostly secret, and the little information that we had in those early years was only available thanks to Freedom of Information Act (FOIA) requests by journalists at Wired and tech advocates. These FOIA documents reveal that even then, FBI hacking had a broad scope. In fact, one document shows that agents were chastised for overusing the tools because the FBI thought that if they hacked too often, they wouldn’t be able to keep the hacking secret.
Fast forward to now. Today, the FBI is fighting court battles around the US because of a recent hacking operation — one that is central to understanding what changed for US surveillance this week. The FBI got a warrant from a single magistrate judge in Virginia that authorized the agency to essentially install malware on the computers of everyone that visited a specific website, in this case, a child pornography website. This malware allowed the FBI to collect information about every one of those computers. Based on evidence from searches through that single warrant, the agency is pursuing multiple cases around the country against people who visited the website.
But are these warrants valid? The rules for magistrate judges to issue warrants are largely laid out in the Federal Rules of Criminal Procedure. Rule 41 of these procedures requires that warrants be issued in the jurisdiction where the search is to occur, with very few exceptions.
In cases where a computer is searched, the jurisdiction would be where the computer is located. But here, the locations of the computers was not known (in fact some computers were located in jurisdictions not only in the US but all around the world). Therefore, defendants have argued that the magistrate ran afoul of Rule 41. Some courts have agreed, finding the warrant invalid. Some have rejected that argument and let the case move forward. Others have agreed the magistrate violated the rule, yet have allowed the warrant to stand, finding that it was a limited violation.
With these new changes, as of Thursday, the FBI now will never have to fight this fight again. It now has the procedural ability to get a warrant to hack – even though Congress has never actually given them specific authority to do so.
Most troubling, because Congress has failed to act, the FBI can, and will, argue the body has implicitly given its permission for this kind of hacking.
It is now more important than ever that Congress put consideration of FBI hacking authorities at the top of its 2017 agenda. If the FBI is going to engage in hacking operations, Congress must also put in place protection for the privacy and security of innocent people. That includes placing appropriate limits on when and how federal authorities conduct those operations, providing protections for non-targets, increasing transparency and accountability, defining what information can be obtained, and developing a process for disclosing vulnerabilities to the manufacturers of products and services.
Otherwise, these inadequately debated changes to Rule 41 will undermine our human rights, safety, and security.