For three years the federal government has been in deliberation on Rule 41, which will automatically go into effect on December 1st, 2016, unless lawmakers successfully push it back for an additional six months, with the “Stop Mass Hacking Act,” to further discuss this “procedural change.”
So what is it? Better yet, why should you care?
If you use any device connected to the internet, from a computer, to a phone to your Blu-ray player, this rule affects you.
The Federal Rules of Criminal Procedure (available online here) govern “procedure in all criminal proceedings in the United States district courts, the United States courts of appeals, and the Supreme Court of the United States.” (Their words: a mouthful, right!?)
Rule 41 has to do with remote (read: digital) search and seizure. Under current procedure, federal agents must apply to one judge to review a search warrant, and a separate one for each jurisdiction, up to 94 districts, when a computer is affected.
The federal judiciary’s Advisory Committee on criminal rules (made up of legal insiders like judges, law professors, and attorneys) proposed amendments to Rule 41 which changes the nature of the current procedures in two major ways:
1. An agent can apply for a search warrant to discover where an offender is located (current procedure requires a warrant to be applied for in the district of the offender).
2. An agent will be able to apply for warrants to be reviewed by one judge, even if the devices cross multiple districts (if it’s at least 5 districts).
The full text of both the unanimous Supreme Court rulings and the amendments themselves are available online here.
Why did deliberation take three years? Extensive written comments and public testimony were heard by the federal advisory committee. In the end, the ruling passed and will go into automatic effect (unless legislative opposition passes). Here are some of the strongest arguments in favor of the amendment:
• Current procedures were written before modern tactics. Through cloaking, botnet attacks and other methods, cybercriminals are more elusive than ever. Applying for 94 warrants in 94 districts is cumbersome beyond manageability (and expensive, that’s all done on tax dollars!).
• The change is procedural, but doesn’t change any current law. Meaning, when the use of remote search would be illegal, it still is. Advocates emphasize that this procedural change in no way alters your 4th Amendment Constitutional Rights (the one that guarantees people’s security “In their persons, houses, papers, and effects, against unreasonable searches and seizures” and requires “probable cause”).
• Without this procedural change, when a case crosses into another judicial district, the judge may not allow evidence obtained under warrant in another district, making prosecution nearly impossible when you have criminal rings. (They love to give examples that are tough to disagree with, such as child prostitution rings).
• Supporters say the federal government will gain the ability to “liberate computers infected with malware,” which would apply to other infected devices in the IoT (Internet of Things).
Ultimately, the Supreme Court “rejected criticism of the proposal as misinformed.” You can even see where they used that label on their blog.
So what would make people like Senator Ron Wyden (D-Ore.) oppose the change? That camp has plenty to say as well:
• The amendment allows judges to issue warrants for computers and devices which lie outside their jurisdictions, so what’s to stop federal agents from working with the same favorable judges?
• The US government could use tracking malware on devices, with the aim of breaking through Tor and other tools, to locate the host location. What’s to stop the misuse of such malware, by both the government and cybercriminals to spy on people, generate botnet attacks, or other undesired/unintended consequences?
• People who cloak for other reasons, such as to deny access to location on smartphone apps, may unintentionally become targets.
• What about journalists, victims of domestic violence, people seeking legal services, or other people with vital reasons for location privacy? Millions of people may not want government surveillance, for these or other valid reasons. A “backdoor” to privacy puts everyone at risk.
• The amendment could allow for cross-district and even cross-national hacking. Do we really want to set the precedent in the world of allowing local, possibly technologically naïve, judges to grant global warrants?
• The amendment allows for the search and seizure of infected devices. That means even if you had nothing to do with an attack, your malware infected device could fall into federal hands. It took three years of deliberation to decide on this amendment, how long would your device be held for an investigation and what would your rights be to get it back?
For these and other reasons, companies like Google and security professionals are lobbying for the “Stop Mass Hacking Act,” to delay a decision so that word can spread about this proposed change.
Though the legal incentive for reducing red tape is worthy, this amendment is too wide-sweeping and alarming. The federal government should be protecting devices of private citizens from global assault, not focusing efforts on internal hacking.
Spread the word: stop federal mass hacking.