The team-up that helped force the sunset of one of the domestic surveillance authorizations of the PATRIOT Act is back together for a new fight. Sen. Rand Paul (R-Ky.) is joining Sen. Ron Wyden (D-Ore.) to try to halt the implementation of a new federal rule that has the potential to launch a new form of far-reaching, high-tech surveillance.
What they're trying to stop is an update to Rule 41 of the Federal Rules of Criminal Procedure. This update, approved by the Supreme Court in April, would authorize federal judges to issue warrants that would allow remote hacking into large numbers of computers in any jurisdiction. At the moment, the rules allow judges to authorize these warrants only in their own jurisdictions. But crimes involving computer and internet communications are hardly confined to a single jurisdiction. The example prosecutors use here is child pornography, their go-to when they can't use terrorism to justify an expansion of government power.
Wyden spoke out against the rule change early on, saying it would "have significant consequences of Americans' privacy and the scope of government's powers to conduct remote surveillance of searches of electronic devices." He has promised legislation to reverse the implementation of the rule. Paul has now joined him as a co-sponsor to make it a bipartisan push.
So what is the potential for harm here, given that prosecutors will still have to get a warrant? Rainey Reitman at the Electronic Frontier Foundation notes how innocent people could get swept up in all of this. All that needs to happen is for a computer user to inadvertently have some sort of malware installed that is being used by some hacker to participate in or conceal the roots of criminal online behavior:
It would grant authorization to a judge to issue a search warrant for hacking, seizing, or otherwise infiltrating computers that may be part of a botnet. This means victims of malware could find themselves doubly infiltrated: their computers infected with malware and used to contribute to a botnet, and then government agents given free rein to remotely access their computers as part of the investigation. Even with the best of intentions, a government agent could well cause as much or even more harm to a computer through remote access than the malware that originally infected the computer. Malicious actors may even be able to hijack the malware the government uses to infiltrate botnets, because the government often doesn't design its malware securely. Government access to the computers of botnet victims also raises serious privacy concerns, as a wide range of sensitive, unrelated personal data could well be accessed during the investigation. This is a dangerous expansion of powers, and not something to be granted without any public debate on the topic.
Make no mistake: the Rule 41 proposal implicates people well beyond U.S. borders. This update expands the jurisdiction of judges to cover any computer user in the world who is using technology to protect their location privacy or is unwittingly part of a botnet. People both inside and outside of the United States should be equally concerned about this proposal.
The change to Rule 41 isn't merely a procedural update. It significantly expands the hacking capabilities of the United States government without any discussion or public debate by elected officials. If members of the intelligence community believe these tools are necessary to advancing their investigations, then this is not the path forward. Only elected members of Congress should be writing laws, and they should be doing so in a matter that considers the privacy, security, and civil liberties of people impacted.
A lawyer for the American Civil Liberties Union worried about the broadness of the rule in a story at the Los Angeles Times. Why couldn't the rule have been more specific?
"The department has been less than forthcoming about the extent of its hacking, which raises concerns about the proposal ," said Neema Guliani, a lawyer for the ACLU. "They are saying they have a problem in cases where they don't know where the computer is, or think someone is trying to hide it. But the rule change is a lot broader than that. If they wanted to just address that issue, they could have narrowed the rule by saying they could conduct the search only to locate the computer."
Read more here.