Today, law enforcement can’t get a warrant to hack into a computer if it doesn’t know the computer’s physical location. That will change on December 1, as a result of yesterday’s decision by the Supreme Court.
Federal judges have traditionally been hesitant to grant search warrants on computers in unknown locations for fear of straying outside their jurisdiction. The High Court apparently feels that in the brave new world of borderless cybercrime, law enforcement needs to be able to search anywhere.
There may be some truth in that. “From an academic perspective, this version of rule 41 is an expected evolution caused by the digital revolution,” said Cooper Levenson cyberlaw attorney Peter Fu. “Mass crimes necessitate mass responses.
“Unfortunately, such changes should have been introduced by elected officials and not the federal bench,” Fu adds.
The court made the change in a revision to Rule 41 of the Federal Rules of Criminal Procedure, which lays out how and when federal agencies can search private property. The court informed Congress of the change in a letter yesterday.
The only thing that can stop the rule change from going into effect is a law passed by Congress. At least one senator has vowed to introduce such a law. “These amendments will have significant consequences for Americans’ privacy and the scope of the government’s powers to conduct remote surveillance and searches of electronic devices,” Senator Ron Wyden (D-Oregon) said in a statement on Thursday.
The tech and privacy communities are getting to grips with the implications of the rule change today.
“No, companies shouldn’t feel good about the expansion of the FBI’s authority,” says Electronic Freedom Foundation staff attorney Andrew Crocker. “Far from being a small procedural change, it will enable more remote hacking–which the FBI already does without adequate court oversight.”
Perhaps the main objection to the rule change is that it could have specific unintended consequences. The new latitude for hacking and searching could extend beyond computers owned by bad guys.
“These searches . . . have the potential to reach computers belonging to victims of crimes as well as ensnaring innocent users,” Crocker says. “Google has already voiced objections, and we hope other companies will as well.”
Like most changes to the law, this one could be used for good or bad. In a positive hypothetical, the FBI could get a warrant to hack into a server hosting illegal or harmful materials (think child porn or terrorist plots), then remain there to see who views that content. It could then hack into the computers of those people to collect more evidence.
On the other hand, the FBI could get a warrant to hack into the computer of an identity thief, but could also then legally hack into the computers of all the people who had been victimized by the thief. Most people would say that’s an overreach and a threat to the privacy and civil liberties of innocent people.
In general terms, the change to Rule 41 could make consumers around the world feel less comfortable storing sensitive data on cloud services like Google’s.
The Department of Justice told the court that the revision to Rule 41 would not (expressly) widen the scope of warrants issued to law enforcement agencies under the rule.
Google took specific exception to this statement in its comments to the court. “. . . Despite this weak assurance that the amendment does ‘not purport’ to expand the current scope of Rule 41, in reality it will: The nature of today’s technology is such that warrants issued under the proposed amendment will in many cases end up authorizing the government to conduct searches outside the United States,” writes Richard Salgado, Google’s director of law enforcement and information security.
“Google urges the Committee to reject the proposed amendment to Rule 41,” Salgado writes in his conclusion. “. . . The proposed amendment substantively expands the government’s current authority under Rule 41 and raises a number of monumental and highly complex constitutional, legal, and geopolitical concerns that should be left to Congress to decide.”
The outrage of tech companies might be just the tip of the backlash against the rule change. The European Union will certainly have something to say about the U.S. government’s increased ability to surveil the computers of its citizens.