Privacy SOS

FBI warns against cyber attacks but seeks rule change to make them much more likely

Despite warning about the risk of cyber attacks against the United States, the FBI wants congress to change the federal rules of criminal procedure in a way that would make them much more common. The rule change the FBI seeks would allow agents to obtain warrants to hack into computers, even if the FBI doesn’t know where those computers are or who they belong to. My colleague Nate Wessler at the National ACLU helped to prepare a comment to congress advising against this change. He explains:

The FBI wants to be able to infect computers with malware when it doesn’t know where exactly they’re located. The implications for computer security, and for constitutional limits on the government’s search powers, are drastic.

The Department of Justice is asking a judicial committee to amend Rule 41 of the Federal Rules of Criminal Procedure, which generally permits magistrate judges to issue search warrants to the government only for searches within their judicial district. The government wants to lift the geographical limitation to allow it to conduct electronic surveillance of devices whose locations are unknown.

We know that the FBI – and possibly other law enforcement agencies – have been infecting the devices of criminal investigative targets since at least 2001. But if the proposed amendment is adopted, it will throw the doors wide open to an industry peddling tools to undermine computer security, and make the U.S. government an even bigger player in the surveillance software industry. That’s cause for concern when you consider the government’s own track record on data security. As we noted in a comment we submitted last week to the committee ahead of tomorrow’s hearing, “Agencies struggle with the most basic security practices, such as using good passwords, updating anti-virus software, and encrypting internet traffic on their websites.” Federal agencies reported a staggering 25,000 data breaches in 2013, and foreign governments and hackers have repeatedly penetrated federal systems – the White House’s network being the latest.

If the FBI gets its way, it will mean less cyber security for everyone—and not just because government agents may hack into your computer. The loosening of these rules would open the floodgates for an expansion of an already troubling economic market for the sale of “zero day” exploits. These are security flaws identified by independent researchers or corporations, including major war and surveillance companies. If one of those companies found a major security flaw in Google, for example, it wouldn’t necessarily tell Google. It might instead sell that “zero day” vulnerability to the NSA, to enable government agents to exploit the flaw in their surveillance attacks. The market for zero days is already extremely problematic. But opening up hacking to law enforcement nationwide would mean a huge increase in the business. That’s because security researchers would have an even larger market for selling these exploits, instead of alerting the companies about their flawed software.

A change in the federal criminal procedure rules to allow the FBI and other law enforcement to hack into our computers would therefore have the effect of hurting cyber security for every living person—not just those people targeted by specific government operations.

Read the ACLU’s full comment on the rule 41 proposal if you want to learn more about government hacking and why allowing it on this scale is a terrible idea.

© 2020 ACLU of Massachusetts.