A very boring sounding “procedural” update to Rule 41 of the Federal Rules of Criminal Procedure is anything but procedural. The proposed amendment instead grants federal courts sweeping new powers. These will allow the FBI to hack into the computers of anyone whose location is “concealed through technological means,” or who has been a victim of botnets.
The obvious targets here are users of the Tor anonymity network and VPN users. The legislation could also cover anyone who turns off their GPS location data, or who changes their Twitter account location details in order to bypass censorship.
So even if a computer is only tangentially related to an investigation, and its owner is not suspected of any wrongdoing, it can be targeted under the new rules. A little surreally, even the innocent victims of cybercrime (those whose computers have been infected by Botnets) will be liable to having their computers hacked by the FBI. As Gizmodo notes,
“The new rule would allow the FBI to infect innocent people’s computer with malware in order to investigate cybercrime—even if their only connection to the crime is that they’re the victims. What could go wrong?”
At present, for a judge to authorise the FBI to hack a computer, the FBI must know where the computer is. It must then get a warrant in the proper jurisdiction. Under the new rules, any federal judge will be able to issue a warrant to hack any computer anywhere. The FBI can then hack any number of computers in that are in some way connected to it. The only limitation being that to hack a computer, it must be using some form of technology to hide its location.
Of course, the FBI cannot know where these computers are located before hacking them (as they are hiding their location). The changes to Rule 41, therefore, give the FBI carte-blanch to hack computers anywhere in the world.
The new rules are obviously a clear and present threat to those who, for perfectly legal and legitimate reasons, wish to protect their online privacy. Botnet victims are even at more at risk, as they could be infected by malware twice –once by the botnet, then by the FBI! Not only does this have grave privacy implications, but insecure government malware could potentially even help spread the botnet infection!
As the Electronic frontier Foundation (EFF) warns,
“Make no mistake: the Rule 41 proposal implicates people well beyond U.S. borders. This update expands the jurisdiction of judges to cover any computer user in the world who is using technology to protect their location privacy or is unwittingly part of a botnet. People both inside and outside of the United States should be equally concerned about this proposal.”
So what can we do about changes to Rule 41?
The changes are being enacted under a statuary process known as the Rules Enabling Act. This is designed to enable purely procedural changes to laws relating to federal courts. For example, correcting clerical errors in court, or deciding on court holidays.
This use of an obscure procedural process to dramatically increase US government hacking powers is a major violation the democratic process. As the EFF argues,
“The change to Rule 41 isn’t merely a procedural update. It significantly expands the hacking capabilities of the United States government without any discussion or public debate by elected officials. If members of the intelligence community believe these tools are necessary to advancing their investigations, then this is not the path forward. Only elected members of Congress should be writing laws, and they should be doing so in a matter that considers the privacy, security, and civil liberties of people impacted.”
The Amendment was initially proposed by the advisory committee on criminal rules for the Judicial Conference of the United States. It has been now been passed from the Supreme Court to Congress, and is due to become law on 1 December.
The EFF has launched a campaign to raise public awareness about the issue, and has organized a “day of action” on 21 June. Here at BestVPN we are proud to support this campaign.