"The Feds Will Soon Be Able to Legally Hack Anyone" warns the headline at Wired in a commentary written partly by Democratic Oregon Sen. Ron Wyden. The piece is warning about coming changes to "Rule 41," a reference familiar to everybody in any field remotely connected to cybersecurity and privacy and mostly unknown to anybody else.
Right now the Department of Justice is working to expand its hacking and surveillance authorities under the Federal Rules of Criminal Procedure. It's already legal, under this Rule 41, for the FBI to get authorization from a judge to attempt to install malware to hack into computers that are believed to be connected to crimes. But Rule 41 has limits—judges can only authorize intrusions into computers within their own jurisdictions. This update would lift that limit and would authorize the feds to turn to a judge to get permission to "hack a million computers or more with a single warrant."
Wyden has teamed up with other tech privacy-minded legislators (like Republican Sen. Rand Paul) to try to stop this amendment to Rule 41. They have until December to block it.
In the middle of this debate over how much hacking authority the government should have, one activist organization is analyzing whether such authority fundamentally endangers human rights, at least in its current use. Access Now, an advocacy and policy group devoted to protecting and advancing the rights of users of digital and technological tools, released a lengthy report about how government hacking can threaten our liberties.
Access Now notes how little public debate there has been on the "scope, impact, or human rights safeguards for government hacking." The massive release of secret government surveillance documents by Edward Snowden did prompt significant discussions about digital snooping in the United States and some European countries, and there have been some very modest reforms in the states. Others, though, like the United Kingdom, are actually considering formalizing a system that expands authorized government snooping on private digital data.
Access Now carefully analyzed how governments engage in hacking, separating their behaviors into three categories: Message control (in censoring and manipulating digital information), deliberate damage (malware that harms systems and data), and surveillance and information-gathering.
Access Now determined that government hacking causes significant harms to human rights. Here's a brief sample of how they describe the impact of hacking that installs malware or otherwise damages a person's systems:
Government hacking that falls under this umbrella is often designed specifically to deprive a person of their property in some way. This implicates due process protections, which require a fair trial overseen by a competent judicial authority, qualified legal representation, and the ability to appeal. It also directly conflicts with the right recognized in most countries for individuals to own private property. When the damage a government seeks to carry out also implicates human life or wellbeing, the threat to human rights is exceptionally grave. Government hacking to do damage also implicates other human rights, such as freedom of expression and association, since these rights are frequently exercised using devices that such hacking could render inoperable.
Access Now ultimately concludes that "there should be a presumptive prohibition on all government hacking," based on international human rights law. In order to justify hacking, Access Now recommends 10 specific safeguards, such as requiring very specific, tailored laws that describe when hacking is permitted in the narrowest terms possible. That's pretty much the opposite of what the Rule 41 expansion is attempting to accomplish.
Access Now's report coincides with a high-profile government hacking story, but it didn't get much traction in the U.S. amid all the election coverage. In August, Apple iPhone and iPad users were sent a security update over a vulnerability that was uncovered by a human rights advocate in the United Arab Emirates (UAE). Ahmed Mansoor was sent a link from an unknown source that would have installed surveillance malware on his phone had he clicked on it. Investigation determined that it was likely somebody within the government of UAE who attempted the hack.
In response to emailed questions, Drew Mitnick, policy counsel for Access Now, said that Mansoor's discovery highlighted how government-sponsored hacking has significantly increased over the last decade, but it's still not an area where there's nearly enough discussion.
"Disappointingly, it's up to third parties to talk about government hacking," Mitnick says. "Few within government are willing to talk about it openly. Our report both articulates a standard of how government hacking of individuals is almost always impermissible under human rights law, and pushes governments to be more open about how and when they hack."
But the debate over government hacking—to the extent that such a debate is publicly occurring—seems to revolve around government officials declaring that it's all used to keep us safe from terrorists, drug traffickers, and child pornographers. There is little acknowledgment of abuses of government hacking authority or the potential harmful consequences. Mitnick notes that the presumption should be that the government must prove it actually needs a particular hacking authority in order to successfully fight these crimes. Right now there's a lot of assertion without evidence to back it up.
"In the case of hacking, the government has failed to make its case that other methods are unavailable," Mitnick says.
Cybersecurity issues, though, have only been brought up briefly and vaguely in the presidential race. Mitnick notes that pushes to scale back federal hacking authority seem to be dependent so far on vocal responses by lawmakers like Wyden.
"At one point, he was the only one speaking about the risks, but now Senators [Jon] Tester [D-Montana], Steve Daines [R-Montana], and members from both sides of the aisle and chambers are supporting legislation to stop the Rule 41 changes that would increase the FBI's use of hacking. The Clinton campaign has also recently adopted secure technologies to keep hackers out. It is clear that Washington is starting to pay attention."
Read Access Now's full report on the human rights violations that come from government-sponsored hacking here.