Senators: Americans “Deserve Answers” About Justice Department’s Expanded Hacking Authority

Image courtesy of inajeep

On December 1, a new rule will likely go into effect at the Justice Department that may expand law enforcement agencies’ authority to remotely hack into computers and take what data they find there during an investigation. Lawmakers have been pressing the DOJ for more information on the rule, specifically why the agency wants this authority, and what it plans to do with it, but they now say the folks in Justice are only providing non-answers.

As we explained in October, Rule 41 of the Federal Rules of Criminal Procedure dictates how a legal search and seizure can be conducted.

In April, the Supreme Court approved an amendment — written not by Congress, but by the Judicial Conference of the United States, the policy-making body for the federal court system — to that rule that would allow federal magistrate judges to issue warrants that would let law enforcement remotely search through computers outside of the court’s physical jurisdiction, and to seize data on those computers if the device’s location is “concealed through technological means,” or if the computer was part of a botnet used in a cyber attack.

The Electronic Frontier Foundation ran a deep-dive explanation of the implications of this amendment, but the gist of what critics argue is that the changes to Rule 41 would expand procedural power (the things law enforcement can legally, regularly do) to access more people’s stuff.

The EFF pointed out in that critique that the part about being able to access computers used in cyber attacks is particularly threatening to privacy, since most people whose computers have been hijacked in that way don’t even know it.

“This means victims of malware could find themselves doubly infiltrated,” the EFF wrote at the time. “Their computers infected with malware and used to contribute to a botnet, and then government agents given free rein to remotely access their computers as part of the investigation. Even with the best of intentions, a government agent could well cause as much or even more harm to a computer through remote access than the malware that originally infected the computer.”

In May, Sen. Ron Wyden (OR) and four others co-sponsored a bill that would have prevented the Rule 41 changes from going into effect. Literally, that’s all it said: “The proposed amendments to rule 41 of the Federal Rules of Criminal Procedure, which are set forth in the order entered by the Supreme Court of the United States on April 28, 2016, shall not take effect.”

In a post on Medium at the time, Wyden wrote that, “The American public should understand that these changes won’t just affect criminals: computer security experts and civil liberties advocates say the amendments would also dramatically expand the government’s ability to hack the electronic devices of law-abiding Americans if their devices were affected by a computer attack.”

That bill has gone, well, about as far as you’d expect most bills to go this year, with Congress both gridlocked and also largely out of session.

That brings us back to October, when Wyden and 22 other members of Congress sent a letter to U.S. Attorney General Loretta Lynch asking her to clarify just what the Justice Department would do with the expanded authority that the Rule 41 changes will bring it.

“We are concerned about the full scope of the new authority that would be provided to the Department of Justice,” the letter read. “We believe that Congress — and the American public — must better understand the Department’s need for the proposed amendments, how the Department intends to use its proposed new powers, and the potential consequences to our digital security before these rules go into effect.”

“In particular… please describe how the principle of probable cause may be used to justify the remote search of tens of thousands of devices,” the letter continued. “Is it sufficient probable cause for a search that a device merely be ‘damaged’ and connected to a crime?”

The DOJ did respond in a letter of its own [PDF] late last week, arguing that the Rule 41 amendments mark the end of a three-year deliberation process and that, basically, they’re no big deal and the lawmakers need to calm down.

“It is important to note that the amendments do not change any of the traditional protections and procedures under the Fourth Amendment,” the response reads, echoing statements made by the DOJ earlier this year.

“Further, the amendments would not authorize the government to undertake any search or seizure ore use any remote search technique … that is not already permitted under current law,” it continues. “Nothing in the amendments changes the existing legal requirements.”

“As with law enforcement activities in the physical world,” it continues, “law enforcement actions to prevent or redress online crime can never be completely free of risk. Before we conduct online investigations, the Department of Justice carefully considers both the need to prevent harm to the public caused by criminals and the potential risks of taking action.”

To that end, the letter says, the DOJ tests its software tools before using them to “ensure that tools work as intended and do not create unintended consequences.”

Original letter-writers Wyden and Sen. Chris Coons (DE), however, find the answers less than satisfying.

“The American people deserve answers to these very basic questions about how our government intends to hack thousands or millions of personal devices with a single warrant,” Wyden said in a statement. “The Justice Department’s failure to answer these questions should be a big blinking warning sign about whether the government can be trusted to carry out these hacks without harming the security and privacy of innocent Americans’ phones, computers and other devices.”

Coons echoed the sentiment, saying, “While I am pleased that the Department of Justice responded to our October letter concerning the proposed amendments to Rule 41 of the Federal Rules of Criminal Procedure, many questions remain unanswered. That is why I continue to believe Congress should have a substantive debate surrounding any changes before they go into effect.”

The Senators are now operating under a very tight deadline to get any changes made. Without more action, the Rule 41 amendments go into place a week from Thursday.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.