Delay Implementation of Government Hacking Rule

UPDATE: CDT signed onto a coalition letter with more than 20 civil liberties and privacy advocates, and companies, urging Congress to delay implementation of Rule 41. The coalition noted that “government hacking . . . can be much more privacy invasive than traditional searches” and suggested swift passage of Sen. Coons’s bill.

By now, everyone has heard of Crypto Wars 2.0—the push by, in particular, FBI Director James Comey to include “backdoors” in encrypted communications services that allow law enforcement to access them during investigations.

There’s a corollary to that debate, however.  If encryption backdoors are technically infeasible or a bad idea (both are true), the conversation then turns to what the government can do. One of the main policy alternatives is some type of authority for the government to hack into an individual user’s computer.  Unfortunately, that debate has not yet happened, but the government is still about to permit mass government hacking with the potential for a whole host of unintended consequences.  A cart full of cyber-TNT has been put before the horse.

A cart full of cyber-TNT has been put before the horse.

Fortunately, Senators Coons (D-DE), Daines (R-MT), Franken (D-MN), Lee (R-UT), and Wyden (D-OR), and Representatives Conyers (D-MI) and Poe (R-TX), introduced bipartisan legislation today to delay implementation of the rule, and to allow this important debate to take place.

The rule at issue, Rule 41 of the Federal Rules of Criminal Procedure, sets out the procedure for when federal magistrate judges can issue warrants for the search and seizure of property. The rules also cover when a magistrate judge can issue a warrant for a search or seizure outside the judge’s home district.

The updated version of Rule 41—the version that will become part of the Federal Rules of Criminal Procedure unless the bill above is adopted—would greatly expand the authority of magistrates to issue warrants for the search and seizure of electronic media located outside of the judge’s district.  In particular, Rule 41, as amended, would permit magistrates to issue warrants for electronic media that is not located within the magistrate’s district: (a) whenever the physical location of the computer at issue is “concealed through technological means”; or (b) in an investigation under the Computer Fraud and Abuse Act, where “damaged” computers are located in five or more judicial districts.

In plain English, the first change means that a judge could issue a warrant that would allow federal law enforcement to use hacking tools to access a whole slew of computers, many of which will belong to completely innocent users, looking for one that is using Tor.  Tor is software that uses encryption to enable anonymous communications (which also obscures the location of the computer).  The second change potentially means that law enforcement can get a warrant in one district to access computers all around the country, or even all around the world.

Mass government hacking carries the risk of harm to computers of people who are not malicious hackers.

The implications of such a change being written into the rules could be quite significant.  First, and importantly, mass government hacking carries the risk of harm to computers of people who are not malicious hackers. This is because executing these warrants means that law enforcement will literally be exploiting vulnerabilities in computers that have nothing to do with the underlying criminal investigation.

Second, from a legal vantage point, the amendment would make changes through judicial rulemaking that, thus far, have occurred exclusively through legislation. That is, the current provisions of Rule 41 that allow for the issuance of warrants for search or seizure of electronic media outside of a judge’s district, and which are far narrower than the proposed changes, were enacted by Congress through legislation.  Now, however, the scope of the warrant authority is being expanded through what should be a purely “procedural” procedure.  At the very least, Congress needs to debate and deliberate over this dramatic expansion of the FBI’s computer snooping power.

Additionally, the proposed change invites “forum shopping” by the FBI and federal prosecutors.  That is, investigators and U.S. attorneys are going to hunt around for the most “government-friendly” district and repeatedly apply for warrants that operate nationally just from that magistrate or magistrates.

We hope that everyone can agree we need to have an open and deep debate about this proposal. Senator Coons’ bipartisan legislation, by delaying the implementation of the rule for six months, will give Congress and the American people a chance to soberly and comprehensively examine the civil liberties and cybersecurity implications of the proposed rule.