Pending Rule 41 Changes Facilitate Government Spying, So Senators Introduce Legislation To Protect Citizens
Tuesday, May 24, 2016
Late last week, MacDailyNews reported (links added):
"U.S. Senators Ron Wyden, D-Ore., and Rand Paul, R-Ky., yesterday introduced the Stopping Mass Hacking (SMH) Act to protect millions of law-abiding Americans from government hacking. The Stopping Mass Hacking (SMH) Act prevents recently approved changes to Rule 41 from going into effect. The changes would allow the government to get a single warrant to hack an unlimited number of Americans’ computers if their computers had been affected by criminals, possibly without notifying the victims."
This news story caught my attention because you don't often see Senators Wyden and Paul working together. It raises several questions: what is so important? What is going on?
Last summer, this blog briefly discussed Rule 41 changes the U.S. Justice Department (DOJ) sought. The rule governs how search, seizure, and arrest warrants are obtained by prosecutors for criminal cases. Given sophisticated computer viruses (e.g., malware) that can take over multiple computers in multiple areas and coordinate attacks by those infected computers (a/k/a botnets), the DOJ sought changes where judges could approve warrants where the botnet location is unknown or located in another area, state, or jurisdiction. The Tech Dirt blog covered this well on April 29:
"The DOJ is one step closer to being allowed to remotely access computers anywhere in the world using a normal search warrant issued by a magistrate judge. The proposed amendments to Rule 41 remove jurisdiction limitations, which would allow the FBI to obtain a search warrant in, say, Virginia, and use it to "search" computers across the nation using Network Investigative Techniques (NITs)."
The Tech Dirt blog post also published the relevant section of the pending Rule 41changes approved by the U.S. Supreme Court (SCOTUS):
"Rule 41. Search and Seizure
(b) Venue for a Warrant Application. At the request of a federal law enforcement officer or an attorney for the government:
(6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if:
(A) the district where the media or information is located has been concealed through technological means; or
(B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts."
The document also says the following about electronic searches:
"(f) Executing and Returning the Warrant.
(1) Warrant to Search for and Seize a Person or Property.
* * * * *
(C) Receipt. The officer executing the warrant must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken or leave a copy of the warrant and receipt at the place where the officer took the property. For a warrant to use remote access to search electronic storage media and seize or copy electronically stored information, the officer must make reasonable efforts to serve a copy of the warrant and receipt on the person whose property was searched or who possessed the information that was seized or copied. Service may be accomplished by any means, including electronic means, reasonably calculated to reach that person."
So, the remote, electronic searching of computers doesn't target only the computers of the defendant suspected of committing a crime, but it also targets innocent people whose computers may or may not have been infected by the computer virus or botnet. How? Government prosecutors can easily craft broad warrants, and/or computer-illiterate judges can approve them.
And, innocent people won't necessarily receive any notice (e.g., the "reasonable efforts") about remote electronic searches of their devices (e.g., desktops, laptops, phones or tablets) located inside or outside their homes. And, that notice might be after the remote electronic searches were completed. Huh? When the government performs broad searches like this, that is called surveillance... spying.
Were you aware of Rule 41? Of the pending changes? Probably not. And, you'd probably agree that innocent persons' computers shouldn't be searched; and if so, advance notice should be provided. This troubles me and I hope that it troubles you, too.
I also find it troubling that the proposed Rule 41 changes weren't discussed nor debated publicly in Congress. Using the proposed Rule 41 changes, the government has found slick, stealth way to gain broader powers to spy on U.S. citizens while conveniently ignoring the Fourth Amendment of the U.S. Constitution.
Senator Paul said in a statement:
"The Fourth Amendment wisely rejected general warrants and requires individualized suspicion before the government can forcibly search private information. I fear this rule change will make it easier for the government to search innocent Americans’ computers and undermine the requirement for individual suspicion..."
Senator Wyden said in a statement:
"This is a dramatic expansion of the government’s hacking and surveillance authority. Such a substantive change with an enormous impact on Americans’ constitutional rights should be debated by Congress, not maneuvered through an obscure bureaucratic process... Unless Congress acts before December 1, Americans’ security and privacy will be thrown out the window and hacking victims will find themselves hacked again - this time by their own government."
Proponents of the Rule 41 changes will often argue that the changes are needed to fight child predators and terrorists. A wise person once told me, "you can't just run away from the Fourth Amendment." The ends don't justify the means.
The Computer & Communications Industry Association (CCIA) said:
"The proposed rule change has gone largely unnoticed by the public via a behind-the-scenes process usually reserved for procedural updates. The CCIA has voiced its concern about the government’s requested change for the past two years and we invite other technology advocates to join us in supporting this important legislation... We welcome Senators Wyden and Paul’s efforts to prevent this highly controversial rule change from taking effect. They recognize that the far-reaching implications of the government’s proposed changes merit the full attention of their colleagues in Congress. There are Constitutional, international, and technological questions that ought to be addressed transparently... The government’s proposal is a substantive expansion of its ability to conduct electronic searches, and it deserves a public debate in Congress..."
Peter Goldberger, the Co-Chair of Committee on Rules of Procedure at the National Association of Criminal Defense Lawyers (NACDL) said:
"This is a significant and substantive change to the law masquerading as a procedural rule change.. While it is surely possible to craft a constitutional procedure for digital searches, the rule making process is not sufficient for addressing such fundamental constitutional questions. Only a comprehensive legislative approach, crafted after full public hearings, could possibly deal with all the complex aspects of this issue."
