The US Department of Justice is seeking to drastically expand its abilities to search computers remotely through an obscure change in the rules of criminal procedure. This would have the effect of making it easier for law enforcement to remotely break into and search computers worldwide when the computer’s location is concealed. This change is highly dangerous in that it will essentially allow law enforcement to hack into hundreds of millions of computers all over the world. This kind of expansion of power should not be happening in an obscure forum – The Judicial Conference’s Advisory Committee on the Federal Rules of Criminal Procedure – but in open debate and consideration in Congress. Yesterday, I testified before the Advisory Committee, having worked with CDT’s Senior Counsel Harley Geiger on our written testimony.
The DOJ is proposing the change to Rule 41 of the Federal Rules of Criminal Procedure; Rule 41 is basically the procedure judges must follow to issue warrants, including when the judge has jurisdiction to issue a warrant, to search for and seize evidence of a crime. The proposed changes would expand the conditions under which such a warrant could be issued, allowing law enforcement to seek a warrant from any district in cases where the target computer’s location is “concealed through technological means,” as well as for computers that have been intentionally damaged and are in 5 or more separate federal judicial districts.
The first change seems to be designed to allow law enforcement to investigate crimes that involve the use of online anonymity tools, such as Tor. However, as CDT’s testimony argues, it would reach far beyond just Tor to encompass any use of computers that may change the route their network traffic takes to reach a destination. This behavior is exactly what many businesses demand of their employees when they turn on a secure Virtual Private Network (VPN) to connect with confidential documents back at the office or to use a proxy that examines their traffic for viruses and other malware. This could even go so far as to implicate people who misreport the town in which they live on social networks like Facebook or Twitter. The simple fact is that there are many, many ways to intentionally or unintentionally “conceal through technological means” a device’s location, and most of those techniques are regularly used for completely legitimate online behavior that has nothing to do with crime.
The second change seems to be aimed at botnets. Botnets are networks of hijacked computers that malicious hackers can direct to commit crime at massive scales, like distributed denial-of-service attacks that can bring down websites. However, this part of the proposed rule change would allow a warrant to be issued based on a computer being “damaged” as specified in the Computer Fraud and Abuse Act (CFAA). The statute’s definition of “damage” is very broad, encompassing any type of intentional damage to a computer. That opens this authority to be much broader than botnets, and it would in fact reach hundreds of millions of computers around the world that have been infected with garden-variety malware and viruses.
The combination of these two blunt features of the proposed rule change would amount to massive authority on the part of US law enforcement to hack into computers worldwide on the slightest pretense that a device was concealing its location or had been damaged in some manner. Changes of this magnitude should not be in front of the Judicial Conference and its abilities to make procedural changes to judicial rules. Instead, the proposed rule changes should be enacted through Congress where a full airing of the concerns can be had and enshrined in clear, unambiguous enabling legislation.