Just in time for the Trump administration, the FBI has gotten what critics characterize as broad new hacking powers. As of Thursday, government agents can now use warrants obtained from a single judge to hack computers in multiple jurisdictions, rather than having to get warrants from judges in each distinct jurisdiction, as required under the old rule. The rule went into effect despite the last-ditch efforts by Sen. Ron Wyden (D-Ore.) and others to either kill or delay it in order to give Congress time to study its implications.
In a speech on the Senate floor Wednesday, Wyden said the change to Rule 41 of the Federal Rules of Criminal Procedure was especially troubling given the imminent presidency of Donald Trump, who has "openly said he wants the power to hack his political opponents the same way Russia does."
The changes were approved by the US Supreme Court in a private vote at the end of April, after several years of discussion within the federal judiciary. They were never debated by Congress. The US Department of Justice says the news rules are necessary, particularly in cases where criminals use anonymizing software to conceal their location while committing crimes such as peddling child pornography. Another concern is the weaponizing of hundreds of thousands of internet-connected devices into "botnets" that are then used to flood websites with traffic to shut them down, or for criminal activities that, in the words of Assistant Attorney General Leslie Caldwell, "siphon wealth and invade privacy on a massive scale."
Wyden isn't convinced that the changes are urgent. Along with Sens. Chris Coons (D-Del.) and Steve Daines (R-Mont.), he tried on Wednesday to get the Senate to approve legislation that would have either blocked or delayed the implementation of the new powers.
Those efforts failed.
"By sitting here and doing nothing, the Senate has given consent to this expansion of government hacking and surveillance," Wyden said in a statement. "Law-abiding Americans are going to ask, 'What were you guys thinking?' when the FBI starts hacking victims of a botnet hack. Or when a mass hack goes awry and breaks their device or an entire hospital system and puts lives at risk."
Caldwell argued the rules had already been debated and vetted. In a November 28 blog post, she wrote the federal judiciary deliberated on the changes for three years, using the same process used to modify other rules of criminal procedure. The current rule change deals specifically with venue issues—removing traditional jurisdictional constraints—and not what investigators can actually do as part of the search, she wrote. Further, investigators already had the power to search multiple computers at the same time, she noted, and it was already legal for investigators to hack victim computers to understand the scope of the criminal hack.
"It would be strange if the law forbade searching the scene of a crime," she wrote.
Caldwell also wrote that the rule modification doesn't change what is and isn't permissible under the Fourth Amendment protection against unreasonable searches and seizures. "The Constitution already forbids mass, indiscriminate rummaging through victims' computers, and it will continue to do so," she wrote. "By contrast, blocking the [rule change] would make it more difficult for law enforcement to combat mass hacking by actual criminals."
But those reassurances likely will not satisfy privacy advocates. In June, tech writer Mike Masnick noted that the DOJ's justification for the rule change "skirt[ed] the truth, at best." The new rule, Masnick wrote, "effectively wipe[s] out the requirement to give a copy of the warrant to the person whose computers are being hacked," which "pretty much guarantees that some of the people who are hacked following this won't even know about it." He suggested that the DOJ's use of the threat of child exploitation as a way to legitimize the rule change in effect derailed the necessary review of serious modifications to the government's powers that should be debated and approved by Congress. "The FBI has a rather long history of abusing its surveillance powers, and especially seeking to avoid strict oversight," Masnick wrote. "Approving such a change just because the DOJ is insisting it's 'FOR THE CHILDREN, WON'T YOU PLEASE THINK OF THE CHILDREN!' isn't a particularly good reason."
"Google has a significant interest in protecting its users and securing its infrastructure," wrote Richard Salgado, Google's director of law enforcement and information security, in a February 2015 letter submitted to the Judicial Advisory Committee on Criminal Rules. "The proposed amendment substantively expands the government's current authority under Rule 41 and raises a number of monumental and highly complex constitutional, legal, and geopolitical concerns."