The US Supreme Court has just amended a procedural rule, known as Rule 41, that would allow judges to issue warrants for the government to hack computers anywhere, even outside their jurisdictions or if those computers belong to innocent victims of criminal hacking.
The rule changes will go into effect on 1 December 2016, unless the US Congress passes legislation to reverse the rule changes.
At issue is how the government obtains a warrant to use so-called “network investigative techniques” (NIT) to remotely access computers as part of an investigation.
Under current procedural rules, a judge can only issue an NIT warrant for surveillance of computers within the judge’s jurisdiction.
The US Department of Justice requested the Rule 41 change because sometimes it’s not possible to know the physical location of a computer, such as when someone uses the anonymizing Tor network.
Rule 41 impacted a recent court case involving an investigation into a dark web child abuse imagery website called Playpen, in which a district court judge threw out evidence obtained by the FBI through an NIT warrant because it was issued by a judge outside the jurisdiction where the crime was committed.
With the Supreme Court’s changes to Rule 41, a judge could issue a warrant for federal law enforcement to use remote access to search computers or storage media located within or outside that district, if:
… the district where the media or information is located has been concealed through technological means …
Even more controversially, in the eyes of civil libertarians such as Senator Ron Wyden of Oregon, the rule changes would allow the government to remotely surveil computers that have been “damaged without authorization and are located in five or more districts.”
This rule change might help law enforcement to investigate criminal hacking by searching computers that are part of a “botnet” – networks of compromised computers that cybercriminals use to distribute malware, send spam or launch denial-of-service attacks on websites.
💡 LEARN MORE: How bots and botnets work
According to Wyden, the government could use this authority to “search thousands or millions of computers at once,” even when those computers belong to “the victims, not the perpetrators, of cybercrime.”
The rule changes also don’t specify that NIT warrants need to be restricted to searches of computers within the United States, according to Google’s legal director for law enforcement and information security, Richard Salgado.
The Open Technology Institute (OTI), a technology policy group supported by many foundations and internet companies including Yahoo, Netflix, Facebook, Uber and Google, is objecting to the rule changes on multiple grounds.
Perhaps most importantly, the OTI notes that Congress has never enacted legislation authorizing this kind of “government hacking.”:
Whatever euphemism the FBI uses to describe it – whether they call it a “remote access search” or a “network investigative technique” – what we’re talking about is government hacking, and this obscure rule change would authorize a whole lot more of it.
… Like wiretapping, hacking is uniquely invasive compared to regular searches and raises serious issues under our Fourth Amendment, which protects us from unreasonable searches. Unlike wiretapping, however, Congress has never authorized government hacking nor established protective rules for the road to ensure it’s not abused.
Wyden said he plans to introduce legislation that would reverse the Supreme Court’s changes to Rule 41.
Yet if the slow-moving Congress doesn’t enact legislation before the December deadline, privacy advocates say, Rule 41 will give law enforcement drastically expanded hacking powers without approval by legislators who represent the American public.