The Obama administration made a huge digital power grab this past year, and barely anybody noticed.
The Department of Justice quietly changed Rule 41 of the Federal Rules of Criminal Procedure, which outlines what federal agencies like the FBI can and cannot do during law enforcement investigations. And though the DOJ insists this change is totally no big deal, nothing could be further from the truth.
There are two main ways it could affect Americans’ digital privacy. First, as the Electronic Frontier Foundation explains, it “would grant authority to practically any judge to issue a search warrant to remotely access, seize, or copy data relevant to a crime when a computer was using privacy-protective tools to safeguard one’s location.”
Now, people who use privacy protections are a much larger category than many realize. For example, if you’ve ever denied an app on your phone permission to access your location data, you’re using a basic privacy-protective tool. And there are plenty of perfectly innocent reasons to use more advanced protections than that. For instance, many people use Virtual Private Networks (VPNs) to keep their accounts and data safe while on a public wifi connection, like at the airport or the library. (Even the federal government strongly recommends VPN use on public networks like that.)
But for whatever reason, the Rule 41 change makes such privacy protections a liability where government is concerned. Before, if the feds wanted to hack someone’s computer to investigate a suspected crime, agents would have to get permission—a warrant—from a judge with geographic jurisdiction over the computer in question. Under the new rule, the agents can go to any “magistrate judge with authority in any district where activities related to a crime may have occurred.”
If that sounds super vague, that’s because it is. It means that if one judge tells the FBI, “No, I don’t think you have a good reason to hack this person’s computer,” the bureau can just move on to another judge—and another, and another, until they find one who gives the okay.
In other words, every request is pretty much guaranteed to be approved eventually.
The second part of the rule change is arguably more worrisome still. It’s about investigating botnets, which are virtual networks created when a hacker infects thousands or even millions of computers with malware, allowing him to remotely control them. Compromised computers in botnets can be used for illegal activities without their owners’ knowledge, which is where the name comes from: it’s a portmanteau of “robot” and “network,” because the infected computers are like evil robots under the criminal’s control.
So with the new Rule 41, if the FBI is investigating a botnet, it can get a judge (again, this could be just about any federal magistrate judge) to issue a single warrant letting the agency hack any computer they suspect might be infected. For a really big botnet, that means the feds would be allowed to secretly poke around literally millions of Americans’ computers under just one warrant.
That’s a clear violation of the Fourth Amendment, which provides that warrants can only be issued “particularly describing the place to be searched, and the persons or things to be seized.”
There’s just no way to “particularly” describe a million computers.
On a more practical note, how the FBI would access all those computers is itself a serious security violation. “Hacking—stealthily breaking into computers, copying data, deleting data, or executing code—can have serious consequences for users and their devices,” explains No Global Warrants, a coalition of pro-privacy organizations that oppose the new Rule 41. “A government agent could actually do more damage to the computers of innocent users during a botnet investigation than the botnet itself.”
With this mass hacking, the feds would be treating the victims of botnets the same way they treat criminals—and, ironically, violating victims’ privacy much like the botnet creators did.
Come December 1, this rule change will go into effect—unless Congress passes the Stopping Mass Hacking Act, bipartisan legislation sponsored by civil libertarian senators Rand Paul and Ron Wyden. The bill is simple: it says the new rule won’t go into effect, because, as Wyden has argued, this change is way too big for the DOJ to just “wave its arms and grant itself entirely new powers.”
If you agree, go to NoGlobalWarrants.org and ask your representative to support the Stopping Mass Hacking Act today.