Government Hacking Rule Revision Raises Concerns

Now you can read us on your iPhone and iPad! Check out the BTRtoday app.

There’s a distinct possibility you’re being watched right now.

At the very least, you’re leaving a trail. Every time you use your computer or smartphone to read an article, check your email, or figure out what the weather forecast is for this weekend, you’re adding yet another notch to your online footprint. Marketers use it to track your purchasing habits, GPS apps use it to track your location, and entities like the United States government can use it to track just about everything you do online.

When it comes to internet surveillance and data collection, the cat has long been out of the bag. It leapt out in the form of Edward Snowden exposing the lengths to which the National Security Administration goes to monitor citizens’ internet and phone activities in the largest intelligence breach in U.S. history.

The federal government, as is their wont, references these measures as necessary for the security of the nation. And in fact, it seems that a fair amount of people are OK with trading privacy for security online—a poll published in December found that 56 percent of Americans favor “the ability of the government to conduct surveillance on Internet communications without needing a warrant.” The same poll also found that 54 percent of Americans believe it’s necessary for the government to restrict some rights in exchange for national security, at least sometimes.

Despite its already expansive ability to monitor its citizens online, the government’s surveillance abilities received an even bigger boost in April, when the Supreme Court approved a rule change that would allow federal judges to grant search warrants targeting massive groups of computers in a variety of jurisdictions.

The change to Rule 41 of the Federal Rules of Criminal Procedure came amongst a number of others, but stands out particularly, not only because of the power it gives federal agents, but also because of the way in which that power is granted.

“What it’s doing is sidestepping the legislative process when it comes to government hacking,” Neema Singh Giuliani, legislative council for the American Civil Liberties Union (ACLU), tells BTRtoday.

Indeed, Congress has had no debate about the issue, and it’s flown largely under the radar in terms of major media coverage and average public knowledge. Advocates like Giuliani are concerned about the possible side effects of this type of procedural change, as well as the way it skirts past the public’s eye.

“It’s a rule that not only ignores the fact that we haven’t had a debate, and this is an issue that Congress can vote on,” Giuliani says, “but also it’s going to have all these other unintended consequences that I don’t think have been fully recognized or appreciated by the individuals who put the proposals forward.”

As Rule 41 is currently written, federal agents have to obtain warrants from every jurisdiction in which suspicious activity is suspected. Under the revision, however, judges may not only administer warrants on computers outside of their jurisdiction, but also those whose location has been concealed.

In order to hack into a computer or phone, the entity in question must first identify a vulnerability. Once that vulnerability is identified and exploited, however, that machine in question is now open to a number of security concerns, namely the transfer of malware. Untold numbers of innocent computer users could be at risk simply for being a victim of a crime such as a botnet (a network of infected computers controlled together without the owner’s knowledge), or due to the sheer size of the warrant in question.

“You could be a victim of a botnet or a particular crime, and the way this rule is crafted, the government can go in and hack your computer if they consider it to be part of evidence of crime,” Giuliani says. “That might have unintended consequences on your personal life, but let’s say you’re a system and you service a hospital, or you service other people. How does that affect the broader community who rely on certain services?”

The answers to such questions are unknown, because there has yet to be a widespread public discussion about the issue—likely just how law enforcement agencies prefer it, according to Rainey Reitman, activism director for the Electronic Frontier Foundation (EFF).

“I’m certain that law enforcement thinks it’s a heck of a lot easier to go ahead and start using these techniques without going through that necessary public debate,” Rainey says. “As a person who uses the Internet and wants to be able to use it with privacy and security, I’m uncomfortable with that.”

Rainey believes average users should be concerned due to the likelihood of increased instances of hacking techniques, as well as the obvious security and privacy dangers this sort of ruling represents.

“What we’re talking about is government agents breaking into computers remotely, copying data, executing code,” she says. “If we want the government engaged in those sort of activities, we want to make sure we do it in a really thoughtful, careful way.”

The primary method of creating a public debate is to bring the issue to Congress—which, as previously mentioned, hasn’t really established any rules or procedures in terms of hacking. If this issue had been brought to Congress earlier on in the process, this might not be the first time you would’ve heard of it.

“What’s particularly interesting is if the Department of Justice had gone to sympathetic legislators and explained that they wanted to use new techniques, and asked those legislators to write a bill and push that through Congress, then we would’ve seen a heck of a lot of media attention,” Rainey says.

If Congress does nothing about the rule change, it will automatically go into effect at the beginning of December. Oregon Democratic Senator Ron Wyden has proposed a bill to counteract the rule change, and it’s been co-sponsored by Kentucky Senator and former Republican presidential candidate Rand Paul. It’s the first step in hampering the obscure procedural change, and Rainey thinks that getting Congress members involved will have a positive effect.

“There’s a really strong sense in Congress that they’re put in place to write laws and build policy,” she says. “The idea that we’d see pretty significant substantive changes getting pushed through without them having a chance to weigh in, I think that will really bother a lot of members.”

In order to continue building awareness to get to that point, the EFF has planned a day of action on June 21st, where the foundation will campaign with companies and public interest groups concerned about the change. The idea is to stand united to rally Congressional and public support and educate constituents on the privacy and security consequences of the revised Rule 41.

“I don’t think anybody in this debate believes that law enforcement shouldn’t have the tools they need to do their jobs,” Rainey says. “However, we’ve got to do it in a way that thinks through the ramifications of the tools we’re using.”