Shaking My Head

The government will dramatically expand surveillance powers unless Congress acts

Last month, at the request of the Department of Justice, the Courts approved changes to the obscure Rule 41 of the Federal Rules of Criminal Procedure, which governs search and seizure. By the nature of this obscure bureaucratic process, these rules become law unless Congress rejects the changes before December 1, 2016.

Today I, along with my colleagues Senators Paul from Kentucky, Baldwin from Wisconsin, and Daines and Tester from Montana, am introducing the Stopping Mass Hacking (SMH) Act (bill, summary), a bill to protect millions of law-abiding Americans from a massive expansion of government hacking and surveillance. Join the conversation with #SMHact.

What’s the problem here?

For law enforcement to conduct a remote electronic search, they generally need to plant malware in — i.e. hack — a device. These rule changes will allow the government to search millions of computers with the warrant of a single judge. To me, that’s clearly a policy change that’s outside the scope of an “administrative change,” and it is something that Congress should consider. An agency with the record of the Justice Department shouldn’t be able to wave its arms and grant itself entirely new powers.

Let’s get into the details

These changes say that if law enforcement doesn’t know where an electronic device is located, a magistrate judge will now have the the authority to issue a warrant to remotely search the device, anywhere in the world. While it may be appropriate to address the issue of allowing a remote electronic search for a device at an unknown location, Congress needs to consider what protections must be in place to protect Americans’ digital security and privacy. This is a new and uncertain area of law, so there needs to be full and careful debate. The ACLU has a thorough discussion of the Fourth Amendment ramifications and the technological questions at issue with these kinds of searches.

The second part of the change to Rule 41 would give a magistrate judge the authority to issue a single warrant that would authorize the search of an unlimited number — potentially thousands or millions — of devices, located anywhere in the world. These changes would dramatically expand the government’s hacking and surveillance authority. The American public should understand that these changes won’t just affect criminals: computer security experts and civil liberties advocates say the amendments would also dramatically expand the government’s ability to hack the electronic devices of law-abiding Americans if their devices were affected by a computer attack. Devices will be subject to search if their owners were victims of a botnet attack — so the government will be treating victims of hacking the same way they treat the perpetrators.

When the public realizes what is at stake, I think there is going to be a massive outcry: Americans will look at Congress and say, “What were you thinking?”

As the Center on Democracy and Technology has noted, there are approximately 500 million computers that fall under this rule. The public doesn’t know nearly enough about how law enforcement executes these hacks, and what risks these types of searches will pose. By compromising the computer’s system, the search might leave it open to other attackers or damage the computer they are searching.

Don’t take it from me that this will impact your security, read more from security researchers Steven Bellovin, Matt Blaze and Susan Landau.

Finally, these changes to Rule 41 would also give some types of electronic searches different, weaker notification requirements than physical searches. Under this new Rule, they are only required to make “reasonable efforts” to notify people that their computers were searched. This raises the possibility of the FBI hacking into a cyber attack victim’s computer and not telling them about it until afterward, if at all.

A job for Congress — not the Justice Department

These changes are a major policy shift that will impact Americans’ digital security, expand the government’s surveillance powers and pose serious Fourth Amendment questions. Part of the problem is the simple fact that both the American public and security experts know so little about how the government goes about hacking a computer to search it. If a victim’s Fourth Amendment rights are violated, it might not be readily apparent because of the highly technical nature of the methods used to execute the warrant.

It is Congress’ job to make sure we do not let the Executive Branch run roughshod over our constituents’ rights. That is why action is so important: this is a policy question that should be debated by Congress. Although the Department of Justice has tried to describe this rule change as simply a matter of judicial venue, sometimes a difference in scale really is a difference in kind. By allowing so many searches with the order of just a single judge, Congress’s failure to act on this issue would be a disaster for law-abiding Americans.

When the public realizes what is at stake, I think there is going to be a massive outcry: Americans will look at Congress and say, “What were you thinking?”