Federal agents may soon be able to remotely hack into hundreds or even millions of computers across the country — with a single warrant. And Congress has to act by December 1 to stop this incredible power grab.
Today, Sens. Ron Wyden (D-Ore.), Rand Paul (R-Ky.), Tammy Baldwin (D-Wis.), Steve Daines (R-Mont.), and Jon Tester (D-Mont.) introduced the Stopping Mass Hacking Act to halt proposed changes to a judicial rule, which would allow the government to remotely hack our electronics more easily, quickly, and with less oversight from judges. (The ACLU opposes the proposed changes.) Congress should adopt this law expeditiously to ensure the government doesn’t start hacking into devices far and wide without regard to the significant privacy and cybersecurity implications.
The bill was introduced in order to roll back the Justice Department’s proposed changes to Federal Rule of Criminal Procedure 41, which dictates in what circumstances judges can grant search warrants in federal criminal cases. While the DOJ has framed the changes as merely procedure tinkering, in reality they circumvent the legislative process to make substantive changes to the government’s hacking authority. Absent congressional action, the changes will automatically go into effect on Dec. 1.
The rule change would allow the government to obtain a search warrant to remotely hack a computer in cases involving certain internet crimes, or when the location of the computer is being masked electronically (for example, when a person uses a virtual private network or a privacy-protective service like Tor). Judges would be permitted to authorize these searches within and outside their district — as an exception to the general rule that judges may only issues warrants within their jurisdiction. This could allow the government to hack into millions of computers across the country, without proper judicial oversight.
Before the government is allowed to hack, we should have a robust public debate around the risks involved. For example: Should the FBI be allowed to hack the computers of innocent cybercrime victims in order to search for evidence? What standards and protections should apply when third parties that have nothing to do with a given investigation are likely to be affected? Will hacking harm our cybersecurity by incentivizing the government to stockpile vulnerabilities instead of disclosing them to software makers for patching?
But DOJ has been developing its hacking capabilities without this important debate. Last year, documents revealed that in 2007, the FBI masqueraded as a fake Associated Press reporter to deliver malware to the computer of a suspect. More recently, the FBI appears to have the developed the capability to remotely enable microphones or cameras on smart devices. Indeed, many have suggested that as the use of encryption spreads, so too may the government’s reliance on hacking to gain access to private information from afar.
Congress has never authorized such conduct. In other words, the DOJ has put the proverbial hacking cart before the horse. If, after this debate, the public and elected officials decide that hacking should be allowed, then Congress should pass a law laying out what standards and protections apply.
The proposed changes to Rule 41 bypass this important process and are dangerous for many reasons. First of all, the rule would permit the government to use one warrant to hack hundreds or even millions of computers across the country, raising significant policy and constitutional concerns. Also, by expanding the districts in which law enforcement may apply for a warrant, the rule encourages law enforcement to “forum shop” — bypassing districts that have developed stricter rules.
The rule also fails to require the government to include key information in warrant applications (such as the effect on victims), which is necessary for appropriate judicial oversight. Finally, the proposed changes would unconstitutionally relax requirements to notify the targets of government searches, by permitting law enforcement to choose between giving notice to either the property owner or the target of the search, when those are different people.
Congress should not stand idle by allowing important issues in this arena to be decided through a bare-bones procedural rule change. Instead, they should pass the Stopping Mass Hacking Act and ensure that this important issue receives the debate and consideration it deserves.