Hacking America

The 114th Congress is notorious for its inaction. And, with an ongoing election cycle consuming Congress’s time and attention, an amendment to Rule 41 of the Federal Rules of Criminal Procedure might not seem like it should be the auspicious body’s first order of business. However, if Congress does not pass a bill before the first of December to stop a pending amendment to Rule 41, the change will increase the government’s use of hacking in its investigations, threatening the privacy and cybersecurity of all Americans in the process.

Currently, Rule 41 authorizes magistrate judges to issue search warrants that will be executed within their district. However, the amendment, which was approved by the Advisory Committee on the Federal Rules of Criminal Procedure, would remove this limitation and instead allow any magistrate judge in the country to issue search warrants to remotely access electronic devices or networks when law enforcement doesn’t know where the targeted device or network is located. It is, in other words, a dramatic invasion of Americans’ privacy, and undermines their cybersecurity.

New America’s Open Technology Institute recently hosted “Hacking America,” an event highlighting proposed changes to Rule 41. Senator Ron Wyden (D-OR), a staunch privacy and cybersecurity advocate, keynoted the event, voicing his concerns with the changes. His remarks were followed by a panel of experts, all of whom further discussed the broader implications of the amendment.

The rule changes, Wyden cautioned, would expand government hacking and surveillance. It would allow the government to break into and search millions of computers with a single warrant issued by one judge. The government could do two things - both of which would involve it infecting computers with malware: First, it could hack into the computers or networks of investigative targets in order to collect information or conduct surveillance. Second, it could hack into the devices of victims of computer crimes in order to “clean” their computers. However, the process of “cleaning” is questionable and has not yet been explained by the Justice Department or the FBI.

Government hacking, like all hacking, risks damaging the targeted devices. Panelist Steven Bellovin, a professor of Computer Science at Columbia University, said that even large companies such as Twitter and Apple, which have some of the best coding and security expertise in the world, have vulnerabilities in their software and updates. He warned that, given the inherent difficulty of developing secure software and hardware, government hacking could inadvertently crash a device, permanently disable it, or place the device at risk by creating security flaws. If the government were to hack critical infrastructure networks such as a power plant, transportation system, or hospital, it could jeopardize public health and safety by crashing the network or creating a security flaw that could give access to bad actors.

So, too, could the rule change bring about increased forum (court) shopping. As Washington, D.C. attorney Kobie Flowers explained, the rule would remove jurisdictional requirements and allow any judge in the country to issue warrants for remote access searches anywhere, which means that the government would likely skip over the judges that had previously given them a hard time, and instead only apply for warrants in favorable forums where the judges are prosecutor-friendly. As Flowers said, the government “will figure out which judge to go to [...] to get access to our data...we need to slow down, think [these rule changes] through.”

There is also the real concern that the rule change is substantive in nature, meaning that the Advisory Committee lacked the authority to issue it in the first place, since the Committee can only make procedural changes. Orin Kerr, a member of the Advisory Committee speaking on the panel in his personal capacity, argued that the changes were not substantive like other panelists claimed. Instead, he said, the changes were made to address the procedural issue of venue and not for the application of law or other policies. Kerr said that the current rule presumes that the government always knows the location that they need a search and seizure warrant for. The new rule changes would address circumstances where the government does not know the location of the electronic device they are trying to access.

However, panelist Amie Stepanovich, U.S. Policy Manager at Access Now, rebutted Kerr’s arguments, saying that the Advisory Committee focused on the wrong question. Instead of answering the procedural “how” the government should be able to remotely hack, she suggested that the focus be put on “if” the government should hack at all. Congress has never passed any law authorizing the government to hack, yet these changes presume that such an authority exists, and in effect, will expand its use. Stephanie Martz, Director of the Reform Government Surveillance coalition, also argued that, while the Committee’s intent was to address venue, venue is not distinct from the policy implications. The consequences of the change, in other words, are indeed substantive.

Although many of the arguments around the changes deal with domestic law, Martz and Stepanovich also raised international concerns, as the changes would result in magistrate judges issuing warrants that would enable the government to hack computers located abroad. This kind of international hacking would create serious international tension. It would also give the U.S. government access to Europeans’ data, which could undermine the Privacy Shield, the new transfer agreement between the US and the European Union. This could harm the economy, as it would make it much harder for U.S. companies to operate in Europe. Finally, Stepanovich cautioned that the new rules would negatively impact human rights internationally since other countries look to the U.S. as an example of what policies they should put into place.  She explained that if the U.S. were to allow government hacking to proceed, they are “actually giving a huge win to countries like Russia and China that also want to hack into computers without safeguards, without protections.”

In order to stop the Rule 41 changes from going into effect, Congress must pass a bill like the Stopping Mass Hacking Act. Though Congress excels at inaction, as Wyden lamented, government hacking is far too important an issue to let languish. Congress has over four months to hold hearings on government hacking and on the rule changes, and to pass a bill to stop them—or, simply put, to do its job.