Privacy advocates in Congress are moving to stop a new rule from taking effect Dec. 1 that would allow federal agents armed with a single search warrant to hack millions of Americans’ computers at once.
“It’s more government surveillance,” said Rep. Ted Poe, R-Texas, a former criminal court judge and prosecutor who is leading bipartisan efforts with Sen. Ron Wyden, D-Ore., to stop the rule change. “It’s disturbing.”
Despite congressional concern about criminals and rogue nations hacking everything from the Democratic National Committee to Yahoo, Congress has not held a single hearing on the potential mass hacking of Americans by U.S. government agents.
The Justice Department, which has pushed for the rule, says it’s necessary to keep pace with changes in the technology used by criminals, particularly the increased use of “botnets”. These are clusters of computers infected by malware that can be controlled remotely and used by hackers to steal financial data.
Opponents of the new rule say it goes too far, and they’ve got backing from big tech companies that want it stopped. They are pushing to get a vote on the Stopping Mass Hacking Act, a bipartisan bill that would bar the change in federal criminal procedures from taking effect. Congress is scheduled to return from recess on Nov. 15 for about four weeks of work.
“We’re really up against the clock,” said Wyden, who serves on the Senate Intelligence Committee. “If Congress does what it does best and does nothing, then a lot of people are going to have to explain to their constituents why they let this happen without even a debate.”
The controversy centers on an obscure government regulation known as Rule 41 of the Federal Rules of Criminal Procedure. The Justice Department began about three years ago to seek changes to it. Those changes were adopted by the U.S. Federal Courts and approved on April 28 by the Supreme Court, which sent them to Congress for review. The new rule will automatically take effect on Dec. 1 unless Congress acts to stop it.
Federal prosecutors say the updated rule is needed in part to investigate criminals’ use of “botnets”. The risk became more apparent with the recent release of source code for Mirai, a tool to create botnets that helps hackers take over home devices like DVRs and routers and use their combined power to launch denial of service attacks on targets.
To thwart criminals, federal agents already hack into victims’ computers, but the government could greatly expand that ability under the new rule.
Currently, FBI agents must go to magistrates in every judicial district where infected computers are known to be located and request warrants to hack into those machines, which may number in the thousands or even the millions and be scattered across the country. The change to Rule 41 would allow them to go to just one judge to get a warrant to access all those computers, regardless of their locations.
“For example, agents may seek a search warrant to assist in the investigation of a ransomware scheme facilitated by a botnet that enables criminals abroad to extort thousands of Americans,” wrote Assistant Attorney General Leslie Caldwell of the Criminal Division in a blog post. She was referring to criminals who install malware in their victims’ computers and then demand money to remove it.
“This change would not permit indiscriminate surveillance of thousands of victim computers,” she added.
But critics of the new rule are skeptical of such assurances.
“This is lazy investigation on the part of the DOJ,” Poe said. “I never had a policeman come to me when I was a judge and say ‘we’re looking for stolen property in a particular neighborhood and we want one warrant to search every house in the zip code.’ No judge would agree to that. But the DOJ wants to be able to go to one judge and say we’ve got 100,000 infected computers and we want to go in with a single warrant and snoop around. And we’re not going to tell the victims. That’s an abuse of power.”
Will you know?
Federal agents must make “reasonable efforts” to tell people that their property was remotely searched or that their information was seized or copied.
“That’s not a very high bar,” said Robyn Greene, policy counsel at New America’s Open Technology Institute. “It’s entirely possible that you might never be told.”
Google, Inc., which opposes the new rule, said government hacking could inadvertently damage victims’ computer systems and make them more vulnerable to future cyber attacks after they’ve been searched and, in some cases, “cleaned” by federal agents.
“The use of various forms of (hacking) . . . are more invasive than other searches because they often have unknown, widespread, and sometimes destructive consequences,” wrote Richard Salgado, Google’s director of law enforcement and information security.
Wyden said the government would be re-hacking Americans who have already been hacked by criminals.
“You’re essentially hitting an innocent victim twice,” Wyden said. “I think people are going to be furious.”