What proposed Rule 41 changes mean for your privacy
Last week, US Senator Ron Wyden took the floor of the Senate to explain why his (and his colleagues’) Stopping Mass Hacking Act should be voted in.
The bill, consisting of merely a few sentences, aims to prevent the acceptance of the amendments to Rule 41 of the Federal Rules of Criminal Procedure which have been approved by the Supreme Court of the United States earlier this year.
What is Rule 41, and what changes are we talking about?
Rule 41 of the Federal Rules of Criminal Procedure defines, among other things, what judges can and cannot do when it comes to providing warrants for searches and seizures to help an investigation.
“Right now, Rule 41 only authorizes federal magistrate judges to issue warrants to conduct searches in the judicial district where the magistrate is located,” the EFF explained.
“The new Rule 41 would for the first time authorize magistrates to issue warrants when ‘technological means,’ like Tor or virtual private networks (VPNs), are obscuring the location of a computer. In these circumstances, the rule changes would authorize warrants to remotely access, search, seize, or copy data on computers, wherever in the world they are located.”
In addition to this, the amendments would also “give a judge the authority to issue a single warrant that would authorize the search of multiple, potentially thousands or millions of, devices that can cover any number of searches in any jurisdiction,” Senator Wyden noted.
The amendments will take effect on December 1, 2016 if the Congress does nothing to stop this from happening.
Who’s against the changes, and why?
The proposed changes have been opposed by the American Civil Liberties Union, the Electronic Frontier Foundation, The Tor Project, Privacy International, security researchers, a slew of bipartisan US Senators, and many others, and a campaign is underway that aims to motivate the public to demand of the Congress that the changes be scrapped.
Wyden and security researchers Matt Blaze and Susan Landau have explained their opposition in a Wired op ed, citing many concerns they have regarding the changes.
For one, the malware that law enforcement would use to hack into those computers is poorly evaluated – and not by independent experts. It could crash users’ devices and computers and, in some cases, this could lead to serious consequences (e.g. if the computers in question are used in hospitals).
“The public doesn’t know nearly enough about how law enforcement executes these hacks, how (or whether) a victim would be notified of the search, and what risks these types of searches will pose. By compromising the computer’s system, the search might leave it open to other attackers,” Wyden noted in an earlier write-up.
“No one believes the government is setting out to damage victims’ computers. But history shows just how hard it is to get hacking tools right. Indeed, recent experience shows that tools developed by law enforcement have actually been co-opted and used by criminals and miscreants,” Wyden, Blaze and Landau noted.
“For example, the FBI digital wiretapping tool Carnivore, later renamed DCS 3000, had weaknesses (which were eventually publicly identified) that made it vulnerable to spoofing by unauthorized parties, allowing criminals to hijack legitimate government searches.
But the most important concern is that of these changes affecting UC citizens’ right to privacy and protections against unreasonable searches and seizures
“This is a dramatic expansion of the government’s hacking and surveillance authority. Such a substantive change with an enormous impact on Americans’ constitutional rights should be debated by Congress, not maneuvered through an obscure bureaucratic process,” Senator Wyden pointed out when he introduced the Stopping Mass Hacking Act.
“Unless Congress acts before December 1, Americans’ security and privacy will be thrown out the window and hacking victims will find themselves hacked again – this time by their own government.”