Campaigners bid to delay Rule 41 ‘legal hacking’ bill

Two weeks before a December 1 deadline for a federal rule that would let feds hack you wherever you are, lawmakers made a last-ditch effort to push it back for six months.

As we reported in April, when the US Supreme Court first proposed the rule change, it was to a procedural rule known as Rule 41.

The change would allow judges to issue warrants for the government to hack computers anywhere, even outside their jurisdictions and regardless of whether those computers belong to innocent victims of criminal hacking.

An amended Rule 41 was to automatically go into effect on December 1 2016 unless halted by Congress.

With the clock fast ticking down toward what opponents saw as an impending privacy catastrophe, and with the “Stop Mass Hacking Act” legislation to stop the changes being repeatedly pushed off during the frenetic election season, a coalition of senators and representatives finally did something.

Namely, a bicameral coalition proposed legislation on Thursday afternoon: not to stop the changes dead, but to at least delay implementation until July 1 next year.

The bill is called the Review the Rule Act (PDF).

Legislation doesn’t get much more succinct than this. The bill description:

To delay the amendments to rule 41 of the Federal Rules of Criminal Procedure.

One of the delay backers, Senator Steve Daines, a Republican from Montana, reiterated what opponents have been saying for months: the Rule 41 change would give the federal government a “blank check” to infringe on people’s civil liberties, and Congress needs time to investigate what the rule would mean for Fourth Amendment rights.

Opponents have banded together to fight off Rule 41 changes, many as members of the No Global Warrants coalition of public interest groups, privacy tool providers and internet companies.

Among their arguments:

  • An amended Rule 41 would invite law enforcement to seek warrants authorizing them to hack thousands of computers at once, likely in direct violation of the Fourth Amendment protection against unreasonable search
  • “It would also take the unprecedented step of allowing a court to issue a warrant to hack into the computers of innocent internet users who are themselves victims of a botnet”
  • The government could now “shop” for a sympathetic judge known for lenient standards

As evidence of how Rule 41 could be used unlawfully, opponents point to the warrant the FBI used in the Playpen investigation, which resulted in the FBI putting malware on to more than 1,000 computers around the world as agents tried to track down sexual abusers of children.

In late October, the Center for Internet and Society at Stanford Law School hosted a discussion on the controversy over Rule 41.

The results included consensus on some broad points: panelists both opposed to and in favor of the rule change agreed that, for one thing, current law doesn’t adequately address situations where the government has probable cause to search but doesn’t know exactly where it’s going to turn up computers with evidence.

Another thing broadly agreed upon is that if you go searching computers overseas, you’re very likely going to break international law or treaties when you go after anonymous targets.

Also, there’s this: wouldn’t an amended rule mean the US could break the rule of reciprocity? As in, if the US gives itself carte blanche to hack anonymous targets the world over, wouldn’t it open the door to other countries hacking US citizens in violation of those same laws and treaties?

That panel discussion took place about a week after the Mirai botnet, responsible for one of the largest and most powerful distributed denial of service (DDoS) attacks ever, hit DNS provider Dyn and shook major services including Twitter, Reddit and Spotify.

That type of attack is what one of the changes to Rule 41 is supposed to address.

Could the rule change have been used to mitigate the Mirai threat?

The panelists “had relatively little to say” about that, as the CIS’s Marshall Erwin and Jennifer Granick said. Rule 41 changes include a botnet provision that’s seen little investigation compared with the other change, which would impact territorial reach and Fourth Amendment implications.

More mulling is required, they said, and hopefully the proposed delay will help that happen:

If changes to Rule 41 go into effect on December 1 as scheduled, courts, Congress and the Administration will likely grapple with the substantive problems at some point down the road. In the meantime government hacking moves forward.

If [the Review the Rule Act] becomes law, there’s time to deal with those problems now, but the law enforcement gap remains unaddressed for six more months. Regardless, we should assume that substantive concerns need attention now, even if judges begin to issue warrants under the revised rule.