Hacking America

The 114th Congress is notorious for its inaction. And, with an ongoing election cycle consuming
Congress’s time and attention, an amendment to Rule 41 of the Federal Rules of
Criminal Procedure might not seem like it should be the auspicious body’s first
order of business. However, if Congress does not pass a bill before the first
of December to stop a pending amendment to Rule 41, the change will increase
the government’s use of hacking in its investigations, threatening the privacy
and cybersecurity of all Americans in the process.

Currently, Rule 41 authorizes magistrate judges to
issue search warrants that will be executed within their district. However, the
amendment, which was approved by the Advisory Committee on the Federal Rules of
Criminal Procedure, would remove this limitation and instead allow any
magistrate judge in the country to issue search warrants to remotely access
electronic devices or networks when law enforcement doesn’t know where the
targeted device or network is located. It is, in other words, a dramatic
invasion of Americans’ privacy, and undermines their cybersecurity.

New America’s Open Technology Institute recently hosted “Hacking America,” an event highlighting
proposed changes to Rule 41. Senator Ron Wyden (D-OR), a staunch privacy and
cybersecurity advocate, keynoted the event, voicing his concerns with the
changes. His remarks were followed by a panel of experts, all of whom further
discussed the broader implications of the amendment.

The rule changes, Wyden cautioned, would expand government hacking and surveillance. They would allow the
government to break into and search millions of computers with a single warrant
issued by one judge. The government could do two things – both of which would
involve it infecting computers with malware: First, it could hack
into the computers or networks of investigative targets in order to collect
information or conduct surveillance. Second, it could hack into the devices of
victims of computer crimes in order to “clean” their computers. However, the
process of “cleaning” is questionable and has not yet been explained by the
Justice Department or the FBI.

Government hacking, like all hacking, risks damaging the targeted devices. Panelist Steven Bellovin, a professor of Computer
Science at Columbia University, said that even large companies such as Twitter and Apple, which have some of the best coding and
security expertise in the world, have vulnerabilities in their
software and updates. He warned that, given the inherent
difficulty of developing secure software and hardware, government hacking could
inadvertently crash a device, permanently disable it, or place the device at
risk by creating security flaws. If the government were to hack critical
infrastructure networks such as a power plant, transportation system, or
hospital, it could jeopardize public health and safety by crashing the network
or creating a security flaw that could give access to bad actors.

So, too, could the rule change bring about increased forum (court) shopping. As
Washington, D.C. attorney Kobie Flowers explained, the rule would remove
jurisdictional requirements and allow any judge in the country to issue
warrants for remote access searches anywhere, which means that the government
would likely skip over the judges that had previously given them a hard time,
and instead only apply for warrants in favorable forums where the judges are
prosecutor-friendly. As Flowers said, the government “will figure out which
judge to go to […] to get access to our data…we need to slow down, think
[these rule changes] through.”

There is also the real concern that the rule change is substantive in nature, meaning
that the Advisory Committee lacked the authority to issue it in the first
place, since the Committee can only make procedural changes. Orin Kerr, a member of the Advisory Committee
speaking on the panel in his personal capacity, argued that the changes were
not substantive, as other panelists claimed. Instead, he said, the changes
were made to address the procedural issue of venue and not for the application
of law or other policies. Kerr said that the current rule presumes that the
government always knows the location that they need a search and seizure
warrant for. The new rule changes would address circumstances where the
government does not know the location of the electronic device they are trying
to access.

However, panelist Amie Stepanovich, U.S. Policy Manager at Access
Now, rebutted Kerr’s arguments, saying that the Advisory Committee focused on
the wrong question. Instead of answering the procedural “how” the government
should be able to remotely hack, she suggested that the focus be put on “if”
the government should hack at all. Congress has never passed any law
authorizing the government to hack, yet these changes presume that such an
authority exists, and in effect, will expand its use. Stephanie Martz, Director of the Reform Government Surveillance coalition, also argued that, while the
Committee’s intent was to address venue, venue is not distinct from the policy
implications. The consequences of the change, in other words, are indeed
substantive.

Although many of the arguments around the changes deal with domestic law, Martz and
Stepanovich also raised international concerns, as the changes would result in
magistrate judges issuing warrants that would enable the government to hack
computers located abroad. This kind of international hacking would create
serious international tension. It would also give the U.S. government access to
Europeans’ data, which could undermine the Privacy Shield, the new transfer
agreement between the US and the European Union. This could harm the economy,
as it would make it much harder for U.S. companies to operate in Europe.
Finally, Stepanovich cautioned that the new rules would negatively impact human
rights internationally since other countries look to the U.S. as an example of
what policies they should put into place. She explained that if the U.S.
were to allow government hacking to proceed, they are “actually giving a huge
win to countries like Russia and China that also want to hack into computers
without safeguards, without protections.”

In order to stop the Rule 41 changes from going into effect, Congress must pass a
bill like the Stopping Mass Hacking Act.
Though Congress excels at inaction, as Wyden lamented, government hacking is
far too important an issue to let languish. Congress has over four months to
hold hearings on government hacking and on the rule changes, and to pass a bill
to stop them—or, simply put, to do its job.