Google, privacy groups urge Congress not to expand federal hacking power

A change to federal criminal procedure would allow judges to approve searches on computers outside their jurisdiction, a move that could have vast 'unintended consequences' for innocent people, civil liberties groups say.

Technology companies and privacy groups are asking lawmakers to reject a proposed rule change to federal criminal procedure that would make it possible for judges to issue warrants to search computers located outside their jurisdiction.

A coalition including Google, PayPal, the American Civil Liberties Union, and a range of tech advocacy groups sent a letter to leaders in the Senate and House of Representatives asking them to stop changes to Rule 41 of the Federal Rules of Criminal Procedure. In April the US Supreme Court approved changes to Rule 41 authorizing judges to allow “remote access” to criminal suspects computers. Opponents have cited the change as the “largest expansion” of search and seizure power in the nation’s history.

“This would invite law enforcement to seek warrants authorizing them to hack thousands of computers at once – which is hard to imagine would not be in direct violation of the Fourth Amendment,” the letter stated, adding that such a change will have “unintended consequences” for innocent users.

The rules will be enacted on December 1 unless blocked by Congress. A small group of bipartisan senators introduced a bill last month that would prevent the decision from going into effect. 

Signatories to Tuesday’s letter say the changes will affect two circumstances law enforcement encounters when investigating cybercrimes.

First, the changes will enable investigators to obtain a warrant to hack into suspects’ devices when their location is hidden by the anonymizing web browser Tor or shielded by virtual private networks.

Previously, some federal courts have suppressed this kind of evidence obtained under Rule 41 because those warrants couldn't be tied to a specific location, US Assistant Attorney General Leslie Caldwell wrote in a blog post Monday. The change would avoid similar outcomes in future cases.

Law enforcement could also be allowed to obtain a single warrant in cases where criminals take over unsuspecting users’ computers and use them to form a botnet to launch cyberattacks that span many districts. Under current rules, Ms. Caldwell said, investigators must acquire a warrant in each judicial district with an infected computer. The change will make that process less burdensome, she said.

“This change would not permit indiscriminate surveillance of thousands of victim computers — that is against the law now and it would continue to be prohibited if the amendment goes into effect,” Caldwell wrote.

The FBI and the Department of Justice declined to comment on the coalition’s letter, and the Administrative Office of the US Courts did not return a request for comment.

Instead of adopting the changes, tech and privacy groups are calling on Congress to support a bill proposed in May by Sens. Ron Wyden (D) of Oregon and Rand Paul (R) of Kentucky. Their Stopping Mass Hacking Act would undo the Supreme Court’s approval of Rule 41.

“While it may be appropriate to address the issue of allowing a remote electronic search for a device at an unknown location, Congress needs to consider what protections must be in place to protect Americans' digital security and privacy,” Senator Wyden said when he introduced the legislation. “This is a new and uncertain area of law, so there needs to be full and careful debate.”

In a report last week, Susan Landau, a professor of cybersecurity policy at Worcester Polytechnic Institute, argued for more and better “lawful hacking” options. That, she said, is a better alternative than legislation seeking to give law enforcement special access to encrypted communication. But in another report from March 2016, Ms. Landau and two coauthors criticized the Rule 41 proposal, arguing the changes could violate innocent computer users’ privacy and damage criminal investigations.

The Rule 41 proposal could also damage tech companies based in the US, according to Alan Fairless, chief executive officer of the cloud storage company SpiderOak.

“There’s obviously the growing perception … that hosting data in the US is a little dangerous,” Mr. Fairless told Passcode in an interview, a reference to international concerns about government surveillance programs following the Edward Snowden revelations. “It’s an ongoing issue, and I don’t think this helps at all.”