Under the old language of Rule 41, as we explained last week, judges could approve warrants authorizing hacking—or as the FBI calls it, network investigative technique, or NIT—only within their jurisdiction.
With the changes, first proposed by the Department of Justice in 2014, judges could now approve hacking operations that go beyond their local jurisdiction if the target’s location is unknown or is part of a network of infected computers, or botnets, under the control of criminals.
This change would be “the broadest expansion of extraterritorial surveillance power since the FBI’s inception,” according to Ahmed Ghappour, an computer crime law expert and professor at UC Hastings.
In support of the changes, the DOJ has argued that when defendants use technology to cloak their location (such as proxies or Tor) judges should be allowed to issue warrants that go beyond their jurisdiction.
“Criminals now have ready access to sophisticated anonymizing technologies to conceal their identity while they engage in crime over the Internet, and the use of remote searches is often the only mechanism available to law enforcement to identify and apprehend them,” DOJ spokesperson Peter Carr said in a statement.
“This amendment ensures that courts can be asked to review warrant applications in situations where is it currently unclear what judge has that authority. The amendment makes explicit that it does not change the traditional rules governing probable cause and notice.”
The timing of the approval couldn’t be better for the feds. Two different judges have recently cast a shadow over the legality of the FBI’s unprecedented mass hacking sting on the child pornography website Playpen.
In the last two weeks, a judge threw out the evidence collected by the FBI against one of the defendants identified during last year’s investigation. And a judge in another case stemming from the same operation recommendedthe evidence to be suppressed. Both judges argued that the single warrant that the FBI obtained to hack Playpen users was invalid because it violated the territorial restrictions in Rule 41.
Privacy advocates, legal experts, and Google, have long opposed changing Rule 41 with this new language, and are now arguing that Congress should step in and amend or reject the rule change.
“The Department of Justice is quietly trying to grant themselves substantive authority to hack into computers and masking it as a bureaucratic update,” Amie Stepanovich, the U.S. policy manager at Access Now, a digital rights organization, said in a statement.
“Such a monumental change in the law should not be snuck by Congress under the guise of a procedural rule,” Neema Singh Guliani, the legislative counsel of the American Civil Liberties Union, said in a statement. “Congress should reject the proposed changes to Rule 41.”
Congress now has until December 1 to weigh in, according to the US law governing the rulemaking process. If Congress doesn’t act, the rule will automatically come into effect.
Following the approval, Ron Wyden (D-Oregon) announced his intention to “introduce legislation to reverse these amendments shortly, and to request details on the opaque process for the authorization and use of hacking techniques by the government.”