PREVIOUS UPDATE: The recently proposed Stopping Mass Hacking Act (SMH Act), cosponsored by Senators Ron Wyden (D-OR), Rand Paul (R-KY), Tammy Baldwin (D-WI), Steve Daines (R-MT) and Jon Tester (D-MT), and its companion in the House (co-sponsored by Congressmen Ted Poe (R-TX), John Conyers (D-MI), Blake Farenthold (R-TX) and Zoe Lofgren (D-CA)) would stop the changes to Rule 41 described below from going into effect. CDT applauds this effort, and hopes that it can be approved by both houses of Congress and signed by the President by the December 1st deadline.
Last week, the Supreme Court expanded the FBI’s ability to hack into computers located anywhere in the world. This grant of extraordinary new power did not come about in the way you might expect – the Court did not issue a new opinion about a law that had been carefully crafted and extensively debated by Congress and various stakeholders. Instead, the Court gave its stamp of approval to a controversial rule change to the obscure Rule 41 of the Federal Rules of Criminal Procedure – the rules that dictate the procedures for criminal cases in courts in the United States. The new authority the rule change in question gives to the federal government could be astoundingly dangerous. If Congress does not enact legislation to block or mitigate this rule change by its December 1st deadline, measures must be taken to ensure that law enforcement officials’ new powers are exercised responsibly and transparently.
The rule change. Under the old Rule 41, magistrate judges with authority in a given district could only issue warrants for search and seizure of property when that property was located in that district, with certain narrow exceptions. The changes to Rule 41 approved by the Supreme Court would add two very expansive exceptions, allowing magistrates to grant warrants to search and seize electronic media located outside of their district in two circumstances: 1) when the physical location of the information is “concealed through technological means;” and 2) when, in an investigation of a violation of the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030(a)(5)), computers in five or more districts have been “damaged without authorization.”
As CDT testified before the Advisory Committee in 2014, this seemingly small, venue-related change could have profound consequences for the privacy and security of computers worldwide. For example, under the rule’s first exception, “technological means” would encompass not only the use of online anonymity tools, such as Tor, but also perfectly legitimate, everyday uses of the internet that may change the route of network traffic (such as the use of a secure Virtual Private Network (VPN)). As a result, a great number of innocent people may have their private devices and data searched and seized without the protections afforded by the Fourth Amendment’s particularity requirement or, if they are located abroad, protections from having their personal data searched by the United States government without adequate process (such as the Mutual Legal Assistance Treaty process). Moreover, given that the government’s intrusion methods necessarily involve exploiting weaknesses in devices in order to gain access, the new rule will put all devices, their data, and dependent systems that happen to be in law enforcement’s path at risk of potentially dangerous destruction.
What can be done? Given the great privacy and cybersecurity concerns that come with the proposed changes to Rule 41, in an ideal world Congress would band together and block them, which would allow such sweeping expansions of federal investigatory powers to be considered and debated in the proper branch of government: the legislature. Unfortunately, the rulemaking process imposes a December 1st deadline for blocking legislation to be drafted, approved by both houses of Congress, and signed by the President. Thus, although CDT applauds any effort to block the rule change, the success of such efforts is unlikely. The duty of ensuring that the government’s new hacking powers will be used responsibly will ultimately fall on the Department of Justice, and there are several measures it should adopt to this effect until Congress can formally require them by law:
- Limit the scope of information that may be gathered: The new rule’s first exception to traditional venue requirements is meant to address circumstances where law enforcement cannot identify the place to be searched because the location of the information has been concealed. Therefore, it would be appropriate to limit the scope of such “blind” searches to the collection of location and identifying information – e.g., the target’s IP or MAC address – which would enable investigators to pinpoint the location of the information they’ve requested to search. Investigators could then go to the appropriate judicial district where that information is located and obtain a warrant through traditional means that comply with the Fourth Amendment’s particularity requirement. Limiting the scope of remote searches would ensure that individuals using legitimate and legal tools that reroute network traffic are not given any fewer Constitutional protections than those who do not. In addition, it would reduce the risk of forum shopping while preserving the government’s ability to forgo the Fourth Amendment’s particularity requirement when the purpose of their search is to determine the area to be searched.
- Remove the exception for “damaged” computers: Approximately 500 million computers are victims of botnet attacks per year (that’s about 18 victims per second). Under the new rule, if damaged computers that are part of a CFAA investigation are located in five or more districts, a judge may authorize the government to hack them, regardless of their location, regardless of whether they are mere victims of the botnet attack, and regardless of how uniquely sensitive they are. This could lead to catastrophic results. A government network intrusion may, for example, end up damaging a hospital computer with critical patient information, a computer connected to a nuclear reactor, or a computer used by the Iranian government. The government’s need to remotely hack into computers that may be part of a botnet is simply not compelling enough to justify the grave risks involved. CDT cannot come up with any ways to amend this provision of the rule change in a way that would adequately mitigate the great damage it could cause, and other commentators have recommended that the exception for “damaged computers” be removed entirely.
- Provide additional details about the nature and possible effects of proposed hacking techniques: Given the unique risks that come with remote searches and seizures, law enforcement officials should provide enough details about their proposed course of action for magistrate judges to make informed decisions about what, exactly, they’re being asked to approve. Such details are not as critical in the physical world because the consequences of physical searches are generally apparent: in the physical world, for example, it is clear to magistrate judges when law enforcement officials are proposing to use a battering ram as opposed to explosives, which might injure innocents or damage property. It is also clear when the subject of the government’s forced entry is a single family home and not a hospital or power plant. Such clarity does not exist as readily in the digital space, particularly when the government only asks to use a “network investigative technique” to conduct its search (as is the current common practice). To the extent feasible, warrant applications for remote searches should specify the techniques that will be used throughout the remote search, demonstrate that such techniques will minimize risk and collateral damage, provide the approximate number of devices that will be implicated, and demonstrate that law enforcement has exhausted other alternatives to determining the location of the information to be searched. Moreover, magistrate judges should learn how to adequately scrutinize these warrant applications.
If the Department of Justice adopts these limitations and transparency mechanisms, the upcoming changes to Rule 41 may not have the recklessly dangerous results that CDT and others have feared.