US govt quietly tweaks rules to let cops, Feds hack computers anywhere, anytime
Congress? Democracy? No need for that
On Thursday, the US Supreme Court approved a change to Rule 41 of the Federal Rules of Criminal Procedure. It sounds innocuous, but the effects will be felt around the world.
Under today's rules, US cops and FBI agents need to know where a computer is before they can get a warrant to directly hack the machine – because they have to ensure the judge and court they approach for the warrant has jurisdiction over the matter. In other words, a judge usually can't issue a search warrant against someone or something outside her district.
Under the proposed rule change [PDF] this geographical information won't be needed, and a single search warrant can be used to authorize American crimefighters to infiltrate any PC, Mac or other device anywhere in the world.
In addition, the rule change will also allow the FBI and others to hack into victims' computers that have already been broken into by cyber-criminals. This is being billed as a measure to help track down the operators of botnets.
The US Department of Justice has been proposing the rule change for three years, saying it's just a procedural matter that doesn't mean the police get any extra powers. Not surprisingly, civil libertarians, technology companies, and some politicians disagree.
"Instead of directly asking Congress for authorization to break into computers, the Justice Department is now trying to quietly circumvent the legislative process by pushing for a change in court rules, pretending that its government hacking proposal is a mere procedural formality rather than the massive change to the law that it really is," said Kevin Bankston, director of new America's Open Technology Institute.
"Congress shouldn't let the Justice Department and an obscure judicial rules committee write substantive law, especially on a novel and complex issue with serious privacy, security, and civil liberties implications. If government hacking is to be allowed at all, it should only be done with authorization from Congress, with strong protective rules in place, and after deep investigation and robust debate."
The DoJ argues that because of the rise of anonymizing services like Tor it's often impossible to find out where a target computer is located. It's an issue that is dogging the FBI as it attempts to prosecute pedophiles who accessed the Playpen, a website hidden in the Tor network that hosted images and videos of child sex abuse.
In that case the FBI took over the site's servers and ran it themselves for two weeks. During that time they deployed a "Network Investigative Technique" (NIT) to unmask and identify some of the perverts visiting the site, and begin making arrests.
That NIT somehow injected code into some Playpen visitors' web browsers that leaked their real public IP address to FBI agents, allowing investigators to track down where the Playpen users lived with the help of ISPs. Exactly how the NIT worked isn't known – the FBI refuses to talk about it.
When the Feds went to get a warrant to install the NIT on people's PCs, the agents obtained a single warrant from a local magistrate judge who simply did not have jurisdiction over all 1,200 or so people, scattered over the US and beyond, who were suspected of accessing the Playpen hidden service. The US courts have now ruled that the investigation amounted to an illegal search, and hundreds of potential Playpen prosecutions are now in doubt.
Changing the rules as a procedural measure, rather than after a debate in Congress, has been slammed for being underhand and for setting a dangerous precedent. "It carries with it the specter of government hacking without any Congressional debate or democratic policymaking process," said Richard Salgado, Google's legal director of law enforcement and information security in testimony on the matter.
Although the Supremes have now approved the rule changes, they aren't in force yet. Under the law, Congress has until December 1 to respond to the tweaks before they come into effect. Senator Ron Wyden (D-OR) has said he will be moving on the matter immediately.
"I plan to introduce legislation to reverse these amendments shortly, and to request details on the opaque process for the authorization and use of hacking techniques by the government," he told The Register.
"These are complex issues involving privacy, digital security and our Fourth Amendment rights, which require thoughtful debate and public vetting. Substantive policy changes like these are clearly a job for Congress, the American people and their elected representatives, not an obscure bureaucratic process."
Quite how much support the senator will get from his fellow congresscritters is uncertain. This is an election year and Congress seldom gets things done at the best of times. But unless something is done before December 1, it's open season for police hacking teams to go rummaging around in hard drives and flash chips around the world. ®
Sponsored: Becoming a Pragmatic Security Leader