The rules for how the Department of Justice tracks down criminals in the digital age are woefully arcane, but the DoJ's recent proposed changes to update those rules go way too far, using vague terms to grant sweeping remote search powers that would take a torrential horse piss on the Fourth Amendment.
Under the auspices of probable cause, it'd give FBI agents the power to install tracking malware on computers all over the world, without telling people they've started surveillance. Even though it looks like a minor rule change, the proposal would make it much easier for FBI agents to get warrants on computers without first figuring out their exact location. It gives judges much more flexibility on handing out remote search warrants outside of their jurisdictions. And that would give federal agents way more power to search computers.
This proposal isn't just the DOJ being Big Brothery for no reason. Remote computer searches are difficult to execute right now and that's an obstacle for combating digital crime and hunting criminals who use anonymizing software. This is a real problem, and something that needs to be addressed. But not this way. This is like using a nuke instead of a sniper rifle, and it's going to blow up our privacy rights.
I'm not going to lie, I didn't think I'd ever write an article about a DOJ procedural change because frankly, that sounds like comically dull policy housekeeping. And comically dull is what they were going for: It's a lot easier to slip in a major expansion of power if no one cares enough to pay attention.
But this proposal is way too big not to notice, no matter how boring-sounding and rote the DOJ tries to make it.
"Basically, we think this is a substantive legal change masquerading as a mere procedural rule change," Electronic Frontier Foundation staff counsel Hanni Fakhoury told me via email. "The government is essentially pushing for approval of the idea that it should have the power to deploy malware and execute remote searches. To us, it seems like that's a decision Congress should make."
The vague language of these rules could galvanize an avalanche of covert government surveillance by making it totally OK in certain situations to search peoples' computers without ever letting them know. And that's a violation of the Bill of Rights hidden inside a wonky-sounding procedural adjustment.
Right now, law enforcement officials can get a warrant to search computers remotely, as long as they have probable cause. But, apart from rare, limited circumstances, they need to find the right jurisdiction to petition for a warrant, and they need to give notice of their searches to whoever they're investigating. Notice is an important part of our Fourth Amendment privacy right. It's generally not legal for FBI agents to search you and never tell you. Except this change would make it so.
"The rule itself would be an acknowledgement that remote access searches are valid without notice, without special justification," Electronic Privacy Information Center general counsel Alan Butler told me. "Notice is one of the essential procedural protections of the Fourth Amendment. Validating a rule that implies that notice will never happen does not comport with the Fourth Amendment."
One of the primary reasons given for the DOJ's rule change is that it will help in hunting down botnets, or "robot networks." Criminals infect other peoples' computers with malware that lets them remotely control their machines; most of the time, people don't even know their computers got hijacked (hijacked computers are called "zombies"). Botnets can be huge and hard to trace, so the proposal is supposed to make things easier by giving law enforcement more room to search.
This is messed up because it'll allow law enforcement to dig around the computers that belong to the victims of botnets. So on top of getting invaded by criminals, now botnet victims would get invaded by the government too, without any heads up. And as botnets grow more sophisticated, the FBI and other law enforcement will have a hard time limiting the scope of their searches, since malware could spread to unexpected places. Oh, and did I mention that even if your computer wasn't directly part of a botnet, but had a tangential connection, it could be fair game for covert searches?
Basically, if you have a computer that is in any way vulnerable to a botnet, you have a computer that'll be vulnerable to the FBI installing tracking software on your zombified computer, and that software could poke around any number of personal files trying to sniff out other malware. This gives the government an excuse to play cat-and-mouse with cybercriminals using your laptop as the game board.
To make matters worse, the FBI won't have to confirm that a computer is within the US before it starts digging. If someone is using Tor and there's no way to figure out where their computer is actually located, the rule change will let agents search first, without notification. And if it turns out a computer is in, say, Iceland? Well, the search will already be carried out, sovereignty be damned.
That's going to piss off other countries. This whole thing is a mess.
A mess that might become official business, and soon: Judicial committee has already approved of the changes to what's known as Rule 41. Since the proposal got its first approval, it's now subject to a review by something called the Standing Committee on Rules of Practice and Procedure. From there, the Supreme Court will have a look, and unless Congress acts, the changes could go into effect as soon as December 2016.
In response to a deluge of comments arguing against the new rules, the DOJ issued a memo that said groups that saw this as an expansion of warrant powers as "misreading the text of the proposal or misunderstanding the current law." Right.
Just as Congress pushed through the Patriot Act by using terrorism as a catchall bogeyman, proposals like these are using fear of faceless, havoc-wreaking cybercriminals to justify invasive and unconstitutional changes. It's important to contest these changes loudly and to push for big power expansions like this to at least be debated in Congress and not pushed through by the very agencies that will benefit from looser privacy rules.