Thursday, 27 October 2016

23 Lawmakers Want To Know What DOJ Would Do With Expanded Hacking Authority

The U.S. Congress has a month to decide on what it should do about a pending rule change that would arguably grant federal law enforcement agencies more authority to remotely hack into computers. Congress can let this amended rule go into effect by doing nothing, so before they let their idleness get the better of them, a group of nearly two-dozen members of the House and Senate are now pushing the Justice Department for more details.

Since this can get a bit complicated, let’s backtrack a bit. Rule 41 of the Federal Rules of Criminal Procedure dictates the ins and outs of a legal search and seizure.

Earlier this year, an advisory committee to the Judicial Conference of the United States — the policy-making body for the federal court system — submitted an amendment to Rule 41 [PDF] to the Supreme Court for approval.

That amendment would allow a federal magistrate judge to issue a warrant for authorities to remotely search a computer outside of the court’s district — and seize stored data — if the device’s location has been “concealed through technological means,” or if the computer was part of a widespread cyber attack.

SCOTUS approved the amendment to Rule 41 and passed it on to Congress, which has until Dec. 1 to either stop it or allow it to take effect.

The question is whether or not this amendment runs afoul of the Rules Enabling Act — the law that allows for changes to Rules of Criminal Procedure without having to pass new legislation every time. That law states that any new rules produced through this process shall not “abridge, enlarge or modify any substantive right.”

Opponents of the pending change to Rule 41 say that it unlawfully confers a new authority that changes substantive rights. First off, they contend that it adds a criminal taint to a perfectly legal practice: using location to cloak your location.

“There are countless reasons people may want to use technology to shield their privacy,” wrote the Electronic Frontier Foundation earlier this year. “From journalists communicating with sources to victims of domestic violence seeking information on legal services, people worldwide depend on privacy tools for both safety and security.”

However, the DOJ has claimed that the Rule 41 amendment is simply a clarification of existing authority.

“The amendment would not authorize the government to undertake any search or seizure or use any remote search technique not already permitted under current law,” the DOJ told Consumerist in May, noting that law enforcement would still need to demonstrate probable cause. This amendment, in the DOJ’s reading, “would merely ensure that some court is available to consider whether a particular warrant application comports with the Fourth Amendment.”

There doesn’t seem to be much middle ground on the interpretation of this amendment, which is why 23 lawmakers — representing both Republicans and Democrats — sent a letter [PDF] this morning to U.S. Attorney General Loretta Lynch, seeking clarification.

“We are concerned about the full scope of the new authority that would be provided to the Department of Justice,” reads the letter. “We believe that Congress — and the American public — must better understand the Department’s need for the proposed amendments, how the Department intends to use its proposed new powers, and the potential consequences to our digital security before these rules go into effect.”

The letter raises the issue of “forum shopping” — the practice of picking a judge or a court most likely to be amenable to your warrant request. The lawmakers want to know what sort of guidelines the DOJ will put in place to prevent prosecutors from trying to game the system this way.

The DOJ has also been asked to detail what, if any, legal differences exist between obtaining a warrant to search a computer in person versus obtaining that warrant to search remotely.

“In particular… please describe how the principle of probable cause may be used to justify the remote search of tens of thousands of devices,” asks the letter. “Is it sufficient probable cause for a search that a device merely be ‘damaged’ and connected to a crime?”

Speaking of damaged electronics… Gone are the days where only your one home computer was connected to the internet. Now, everything from your phone to your thermostat to your doorbell to your crockpot is on the same network. With regard to searches related to botnet cyber attacks, the lawmakers want to know how the DOJ intends to minimize the collateral damage to these devices.

Additionally, will the DOJ go beyond just searching botnet-attacked devices and use this Rule 41 authority to “clean” affected computers?

The following lawmakers signed this morning’s letter:
SENATE
Sen. Ron Wyden (OR)
Sen. Mike Lee (UT)
Sen. Patrick Leahy (VT)
Sen. Tammy Baldwin (WI)
Sen. Chris Coons (DE)
Sen. Steve Daines (MT)
Sen. Al Franken (MN)
Sen. Mazie Hirono (HI)
Sen. Jon Tester (MT)
Sen. Elizabeth Warren (MA)
Sen. Martin Heinrich (NM)
HOUSE
Rep. John Conyers, Jr. (MI)
Rep. Ted Poe (TX)
Rep. Justin Amash (MI)
Rep. Jason Chaffetz (UT)
Rep. Judy Chu (CA)
Rep. Steve Cohen (TN)
Rep. Suzan DelBene (WA)
Rep. Louie Gohmert (TX)
Rep. Hank Johnson (GA)
Rep. Ted Lieu (CA)
Rep. Zoe Lofgren (CA)
Rep. Jerrold Nadler (NY)


by Chris Morran via Consumerist

No comments:

Post a Comment