Skip to content
Naked Security Naked Security

Campaigners bid to delay Rule 41 ‘legal hacking’ bill

Lawmakers seek to delay controversial rule granting US law enforcment officials wide-ranging freedom to hack computers - wherever they are

Two weeks before a December 1 deadline for a federal rule that would let feds hack you wherever you are, lawmakers made a last-ditch effort to push it back for six months.

As we reported  in April, when the US Supreme Court first proposed the rule change, it was to a procedural rule known as Rule 41.

The change would allow judges to issue warrants for the government to hack computers anywhere, even outside their jurisdictions and regardless of whether those computers belong to innocent victims of criminal hacking.

An amended Rule 41 was to automatically go into effect on December 1 2016 unless halted by Congress.

With the clock fast ticking down toward what opponents saw as an impending privacy catastrophe, and with the “Stop Mass Hacking Act” legislation to stop the changes being repeatedly pushed off during the frenetic election season, a coalition of senators and representatives finally did something.

Namely, a bicameral coalition proposed legislation on Thursday afternoon: not to stop the changes dead, but to at least delay implementation until July 1 next year.

The bill is called the Review the Rule Act (PDF).

Legislation doesn’t get much more succinct than this. The bill description:

To delay the amendments to rule 41 of the Federal Rules of Criminal Procedure.

One of the delay backers, Senator Steve Daines, a Republican from Montana, reiterated what opponents have been saying for months: the Rule 41 change would give the federal government a “blank check” to infringe on people’s civil liberties, and Congress needs time to investigate what the rule would mean for Fourth Amendment rights.

Opponents have banded together to fight off Rule 41 changes, many as members of the No Global Warrants coalition of public interest groups, privacy tool providers and internet companies.

Among their arguments:

  • An amended Rule 41 would invite law enforcement to seek warrants authorizing them to hack thousands of computers at once, likely in direct violation of the Fourth Amendment protection against unreasonable search
  • “It would also take the unprecedented step of allowing a court to issue a warrant to hack into the computers of innocent internet users who are themselves victims of a botnet”
  • The government could now “shop” for a sympathetic judge known for lenient standards

As evidence of how Rule 41 could be used unlawfully, opponents point to the warrant the FBI used in the Playpen investigation, which resulted in the FBI putting malware on to more than 1,000 computers around the world as agents tried to track down sexual abusers of children.

In late October, the Center for Internet and Society at Stanford Law School hosted a discussion on the controversy over Rule 41.

The results included consensus on some broad points: both those panelists opposed and in favor of the rules change agreed that, for one thing, current law doesn’t adequately address situations where the government has probable cause to search but doesn’t know exactly where they’re going to turn up computers with evidence.

Another thing broadly agreed upon is that if you go searching computers overseas, you’re very likely going to break international law or treaties when you go after anonymous targets.

Also, there’s this: wouldn’t an amended rule mean the US could break the rule of reciprocity? As in, if the US gives itself carte blanche to hack anonymous targets the world over, wouldn’t it open the door to other countries hacking US citizens in violation of those same laws and treaties?

That panel discussion took place about a week after the Mirai botnet, one of the largest and most powerful distributed denial of service (DDoS) attacks ever, hit DNS provider Dyn and shook major services including Twitter, Reddit and Spotify.

That type of attack is what one of the changes to Rule 41 is supposed to address.

Could the rule change have been used to mitigate the Mirai threat?

The panelists “had relatively little to say” about that, as the CIS’s Marshall Erwin and Jennifer Granick said. Rule 41 changes include a botnet provision that’s seen little investigation compared with the other change, which would impact territorial reach and Fourth Amendment implications.

More mulling is required, they said, and hopefully the proposed delay will help that happen:

If changes to Rule 41 go into effect on December 1 as scheduled, courts, Congress and the Administration will likely grapple with the substantive problems at some point down the road. In the meantime government hacking moves forward.

If [the Review the Rule Act] becomes law, there’s time to deal with those problems now, but the law enforcement gap remains unaddressed for six more months. Regardless, we should assume that substantive concerns need attention now, even if judges begin to issue warrants under the revised rule.

9 Comments

I don’t really care. I am not a criminal and I don’t know any criminals.
As long as they make no changes to my system well then, hack away until you get bored.

So…you’re okay with them accessing the webcam integrated into your laptop cover just to make sure you’re not building any bombs in your bedroom? “We’re just checking”.

@ Ken “I don’t really care. I am not a criminal ” YET… right?
I Guess you never really learned anything from History or in your History classes! People wonder why the U.S. has become what it has, the reason, all you have to do is read comments from people like Ken here. Thanks Ken it’s people like you who are really making great strides in the destruction of this country and it’s freedoms.

Hi LIsa. Missed word here–likely “computers” or “servers”–feel free to discard my comment instead of approve if it’s already been mentioned
:-)

FBI putting malware on to more than 1,000 [?] around the world

This is very disturbing indeed, the thing people saying they’re OK with this don’t understand is that these same systems the gov’t would use to hack can be overtaken by bad guys as well. Any security loophole is a total flaw and can be accessed by anyone computer savy it’s only creating greater risks for us the people. It’s not just about privacy, granted privacy is very important, these types of hacks would give access to anything and everything including banking info. So your ok with the gov’t or criminals taking that information ok with them taking pictures of you or your family posting them God knows where saying ignorant shit just because. I’m sorry but if your ok with these types of laws then you are the issue with this country, your a sheep your docile and they will have more control over you than ever before. This country was free the constitution was made to protect these freedoms, they keep trying to destroy it and get closer and closed with laws like this. If we do not stand and stop this shit now the constitution will dissappear and it’ll be top late to reverse the effects.

It’s Nov 29, 2016 and I am just now hearing about this proposed rule 41 amendment – literally two days before it is to take effect and although “I am not a criminal and I don’t know any criminals,” I am really concerned. What is the latest on this bid to delay until July???

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?