Senators Introduce Bipartisan Bill To Limit Law Enforcement’s Rights To Hack Stuff

Image courtesy of inajeep

A group of Senators has announced today that they are introducing a new bill into the Senate designed to prevent mass hacking of Americans’ digital devices. But the lawmakers aren’t targeting shadowy collectives or foreign nationals with their proposed legislation; they’re seeking to limit the scope of actual Federal agencies’ powers.

The Stopping Mass Hacking Act — which they are, yes, literally referring to as the SMH Act — seeks to limit changes to a section of law known as Rule 41 from going into effect. Senators Ron Wyden (OR) and Rand Paul (KY) are spearheading the effort, with co-sponsorship from Senators Tammy Baldwin (WI), Steve Daines (MT), and Jon Tester (MT).

The text (PDF) of the bill is as short and blunt as it gets, reading, in full: “The proposed amendments to rule 41 of the Federal Rules of Criminal Procedure, which are set forth in the order entered by the Supreme Court of the United States on April 28, 2016, shall not take effect.”

So what’s Rule 41, and what did the Supreme Court change?

The EFF has an in-depth explanation, but the short version is this: the proposed changes to Rule 41 would expand procedural power (so, the things law enforcement can legally, regularly do) to access more people’s stuff.

The proposed change would allow judges to grant search warrants for remote search of accounts and devices — as in, using software to access someone’s phone or computer when it’s miles and miles away and not necessarily in the possession of the entity you’re investigating.

It specifically targets two groups of people and devices. The first are those using certain privacy tools, like VPNs, that virtually hide your device’s location. The EFF surmises that it could even extend to smartphones and apps with location services disabled.

The other group of devices that could be subject to search? Anything that’s part of a botnet which, by definition, is going to include a whole lot of innocent or unrelated persons’ devices running software they don’t know about and don’t intend to run. As the EFF puts it: “This means victims of malware could find themselves doubly infiltrated: their computers infected with malware and used to contribute to a botnet, and then government agents given free rein to remotely access their computers as part of the investigation. Even with the best of intentions, a government agent could well cause as much or even more harm to a computer through remote access than the malware that originally infected the computer.”

Senator Wyden, who has in recent months taken strong stands for consumers rights’ to encryption and privacy, shared his thoughts in a post on Medium.

Speaking partly in *.gif, the language of the internet, Wyden said, “An agency with the record of the Justice Department shouldn’t be able to wave its arms and grant itself entirely new powers.”

“The American public should understand that these changes won’t just affect criminals: computer security experts and civil liberties advocates say the amendments would also dramatically expand the government’s ability to hack the electronic devices of law-abiding Americans if their devices were affected by a computer attack,” Wyden continued. “Devices will be subject to search if their owners were victims of a botnet attack — so the government will be treating victims of hacking the same way they treat the perpetrators.”

The proposal could affect over 500 million computers, Wyden wrote, and the scale matters. “By allowing so many searches with the order of just a single judge, Congress’s failure to act on this issue would be a disaster for law-abiding Americans,” said the Senator, before concluding:

“When the public realizes what is at stake, I think there is going to be a massive outcry: Americans will look at Congress and say, ‘What were you thinking?'”

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.