A new bill has been introduced by an assembly of legislators in the US Senate. The novel regulation – called the Stop Mass Hacking Act – has been introduced by a bipartisan group of Senators to reign in the mass hacking powers that the Department of Justice has over US citizens. Snooping powers that the DOJ claims are vital for ‘ contending with ‘sophisticated 21st-century criminals.’
The bill’s authors, Democrat Ron Wyden, and Republican Rand Paul have penned the latest legislation following alterations to Rule 41 of the Federal Rules of Criminal Procedure last month. Those changes were made by the Supreme Court at the request of the FBI, and left unchallenged would come into force by December 1st. According to members of Congress, however, the alterations will, in fact, give the DOJ vast privacy-invading powers for remotely hacking any machine using malware: Powers that will be enforceable with the oversight of just one magistrate judge in any jurisdiction (regardless of where the target machine is in relation to that court order).
For the Senators who have penned the Stop Mass Hacking Act, the overreaching changes to Rule 41 that are being rushed through are highly problematic because they allow the FBI nearly complete control over the process of gaining the right to snoop on any suspect that it deems necessary. Wyden, for one, believes that the powers are unlawful and would allow the DOJ to be in violation of its true constitutional rights.
The concern is that while Rule 41 only used to let Magistrates grant permission for Feds to hack private machines in their own jurisdiction – now those judges will be able to give the thumbs up for law enforcement to snoop unfairly into the lives of people in locations far removed from the where the judge presides.
‘This is a dramatic expansion of the government’s hacking and surveillance authority, Wyden commented in an official statement. ‘Such a substantive change with an enormous impact on Americans’ constitutional rights should be debated by Congress, not maneuvered through an obscure bureaucratic process.’
Opposition to the changes is not limited to the Senators who have penned the Stop Mass Hacking Act, either. Google – as well as privacy advocacy groups such as the Electronic Frontier Foundation (EFF) – have affirmed assurances that they will join in the fight to block the changes. In a statement on its website, Google’s Legal Director Richard Salgado said that the ‘significant changes’ to Rule 41,
‘could have profound implications for the privacy rights and security interests of everyone who uses the Internet.
Today, Rule 41 prohibits a federal judge from issuing a search warrant outside of the judge’s district, with some exceptions. The Advisory Committee’s proposed change would significantly expand those exceptions in cases involving computers and networks. The proposed change would allow the U.S. government to obtain a warrant to conduct “remote access” searches of electronic storage media if the physical location of the media is “concealed through technological means,” or to facilitate botnet investigations in certain circumstances.’
Mass Hacking Could Affect VPN Users
EFF’s Rainey Reitman has gone public with the opinion that the changes (due to come into effect in every federal court across the US) could directly affect any computer user who uses a VPN for privacy,
‘The first part of this change would grant authority to practically any judge to issue a search warrant to remotely access, seize, or copy data relevant to a crime when a computer was using privacy-protective tools to safeguard one’s location. Many different commonly used tools might fall into this category. For example, people who use Tor, folks running a Tor node, or people using a VPN would certainly be implicated.’
On top of that, Google is concerned that the wording of the changes to Rule 41, would allow judges to okay remote hacking – not just throughout the US – but anywhere around the world. A political overreach that Google says should not be approved without a reasonable debate in Congress.
DOJ representative Peter Carr, however, insists that the changes are necessary in order to deal with the growing problem of Botnets – often made up of personal computers in various jurisdictions across the US. In those cases, Carr explains, it is incredibly difficult for law enforcement to adequately investigate, and close down, troublesome Botnets responsible for launching cyber warfare such as distributed denial of service attacks.
‘Criminals now have ready access to sophisticated anonymizing technologies to conceal their identity while they engage in crime over the Internet, and the use of remote searches is often the only mechanism available to law enforcement to identify and apprehend them.
This amendment ensures that courts can be asked to review warrant applications in situations where is it currently unclear what judge has that authority. The amendment makes explicit that it does not change the traditional rules governing probable cause and notice,’ said Carr.
EFF’s Reitman isn’t convinced. She has expressed grave concerns over the implications of the new snooping rule. Rules that she believes persecute US citizens that have already been victimized by criminal malware,
‘victims of malware could find themselves doubly infiltrated: their computers infected with malware and used to contribute to a botnet, and then government agents given free rein to remotely access their computers as part of the investigation. Even with the best of intentions, a government agent could well cause as much or even more harm to a computer through remote access than the malware that originally infected the computer. Malicious actors may even be able to hijack the malware the government uses to infiltrate botnets, because the government often doesn’t design its malware securely.’
Finally, Google is concerned that the underhanded legislation changes could negatively affect the US’ international standing – damaging foreign relations – and harming any legal cooperation between nations that the US government claims it is strongly in favor of.
For now, the Stop Mass Hacking Bill will need to be reviewed, and only time will tell if the House of Representatives or Senate will be able to overturn the changes to Rule 41 before they march into full swing on December the 1st. Any US citizens concerned with digital privacy are advised to contact their local Senators to encourage them to support the privacy conscious bill.