The US Supreme Court has just amended a procedural rule, known as Rule 41, that would allow judges to issue warrants for the government to hack computers anywhere, even outside their jurisdictions or if those computers belong to innocent victims of criminal hacking.
The rule changes will go into effect on 1 December 2016, unless the US Congress passes legislation to reverse the rule changes.
At issue is how the government obtains a warrant to use so-called “network investigative techniques” (NIT) to remotely access computers as part of an investigation.
Under current procedural rules, a judge can only issue an NIT warrant for surveillance of computers within the judge’s jurisdiction.
The US Department of Justice requested the Rule 41 change because sometimes it’s not possible to know the physical location of a computer, such as when someone uses the anonymizing Tor network.
Rule 41 impacted a recent court case involving an investigation into a dark web child abuse imagery website called Playpen, in which a district court judge threw out evidence obtained by the FBI through an NIT warrant because it was issued by a judge outside the jurisdiction where the crime was committed.
With the Supreme Court’s changes to Rule 41, a judge could issue a warrant for federal law enforcement to use remote access to search computers or storage media located within or outside that district, if:
… the district where the media or information is located has been concealed through technological means …
Even more controversially, in the eyes of civil libertarians such as Senator Ron Wyden of Oregon, the rule changes would allow the government to remotely surveil computers that have been “damaged without authorization and are located in five or more districts.”
This rule change might help law enforcement to investigate criminal hacking by searching computers that are part of a “botnet” – networks of compromised computers that cybercriminals use to distribute malware, send spam or launch denial-of-service attacks on websites.
💡 LEARN MORE: How bots and botnets work
According to Wyden, the government could use this authority to “search thousands or millions of computers at once,” even when those computers belong to “the victims, not the perpetrators, of cybercrime.”
The rule changes also don’t specify that NIT warrants need to be restricted to searches of computers within the United States, according to Google’s legal director for law enforcement and information security, Richard Salgado.
The Open Technology Institute (OTI), a technology policy group supported by many foundations and internet companies including Yahoo, Netflix, Facebook, Uber and Google, is objecting to the rule changes on multiple grounds.
Perhaps most importantly, the OTI notes that Congress has never enacted legislation authorizing this kind of “government hacking.”:
Whatever euphemism the FBI uses to describe it – whether they call it a “remote access search” or a “network investigative technique” – what we’re talking about is government hacking, and this obscure rule change would authorize a whole lot more of it.
… Like wiretapping, hacking is uniquely invasive compared to regular searches and raises serious issues under our Fourth Amendment, which protects us from unreasonable searches. Unlike wiretapping, however, Congress has never authorized government hacking nor established protective rules for the road to ensure it’s not abused.
Wyden said he plans to introduce legislation that would reverse the Supreme Court’s changes to Rule 41.
Yet if the slow-moving Congress doesn’t enact legislation before the December deadline, privacy advocates say, Rule 41 will give law enforcement drastically expanded hacking powers without approval by legislators who represent the American public.
10 comments on “This rule change just made it easier for the government to hack you, wherever you are”
If one person/agency has a Rat in your system, anybody can use it.
Home security will become even more important.
Write protected drives might become more common…. at least it’s foolproof for everything, less sniffing/MitM . Watch out for BIOS and Firmware hacks.
Re: “Even more controversially, in the eyes of civil libertarians such as Senator Ron Wyden of Oregon, the rule changes would allow the government to remotely surveil computers that have been “damaged without authorization and are located in five or more districts.”
How the heck do these guys define the word “districts” John? Admittedly they don’t know where many computers are, so we’re not even talking about American districts.
Can you enlighten us?
I think “districts” refers to federal judicial districts in the US, like the District of Massachusetts, or the Eastern District of Virginia (the two districts involved in the Playpen case).
More about federal districts here: https://en.wikipedia.org/wiki/United_States_federal_judicial_district
Whether a US judge can authorize a warrant for a search outside the US, or the US government can legally search a computer outside the US with only a US judge’s approval, is an important question, but probably better asked of a scholar in international law.
John, it’s starting to look like my first article will be entitled something like:
“FBI Plans To Make Warrentless Searches Of Millions Of Computers With Malware”
And by now we all know that FBI misuse will include, but not be limited to:
* They’ll use the broadest definition of malware possible, even ad-ware as an excuse
* They’ll search every nook and cranny of said computer
* If our next President is like this this law will be used to target political foes
* Ergo, “Pick and Choose” warrentless prosecution
* A rouge agent once in could theoretically plant child porn or other incriminating evidence in any computer
* Since the FBI software leaves no sign of intrusion, it’s likely there would be no forensic evidence to prove other evidence was planted
Sound about right?
The old way of enacting a law, as provided for in the Constitution, was for Congress to pass it and for the President to sign it, or, if the President vetoes it, for Congress to override the veto.
The new way is so much faster and more convenient. The Supreme Court bypasses the Constitution, by decreeing a rule change, which requires action by Congress and the President to overturn.
The next time that you hear someone use the expression “legislating from the bench,” then you will know what the person means.
This is yet another example of what results from ever-expanding government. Congress and the courts don’t grow; the expansion is always in the executive branch. The balance of power is now so far out of balance that it might never be restored.
This is a case of government branches working in concert to curtail civil liberties. The FBI is in the executive branch, which abuses its power, but the judicial branch just gave it a sloppy wet kiss. And if the rule change stands, I’d say judicial power just grew to extend across the whole planet. The only branch of government actng with an interest in protecting the Constitutional rights of the people is the Congress, but it’s just one Senator who gives a crap and the rest of those legislator crooks will be too busy taking away our rights in other ways to care about this one rule. It’s we the people whose power is being stripped away.
welcome back George. Haven’t heard you tweet in awhile
And this works fine as long as you can trust law enforcement, but what happens when law enforcement also breaks the law?
How can you ensure that they would not misuse this law? I see very little difference between black hat hackers and law enforcement these days… What rights do they have to legally hack another computer outside of their own jurisdiction and laws of another country? Wouldn’t they also try to prosecute hackers from another country trying to hack US government computers? e.g. Gary McKinnon. What makes that wrong and the U.S. FBI right for doing exactly the same thing? If they corrupt the O.S. / weaken security deliberately on a foreign computer to enable surveillance and another hacker takes advantage of this, will they compensate that person if they are innocent? Will they even admit or accept liability? Can they guarantee that only they have access? What if that person lives in an oppressive regime and their hacking exposes them to their government – will they intervene and prevent them from being harmed?
This is a dangerous presidence to set.
Will Rule 41 increase incentive for personal use of cybersecurity tools?
It would be more comforting to watch the FBI take down the botnet.
Using evil for good is a slippery slope!