Modern field guide to security and privacy

Opinion: Congress needs to check government hacking powers

Now that law enforcement has more leeway to hack computers and surveil suspects due to changes in criminal procedure, Congress needs oversee these powers to protect Americans' civil liberties and privacy.

Carlo Allegri/Reuters/File
A police officer silhouetted against the Apple Store logo in Manhattan.

In 2014, the Justice Department began pushing for legal changes to give law enforcement greater authority to hack into private computer systems.

Several leading senators attempted to stall the rule change so that Congress could have more time to study the complex issue, which could potentially impact millions of Americans. Their effort failed and the new rules took effect on Dec. 1.

While the rise of secure digital communications necessitates that law enforcement have additional authority to successfully investigate crimes and combat terrorism, expanding government hacking power needs to be done in a careful and deliberate manner. Given the scope and importance of these rules, Congress should oversee the changes to ensure they respect civil liberties, do not weaken cybersecurity, and achieve the desired results for law enforcement.

These changes – made to Rule 41 of the Federal Rules of Criminal Procedure that governs how federal criminal prosecutions are handled in the US – were intended to make it easier for the FBI to carry out complex computer investigations.

Previously, the FBI had to go to a magistrate judge in every judicial district where they would like to gain access to a computer and get a warrant for each machine. The new rules allow magistrate judges to grant federal agents a single search warrant for multiple computers in different locations, including computers outside their jurisdiction.

This change was designed to help law enforcement in two ways. First, if suspects in an online crime obscure their location, amended procedures allow federal agents to obtain a search warrant letting them attempt to remotely install malware on suspects' computers. Second, if a crime involves criminals hacking computers in five or more districts, the changes allow judges to issue a single warrant for all affected computers, regardless of where the computers are located. This change will help law enforcement to more efficiently combat botnets, a large network of computers remotely controlled by hackers.

There are several problems with the policy change – and government hacking more generally. Most botnets consist of malware-infected devices. When the government hacks into computers that are part of a botnet, they are typically accessing the systems of victims. Therefore, this change would allow law enforcement to gain lawful access to private data of ordinary citizens who have not willingly participated in any crime.

Given that the FBI estimated in 2014 that approximately 500 million computers are infected globally each year, the new procedure could affect millions of Americans. Without strong protections in place, this is the kind of ambiguous legal framework that could lead to increased surveillance, and should cause ordinary Americans great discomfort.

In addition, government hacking can create vulnerabilities that weaken the security of the systems they hack. For example, if law enforcement installs malware on a device to give themselves backdoor access, other attackers may later exploit this vulnerability. In addition, when hacking into a system, law enforcement can accidentally corrupt files on a system causing problems for other users.

Furthermore, because Rule 41 allows law enforcement to seek warrants for devices outside of the judicial district where they are located, it could lead to "forum shopping," in which law enforcement seeks warrants in districts where a judge is more likely to grant them. Usually, courts guard against this type of behavior by requiring strong jurisdictional claims. However, this protection no longer exists in cases involving five or more computers in different districts.

New rules for government hacking are necessary to enable law enforcement to tackle online crimes and stop terrorism in a networked age. Unfortunately, there has been little public debate by elected officials about how and when the government can engage in hacking.

Instead, amendments to Rule 41 came about through the federal judiciary's Advisory Committee on the Federal Rules of Criminal Procedure and were approved by the Supreme Court. This type of rule change is usually done for procedural updates, such as what holidays courts are closed on, not making substantial changes to how the government can access systems. 

Congress should have an open debate about these changes and establish fair and effective rules for government hacking, including by defining under what circumstances the private sector should provide technical assistance to law enforcement and creating strong accountability and transparency requirements.

These measures will ensure that law enforcement has the appropriate authority to pursue investigations while also protecting civil liberties and computer security. Congress should also explore how the United States can help set international standards for lawful government hacking to promote greater cooperation among law enforcement globally to better combat cybercrime.

Only by initiating a public debate in Congress on how and when the government can hack into private systems can the US set an example for the rest of the world on how to both protect security and privacy while ensuring law enforcement gets the tools it needs to keep up with investigations in the 21st century.

Alan McQuinn is a research analyst at the Information Technology and Innovation Foundation (ITIF), the leading US science and tech policy think tank. Follow Alan on Twitter @AlanMcQuinn.

Daniel Castro is ITIF’s vice president. Follow Daniel on Twitter @castrotech.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Opinion: Congress needs to check government hacking powers
Read this article in
QR Code to Subscription page
Start your subscription today