Privacy SOS

Massachusetts tech leaders tell congress: Stop Mass Hacking

Today, nearly two dozen Massachusetts academics and business leaders wrote the Bay State congressional delegation, urging them to support the Stop Mass Hacking Act. Unless Congress acts before December 1, 2016, the FBI will gain broad new hacking powers never authorized by elected officials, and likely to be exercised in the dark. 

The letter reads:

We, the undersigned technology experts, business leaders, and academics, urge the Massachusetts congressional delegation to take swift action to stop a dangerous change to the rules of federal criminal procedure which, in the absence of congressional action, will go into effect on December 1, 2016. Bipartisan proposals in the House and Senate, known as the Stop Mass Hacking Act (S. 2952, H.R. 5321), would halt the rule change to give congress, technology experts, and members of the public the opportunity to fully examine and debate its consequences. We write to respectfully ask you to support this legislation, and press for public hearings and transparency regarding the government’s current hacking practices.

The proposed rule change alters language in Rule 41 of the Federal Rules of Criminal Procedure, which controls the federal search warrant regime. The new language authorizes federal magistrates to issue warrants for hacking and electronic spying in cases involving certain types of internet crimes or when the location of a computer is being masked electronically. If it goes into effect, the new rule would permit judges to authorize these searches within and outside their districts—an exception to the general rule that judges may only issues warrants within their jurisdictions. Such changes would go into effect despite the fact that Congress has never explicitly authorized remote hacking by law enforcement agencies.

The rule change raises several internet security and Fourth Amendment concerns. Because the rule change relaxes jurisdiction requirements, it opens the door to forum shopping, where law enforcement agencies apply for warrants in districts they believe are more likely to give them a favorable response. In addition, the change could be abused to allow law enforcement agencies to hack into thousands of computers all over the world with a single warrant, raising serious Fourth Amendment concerns. The rule change could also give law enforcement the power to hack into victims of botnet attacks, like the one that temporarily darkened dozens of large websites on Friday, October 21, without consent or appropriate protections. This authority could disproportionately impact individuals who use privacy-protective technology that masks their location, such as Virtual Private Networks (VPNs), which most corporations require their employees to use when traveling or outside the corporate network.

As members of the Massachusetts tech community, we are particularly concerned that such hacking operations, without appropriate protections, jeopardize internet security. For example, past government hacking operations appear to have resulted in malware being placed on any computer that visited certain internet sites—including devices owned by people never accused of a crime. Regardless of the intentions of law enforcement, such activities may result in damage to systems that the citizens of Massachusetts rely on for health, utilities, or other economic activities. The sensitivity and potential dangerousness of government hacking operations requires deliberate, careful lawmaking to account for these possible unintended consequences.

Unfortunately, despite the significant potential that it will harm the networks millions of people across the nation rely on every day, the rule change has thus far proceeded with inadequate congressional debate. The underlying issues are as complex as they are important, but the public hasn’t had a chance to weigh in or been given an opportunity to understand their implications for themselves, their communities, or their businesses.

It’s never wise to sidestep the legislative process—but it’s particularly unwise to do so when the consequences are so far-reaching and dangerous. Only through informed public debate and legislative action will we arrive at policy that provides the robust accountability, transparency, and oversight required of government hacking operations.

For these reasons, as technology experts and business leaders, we urge you to do whatever you can to stop the rule change from going into effect, and press for public hearings and transparency regarding the government’s current hacking activities. Furthermore, we respectfully request that our community have an opportunity to work with congress to ensure any future proposals related to hacking warrants do not jeopardize individual privacy, internet security, or the economic health of our vibrant technology sector.

Add your voice: Tell your elected official to work to pass the Stop Mass Hacking Act before December 1!

© 2018 ACLU of Massachusetts.