At the urging of the Department of Justice, the U.S. Courts’ Committee on Rules of Practice and Procedure is considering whether to bless procedures that would allow law enforcement to hack into computers, including by the use of controversial “zero-day exploits.” As Bloomberg News reported this morning, the proposed rule change raises privacy concerns. It has the potential to threaten internet security and to facilitate violations of the Fourth Amendment.
Currently, the federal rule governing search warrants (Rule 41) permits magistrate judges to authorize searches only within their judicial district. This territorial limit has historically been an important check on government power, but the proposed change would open up a loophole for certain digital information. It would allow law enforcement to “use remote access” to search computers when “the district where the media or information is located has been concealed through technological means.” (The proposed language is on page 499 of this document posted online today.)
In plain English, this proposal would permit the government to seek warrants allowing it to hack into computers over the internet using malware, including so-called “zero-day” software exploits—special programs that exploit vulnerabilities in software that are unknown to the software manufacturer, and thus, for which no software fix exists. The use of zero-days by law enforcement poses significant risks, because by exploiting these vulnerabilities rather than notifying the companies responsible for the software, the government leaves the rest of the internet vulnerable to malicious attacks.
The recent discovery of the “Heartbleed” internet security flaw has spawned a robust debate about the wisdom of the government exploiting vulnerabilities for offensive purposes rather than responsibly disclosing them to software makers to design fixes. Indeed, we now know that it’s not just the National Security Agency that secretly takes advantage of zero-day vulnerabilities—it’s the FBI too. As part of our efforts to understand the government’s policies and practices around exploiting zero-days, the ACLU recently submitted a Freedom of Information Act request seeking a range of records about the stockpiling and use of zero-days by law enforcement and intelligence agencies.
DOJ’s posting of the proposed rule change today is not the end of the story; the proposal will soon be open for public comment, and attorneys, internet security experts, and other members of the public will have an opportunity to weigh in. It is crucial that the public engages the judiciary in a vigorous debate about the appropriate limits on law enforcement’s electronic search powers. Indeed, that debate has already begun, and the judiciary’s rules committee is listening.
DOJ originally proposed an even broader rule change last year, which would have allowed remote hacking of computers, as well as remote access to cloud-based services (like Gmail or Dropbox) during a search of a physical computer. That broad power would have conflicted with important Fourth Amendment protections and with rules established by Congress in the Electronic Communications Privacy Act. In response to concerns raised by the ACLU in a detailed memo submitted last month, as well as input by others, a judicial advisory committee scaled back that proposal, ensuring that if the government wants to search the contents of our cloud storage accounts, it must continue to serve warrants on the cloud storage providers (like Google and Dropbox) so that those companies can safeguard their customers’ privacy rights.
The judiciary has already started to push back against federal law enforcement’s demands for unreasonably expansive power to hack into our computers and cloud accounts. Let’s keep the momentum going.