Cyber Security

Rule 41: How The DOJ’s New Rules Mean The FBI Can Hack You

The updated Rules of Criminal Procedure will help stop bad guys. But are they worth it?

Nov 30, 2016 at 11:28 AM ET

On Thursday, with little fanfare except outrage from tech-savvy activists, the rules for fighting online crime in the United States will change.

The controversy is twofold. First, critics fear the rules themselves, while intended to help solve real issues that come with fighting internet crime, will open up a Pandora’s box of new authorities for federal law enforcement agencies, like the FBI, giving them vast new powers to hack individuals without an individual warrant and without much cause. Second, such a drastic expansion of legal powers usually is far more public, and comes either through a congressional bill or a president’s executive order. But these changes are simply handed down by the Department of Justice.

The rules being expanded are called Rule 41, and the criticism is of the upcoming changes to them. Here, Vocativ breaks the issue down.

What is Rule 41?

It’s one of the 61 Federal Rules of Criminal Procedure, which are the guidelines for how the U.S. government conducts criminal investigations.

Rule 41 is already a big one: It covers search and seizure, and how warrants are issued. For the most part, as the rules currently stand, warrants are issued for a given judicial district. If a crime is committed in the suburbs of Dallas, for example, a federal agent would probably go through the Northern District of Texas to get a warrant.

The Department of Justice thinks the rules aren’t updated for the age of internet crimes, and wants to change them. It’s already gotten the Supreme Court’s blessing, but as critics are quick to note, it notably never had to pass through Congress.

Why does the DOJ think a change is necessary?

The internet makes some definitions, like the legal definition of location, extremely tricky. Online crimes don’t often fit neatly into geographical districts.

Take the case of infamous neo-Nazi hacker Andrew “weev” Auernheimer, who figured out a vulnerability with certain iPads that made AT&T disclose customers’ personal information. After his conviction, an appeals court reviewed his case because it had been tried in the District Court of New Jersey. But the connection there was slim, and was based just on the fact that some of the victims were in that state. It would have made more sense to hold it in Arkansas, where weev was when he committed the crime, or in Texas or Georgia, the locations of the servers he exploited. An appeals court threw out his conviction over the venue, and weev walked free.

Besides, any internet criminal worth their salt knows how to mask their location by, for instance, using the Tor browser to detour their internet connection around the world as they browse.

There’s another issue, too. A number of online crimes capitalize on botnets, which are coalitions of hacked computers that can be directed to act together. A botnet could easily include tens of thousands of computers, each conducting an identical criminal act, with at least one located in each of the 94 federal judicial districts in the country.

So what would the DOJ’s Rule 41 changes do?

They would let any magistrate judge issue search and seizure warrants for electronic media in either of two situations: if the location of the information is “concealed through technological means,” or if it’s a hacking case that concerns computers in at least five districts.

What’s wrong with that?

Technology and privacy legal experts have raised a litany of potential problems with this. Groups like the Center for Democracy and Technology, Access Now, and the Electronic Frontier Foundation agree with the DOJ’s desire for updated rules, but fear they’re written without safeguards.

One of their most fundamental concerns is defining just what it means to legally uncover a device that’s “concealed through technological means.” It’s true that any criminal worth their salt will probably use Tor, but so do millions of legit users, including dissenters in authoritarian countries, privacy advocates, and regular people who simply don’t like advertising their location to every website they visit. So how would, for example, the FBI determine who’s behind a given activity? By hacking them, most likely, after getting that warrant.

Another is that not all districts are created equal. One theory for why prosecutors wanted to try weev in New Jersey — again, that seemingly arbitrary choice is why his case was thrown out — is that it’s a state where a misdemeanor hacking crime can become a felony if the hack is in furtherance of another crime.

And many legal experts worry that if U.S. law enforcement is given warrants that allow them to hack anywhere, there will be no stopping them from hacking foreign targets with impunity.

What about fighting botnets?

With the proposed changes, federal agents could also obtain warrants for computers thought to be hacked. That’s by design, and on one hand it would definitely be a positive. Look, for example, at the enormous botnets that can threaten the stability of some of the internet’s favorite sites. In October, an enormous botnet, made up largely of hacked Internet of Things devices, was used to crash a service fundamental to the operation of many major sites, including LinkedIn, Reddit, and Twitter. That botnet singlehandedly slowed down much of the internet experience for hundreds of millions of people.

If the FBI had been legally authorized to hack a number of those IoT devices to remove the malicious code that made them part of that botnet, the damage could have been mitigated.

But there’s a drawback to that, too. By one estimate, 30 percent of computers are infected with some kind of malware. Does that mean they should all be fair game for law enforcement to hack in the case of a crime?

The DOJ has defended itself here, with Assistant Attorney General Leslie Caldwell blogging Monday that those warrants would “typically, be done only to investigate the extent of the botnet.” But even though she admits that hacking botnets to return them to their owners “could arguably involve conduct that would constitute a search and seizure” — meaning it could possibly violate the Fourth Amendment — Caldwell says that’s a different fight, and isn’t an issue of venue, which is what these changes would alter.

What are people doing to stop Rule 41?

Senator Ron Wyden (D-Oreg.), one of the most privacy- and cybersecurity-savvy members of Congress, has introduced a bill, called the Stop Mass Hacking Act, to delay the Rule 41 changes from taking place until April.

A number of privacy advocates have launched campaigns, like Access’s No Global Warrants, which encourage people to call their representatives in Congress to support Wyden’s bill.

But the SMH Act hasn’t gotten much attention in the Senate, and almost certainly won’t pass before Dec. 1. The rules will take effect Thursday as scheduled. But that doesn’t mean they’re permanent.

A source on the Hill told Vocativ there was hope that the bill would fare better in 2017, with a new Congress. And as a Stanford Law School Center for Internet and Society analysis found, the rules will probably be readdressed: “Courts, Congress and the Administration will likely grapple with the substantive problems at some point down the road,” it found.