Sens. Ron Wyden (D) of Oregon and Rand Paul (R) Kentucky have introduced a critical piece of legislation to stop the largest expansion in US history of government search and seizure power.
Their bill, known as the Stopping Mass Hacking Act, would undo the Supreme Court's decision to rubber stamp a Justice Department request to significantly alter Federal Criminal Rule of Procedure 41. The change would give federal law enforcement agencies the conditional power to remotely hack, search, and seize millions of computers belonging to innocent users anywhere in the world.
If the bill Senators Wyden and Paul proposed isn't passed by December, blocking the court's decision, the government would start down a troubling path, raising significant Digital Age constitutional questions under the Fourth Amendment and the Constitution’s venue clauses.
Our constitutional framers simply didn't contemplate a world in which the government could simultaneously peer into the private lives of millions of people simply with the push of a button.
Under common law, a person's home is their castle, and therefore deserving of the highest form of protection against intrusive search and seizure by the government. In the Digital Age, computers have become our castles because searchers of these devices would reveal far more intimate knowledge about a person than a mere physical search of a house.
Currently, Rule 41 requires that the government make a request based on probable cause for a search warrant to a federal magistrate judge, or in lieu of that, a state court judge. These requests are generally limited to the geographical district where the federal court is located. There are some exceptions, such as in terrorism investigations.
The Department of Justice, somewhat under the radar, successfully lobbied the Supreme Court to change Rule 41, adding a new subsection so judges in any district "where activities related to a crime may have occurred" can issue warrants that allow federal police agencies to remotely access and search, seize, or copy "electronically stored information" if:
- The district where the media is has been concealed "through technological means;" or
- "[I]n an investigation of a violation of the Computer Fraud and Abuse Act 18 U.S.C. 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts."
That second point is equally as eyebrow raising as the first. My law firm regularly litigates federal criminal cases involving the Computer Fraud and Abuse Act (CFAA) such as the case involving Matthew Keys, who was sentenced to two years after convicted of aiding the hacktivist group Anonymous. We are now representing him on appeal to the Ninth Circuit Court of Appeals.
Based on my lengthy experience with these types of cases, the CFAA defines "damage" so broadly that using it as a springboard for such a dramatic expansion of the government’s search and seizure power is deeply problematic.
Under the CFAA, "damage" means "any impairment to the integrity or availability of data, a program, a system, or information." A judge can interpret that as even a mere slowdown in access to data on that computer. So, if there are more than five computers in the US, or the world for that matter, that have malware they are all subject to search, seizure, and copying by federal police agencies if they can somehow fuzzily be related to a crime in their jurisdiction.
This is true even where the computer owner is innocent of any wrongdoing and is not under investigation. Indeed, in the case of malicious software or botnets, computer owners may not even be aware of their device's participation. And given that some 30 percent of computers contain malware or are part of a botnet, suddenly the FBI has the ability to scan millions of computers.
A central argument made by the Justice Department during hearings about whether to approve the Rule 41 changes was that the judiciary would serve as a gatekeeper, and deny overbroad, unconstitutional, and abusive warrants.
We can't blindly trust the government to play this role, and history provides plenty of examples why – from its past treatment of Martin Luther King to the Drug Enforcement Agency's recent abuse of wiretap requests.
Our founders didn't subscribe to the "trust us" philosophy; that’s why we have the Bill of Rights. Law enforcement agencies can't be trusted with the sort of power that comes with changing Rule 41. That's why anyone who cares about limiting the government's power, and protecting their rights in the Digital Age, should vigorously support Wyden and Paul's effort to block this dangerous development.
Tor Ekeland is an attorney in New York City who represents defendants charged with federal computer crimes. Follow him on Twitter at TorEkelandPC.