Imagine a bank in Manhattan receives a number of strange online requests for access to its accounts. After investigating, the bank’s security team suspects an attack by a botnet originating in Eastern Europe. The FBI then seeks a single warrant from a U.S. judge to hack into the devices of victims of the botnet wherever those devices are located. It turns out there are 100,000 computers in the botnet, and one of them is yours.
So the victims become the target again—this time by the U.S. government, which at this very moment is granting itself the unprecedented power to hack into your computer without your knowledge or consent. Your personal data may be accessed and stored or your computers might be rendered unusable. And all of this will likely make you even more vulnerable to further attacks.
In late April, the Supreme Court approved a rule change that will allow U.S. law enforcement to get a warrant to hack into users’ computers and phones anywhere around the world. This is just the latest effort by the U.S. government to expand its hacking operations. The Department of Justice tried to use the courts to force Apple to undermine the security of its own devices, before paying a hacker a $1.3 million bounty to do its dirty work for them. The National Security Agency plans to eliminate its firewall between its hacking and defensive operations, creating a powerful cyber-surveillance behemoth. These heavy-handed efforts don’t even include the Obama administration’s nearly $20 billion budget for cybersecurity in 2016. And now the Supreme Court has just stepped into this minefield.
The change concerns Rule 41 of the “Federal Rules of Criminal Procedure,” which govern how the U.S. government pursues an investigation. The update to the arcane rule has three parts. The first allows a judge to approve an order for hacking to extend to any jurisdiction regardless of the location of the device, so long as the end user has attempted to obfuscate that location. This would include people who use a virtual private network, or VPN, to protect their data and people who use the Tor browser. Some criminals do use these sorts of tools to hide their location—but so too do human rights defenders and marginalized people who seek to protect themselves from harm. The second part allows a single order to issue for an entire network of computers, such as devices belonging to victims infected with botnet malware. Finally, the change modifies the notice requirements for court orders.
This update not only tacitly blesses the government’s ability to hack into devices, but permits operations that reach thousands or millions of computers with a single court order. The change allows the U.S. government to hack into machines without geographic restriction, which means that it could inevitably affect hundreds of millions of innocent users outside of U.S. borders.
One of the biggest problems with the changes to Rule 41 is that it is difficult to anticipate how methods to infiltrate user devices will perform in the real world. To understand the unpredictable nature of government malware, you need only look at the wildfire spread of Stuxnet (and its spawn) to an untold number of non-target devices. Documents received by Wired under the Freedom of Information Act further demonstrate this fact—the documents show that in various investigations, the FBI was confused by the behavior of its own software.
At Access Now, the digital rights organization that I co-founded, we’ve seen hacking powers frequently misused around the globe when repressive governments utilize sophisticated intrusion tools, such as those offered by Blue Coat Systems and Hacking Team. And we know from our free 24-hour Digital Security Helpline that the most frequent victims of such hacks are often users at risk—LGBTQ people, journalists, and marginalized communities.
Government hacking also broadly undermines the security of the global internet. Many forms of hacking rely upon vulnerabilities in commonly used commercial software. State-sponsored hacking—especially of the type that could result from this rule change—discourages a government from disclosing a discovered vulnerability to someone who can patch it. Patched vulnerabilities keep users’ data secure against data breaches or other unauthorized access, but aren’t useful to governments looking to break into user systems. We already know the NSA likely undermined basic encryption standards used in developing secure software in order to maintain its own hacking capabilities. It’s not unlikely that the FBI would make the same decisions.
Now that the Supreme Court has approved the rule change, the only way to stop it is for Congress to pass a law to amend or render it invalid before Dec. 1, 2016. At that point the rule enters full force and effect with massive implications for human rights around the world.
The rule change comes at a time when there needs to be a discussion about what sort of authority we give to our governments to hack their citizens, and the citizens of other nations. Hacking comes with unique risks, just like other forms of surveillance that Congress has limited with additional safeguards. Yet Congress has never spoken on the issue of government hacking.
That should soon change. Sen. Ron Wyden announced at RightsCon earlier this year that he will fight this change; he plans to introduce legislation to knock it back. Meanwhile, governments around the world—including the United Kingdom and the Dutch governments—are debating how to authorize government hacking. The United States should be setting an example by initiating a public debate in Congress—not by quietly slipping through major changes in procedural documents.