You can read the Stopping Mass hacking Act (Adobe PDF) text. It's short. I wish that it went further and, a) cited prior legal cases to prevent the remote electronic searches of innocent persons' devices, b) included stronger language to prevent innocent persons from the burden of responding to court orders, subpoenas, and searches, and c) prevent the government from hiring a third-party to perform the remote electronic searches.
So, now you know. Thankfully, Senators Wyden and Paul are paying attention and have decided to work together. The seriousness demands such. Senators Tammy Baldwin (D-Wisconsin), Steve Daines (R-Montana), and Jon Tester (D-Montana) are co-sponsors of the Senate bill. Contact your Senator and ask why he/she does not support the Stopping Mass Hacking (SMH) Act. Then, contact your Representative and demand that he/she support a similar bill in the House of Representatives. Tell them that rules changes should not masquerade as changes in laws.
The two things that are most disturbing about the proposed changes to Federal Rule of Criminal Procedure 41 (Crim. 41) are how they were done and what those changes do. The controversial changes to Crim. 41, which have the potential, depending on how the federal courts would interpret them, were done through a bureaucratic process in the judicial branch of government, which is for considering and promulgating changes in the administration of justice and the rules of procedure. That process is not meant to change or affect the rights of U.S. persons. In fact, the federal statute authorizing this process, 28 U.S.C. § 2072, mandates that the process of changing the rules of procedures shall not affect anyone’s substantive rights:
Such rules shall not abridge, enlarge or modify any substantive right. All laws in conflict with such rules shall be of no further force or effect after such rules have taken effect.
28 U.S.C. § 2072 (b). Yet, depending on how the federal courts interpret Crim. 41, it may do exactly what both the U.S. Constitution, as the supreme law of the land, and 28 U.S.C. § 2072, supra, forbid it to do. And this potential mischief was done in a way by the Department of Justice that obscured what was done from the public view.
What was done?
Unlike some of the sources that the Editor cites, supra, I don't have any problem with one of the effects of Crim. 41. That is where Crim. 41 expands the territorial jurisdiction of judges and magistrate judges so that, as provided by Crim. 41, they can issues search warrants that extend beyond the territory of their district. So a federal judge or magistrate in New York City, when faced with cybercrime that occurs in many places in the country or is of unknown location, can issue a search warrant that will be valid anywhere that the cybercrime is having its effect. That, I think, is simply a sensible concession to the realities of the Internet age, where, unlike prior times, crime knows no boundary or border or even set geographic location. Restricting the scope of search warrants to federal court district, many of which were drawn in the last century or even the 19th century, makes not sense in the Internet age.
The problem with Crim. R. 41 is that it does much more than expand the territorial scope of search warrants. If read, I believe incorrectly, it could permit a judge or magistrate to authorize the search of any computing device that is connected to the Internet or any other interstate network, which has been affected by cybercrime, even the computing devices of innocent persons, whose only involvement in the cybercrime is that they are victims of it. If so read, that search would permit federal law enforcement authorities to conduct massive searches of any affected computer.
That is going way too far, because it violates several provisions of the U.S. Constitution’s Bill of rights, e.g., the 1st, 4th, and 5th Amendment, and would also violate precedent that limits the reach of search warrants, applying much more restrictions on warrants that search the property of innocent and uninvolved persons than it places on suspected criminals. Innocent persons are entitled to notice before the search occurs, unless exigent circumstances dictate otherwise, and notice must be given forthwith as soon as practical; the authorities must obtain the innocent person’s consent to the search or afford him a reasonable opportunity to challenge the search in court; the search can’t unduly burden any of the property rights of the innocent person whose property is being searches; importantly, the government can’t search at all, if it can obtain what it seeks elsewhere or by other reasonable and practical means; and the search can’t interfere with any of the innocent person’s other substantive rights, especially his constitutional rights. This is what the U.S. Constitution and 28 U.S.C. § 2072 (b), and precedent requires. And, if read in that way, Crim R. 41 might not do much harm, and the DOJ’s virtually clandestine effort to amend Crim. R. 41 to dramatically expand the government authority to search the computers of even innocent people would come to very little and perhaps nothing.
But the problem is that the language of Crim. R. 41 is not expressly qualified to conform to the mandates of the U.S. Constitution, law, and precedent. Crim. R. 41’s language could be read to authorize the search of any computing device that is connected to any interstate network which is affected by cybercrime. That’s the mischief that Senators Paul and Wyden are most concerned about. Their approach to eliminating that danger is to legislatively veto the changes to Crim. R. 41, instead of amending it to comply with law. That approach is certainly preferable to allowing Crim. R. 41 to go into effect as written.
Posted by: Chanson de Roland | Wednesday, May 25, 2016 at 02:58 PM
A coalition of 50 organizations, including public interest groups, privacy tool providers, and Internet companies, have united against Rule 41 changes. Cindy Cohn, the Executive Director of the Electronic Frontier Foundation (EFF) said:
"Any expansion of law enforcement’s ability to remotely attack computers should be thoroughly considered by Congress, not passed off as a minor procedural adjustment. Yet Rule 41 would grossly expand the power of law enforcement to seek orders to attack and exploit computers around the country and around the world, with no statutory guidance, safeguards, or consequences for the harm they will cause."
Learn more, read the advice from several experts, sign the online petition, and contact your elected officials:
Stop the Changes To Rule 41
Posted by: George | Wednesday, June 22, 2016 at 12:35 PM