Will Congress ever vote on the “The Stop Mass Hacking Act”?

Capitol Hill building

With the clock ticking, and only 75 days left, opponents of the U.S. government’s proposed liberalization of “mass government hacking” are turning up the heat. So far, though, they haven’t even gotten hearings from a Congress that’s a bit preoccupied with other matters (e.g., getting re-elected).

The issue: a few obscure paragraphs of proposed revisions to “Rule 41 of the Federal Rules of Criminal Procedure.” In Politico‘s words, these revisions:

…would let judges grant electronic search warrants for devices whose locations aren’t known, and permit them to authorize remote searches of devices not in their jurisdiction.

The current Rule 41 already allows law enforcement to request electronic search warrants or the right to remotely hack into devices. The catch: they must get the warrant from a judge in the jurisdiction where the search will occur… i.e., where the computer(s) are.

That’s a problem for the government if somebody’s using something like Tor to hide their location.

It’s also a problem for the government when the computers are everywhere. For example: when they’re investigating a ransomware-spreading botnet that’s captured computers scattered through 94 different court districts, each needing a separate warrant.

In such circumstances, the revised rule would let the government ask for a single warrant that could be executed anywhere in the U.S.

Opponents have been arguing for several months that it’s a step way too far – many of them as members of the No Global Warrants coalition of public interest groups, privacy tool providers, and Internet companies. Among their arguments:

  • “This would invite law enforcement to seek warrants authorizing them to hack thousands of computers at once—[likely a] direct violation of the Fourth Amendment.”
  • “It would also take the unprecedented step of allowing a court to issue a warrant to hack into the computers of innocent Internet users who are themselves victims of a botnet.”
  • The government could now “shop” for a sympathetic judge known for lenient standards.

The U.S. government set out the case for the rule change, and why you shouldn’t worry about it, in a blog post in June, stating:

The amendments would not authorize the government to undertake any search or seizure or use any remote search technique, whether inside or outside the United States, that is not already permitted under current law.  The use of remote searches is not new and warrants for remote searches are currently issued under Rule 41.  In addition, most courts already permit the search of multiple computers pursuant to a single warrant so long as necessary legal requirements are met.

The amendments, they say, apply in two narrow circumstances:

  • Where a suspect has used technology to hide a computer’s location
  • If the crime involves criminals hacking computers in five or more judicial districts

For example, Assistant Attorney General Leslie R. Caldwell points to a recent investigation of child sexual abuse in which some judges “ordered the suppression of evidence based solely on the lack of clear venue in the current version of the rule.”

We reported on all this in late April when the U.S. Supreme Court first proposed the rule, which will automatically go into effect on 1 December 2016 unless halted by Congress.

Then, in May, tech-savvy Democrat Ron Wyden and libertarian Republican Rand Paul proposed The Stop Mass Hacking Act (S. 2952, H.R. 5321). It’s basically one sentence: “To prevent the proposed amendments to rule 41 of the Federal Rules of Criminal Procedure from taking effect.”

The Wyden-Paul bill quickly gathered backing from over 50 organizations; on 21 June, opponents even organized a national “day of action” against the Rule 41 revisions.

Since then, congressional leadership has studiously avoided the issue. No hearings. No votes.

This week, top Judiciary Committee Democrat Pat Leahy and Utah conservative Republican Mike Lee requested the courtesy of an actual hearing. Senate Judiciary Committee chairman Chuck Grassley responded politely that he “appreciates the feedback he is receiving on the Rule 41 changes and is considering the requests and any need for a hearing.”

Outside Congress, as you might expect, the folks at Tor have been especially vocal about all this. This week, Tor blogger ailanthus wrote that:

[many in Congress] don’t yet understand either the technology or its impact on democratic institutions and values. Some understand that Tor and encryption are currently used by politicians, judges, and even the FBI to keep their communications private–but others do not… Some know that a back door for one good guy is eventually a back door for multiple bad guys. Many others do not. So some US officials can take advantage of this ignorance… to expand their power.

Of course, for the bill to become law, it needs more than hearings: it needs to pass both the Senate and the House. And, with an election coming, they’re each taking an awful lot of days off between now and December. So we’ll keep you posted… and, of course, if you happen to have an opinion, now would be a good time to let your congressfolk know.