Rule 41 would make it easier for the government to carry out hacks

ACLU: Rule 41 fix has "insufficient privacy protections, transparency, or oversight."

Privacy activists and at least one senator are up in arms over a proposed change to a section of the Federal Rules of Criminal Procedure that would allow any magistrate judge to issue warrants authorizing government-sanctioned hacking anywhere in the country.

If the proposal does go forward, it would mark a notable expansion of judicial power to sign off on "remote access" of criminal suspects’ computers. As Ars has reported previously, for more than two years now, the Department of Justice has pushed to change Rule 41 in the name of being able to thwart online criminal behavior enabled by tools like Tor.

On Thursday, the Supreme Court passed the proposed change to Rule 41 and sent it to Congress, which will have until December 1 to modify, reject, or defer the proposal. If the House of Representatives and Senate do not pass a resolution in favor by simple majority, the revisions will become law that same day.

For now, Rule 41 allows these junior judges to authorize electronic searches only within their own judicial district. This month alone, two federal judges in Massachusetts and Oklahoma suppressed evidence in two related child pornography cases because a magistrate in Virginia authorized the FBI to seize and operate Playpen, a Tor-hidden site, for 13 days. In so doing, investigators also deployed malware that disrupted Tor's privacy protections and revealed over 1,000 true IP addresses, which led to 137 prosecutions, including those of the two men in these two states. Given the success in those states, it seems plausible that other similar cases could also be jeopardized.

In the Oklahoma case, Department of Justice spokesman Pete Carr e-mailed Ars earlier this week to say that the agency was "disappointed with the court’s decision," adding that the DOJ is reviewing its options. But he added that this case underscored why Rule 41 revisions are sorely needed. "The decision highlights why the government supports the clarification of the rules of procedure currently pending before the Supreme Court to ensure that criminals using sophisticated anonymizing technologies to conceal their identities while they engage in crime over the Internet are able to be identified and apprehended."

Unintended consequences?

For now, Sen. Ron Wyden (D-Oregon) appears to be the only legislator to have spoken out against the revision.

"These amendments will have significant consequences for Americans’ privacy and the scope of the government’s powers to conduct remote surveillance and searches of electronic devices," he said in a Thursday statement. "I plan to introduce legislation to reverse these amendments shortly, and to request details on the opaque process for the authorization and use of hacking techniques by the government."

Other activists have also now been speaking out against the proposal. Google is one of the largest companies to publicly lobby against this proposed change.

"Such a monumental change in the law should not be snuck by Congress under the guise of a procedural rule," Neema Singh Guliani, an attorney with the American Civil Liberties Union, said in a statement sent to Ars.

"The change proposed would expose Americans, including victims of crimes, to government hacking with insufficient privacy protections, transparency, or oversight. Congress should reject the proposed changes to Rule 41, and instead demand answers from the government about their current hacking practices."

Kevin Bankston, the head of New America’s Open Technology Institute, said in his own statement that this legal expansion goes beyond traditional wiretapping.

"Like wiretapping, hacking is uniquely invasive compared to regular searches and raises serious issues under our Fourth Amendment, which protects us from unreasonable searches," he said. "Unlike wiretapping, however, Congress has never authorized government hacking nor established protective rules for the road to ensure it's not abused. Government hacking also raises a host of new and serious risks to privacy and security that wiretapping doesn’t, including the risk that the malware used by the government might spread to innocent people’s computers or cause unintended damage."

In 2014, Carr told Ars that he was not aware of any figures as to how many times such remote access has been granted. He also did not answer Ars' question as to the precise technical capabilities of such tools nor whether they involve zero-day exploits.
