And it was all done by unelected bureaucrats.
The FBI’s authority to hack your computer — legally — just expanded massively, and Congress never so much as had a hearing about it.
The scope of this policy change should be clear, and yet all this was accomplished by simple administrative rules change, without any meaningful input or oversight.
Way back in April of this year, the Electronic Frontier Foundation and other tech freedom advocates sounded the alarm on a proposed change to Rule 41 of the Federal Rules of Criminal Procedure. The change involved procedures surrounding federal law enforcement’s use of “remote access to search electronic storage media and to seize or copy electronically stored information.” In translation, this involves the FBI’s authority to access a computer or device from a distance via malware, i.e. legal hacking.
There are a number of legal uses for such hacking, and the rule change provides for seeking a warrant in order to use this technique. What the rules change fails to do, however, is define boundaries on how this tactic can be used. Law enforcement hacking into an individual’s computer is not a small thing — and the warrants authorized by the new Rule 41 could allow not only the hacking of a suspect’s computer, but dozens, thousands, even millions of other computers at a time.In order to remotely access a suspect’s computer, law enforcement generally has to implant some piece of malware. This isn’t as much of a problem when investigating an immediate suspect, but it gets much more troublesome when the warrant can be interpreted as allowing the hacking of everyone who has interacted with that bad actor.
In the most extreme example, computers which were hacked to be part of a “botnet” attack — in which an innocent user’s machine is hacked to provide processing power to a larger coordinated online attack — could be subject to legal hacking under the new Rule 41. This could grant law enforcement full access to rooting around the machines of thousands or even millions of users who had no idea that they had been affected by the botnet hack in the first place.
Any sane person would be okay with legal hacking authority to pursue leads on the worst online criminals, dealing in crimes like terrorism, child pornography, and human trafficking. But there need to be strict guidelines to define how law enforcement can and cannot access the computers and data of presumably innocent people. Malware used to investigate actors who may presumably be innocent can screw up their systems, and can also provide avenues for other hackers to sneak into their systems.
The scope of this policy change should be clear, and yet all this was accomplished by simple administrative rules change, without any meaningful input or oversight. Upon learning of the Rule 41 change, Senator Ron Wyden, D-Ore. (F, 6%) sponsored the “Stopping Mass Hacking” Act (appropriately abbreviated ‘SMH’) to stop the rules change. He spent months attempting to force basic congressional input on this major expansion of law enforcement authority, but was continuously rebuffed and now the new rule is officially in place.
Even though the rule change is official, it’s not too late to retroactively question whether we ought to trust the federal government with such authority to hack into our computers without consequence.