U.S. Senators Ron Wyden and Rand Paul introduce bipartisan bill to block expansion of FBI hacking authority

U.S. Senators Ron Wyden, D-Ore., and Rand Paul, R-Ky., yesterday introduced the Stopping Mass Hacking (SMH) Act to protect millions of law-abiding Americans from government hacking. The Stopping Mass Hacking (SMH) Act prevents recently approved changes to Rule 41 from going into effect. The changes would allow the government to get a single warrant to hack an unlimited number of Americans’ computers if their computers had been affected by criminals, possibly without notifying the victims.

Sens. Tammy Baldwin, D-Wis., Steve Daines, R-Mont., and Jon Tester, D-Mont., are original co-sponsors of the Senate bill.

“This is a dramatic expansion of the government’s hacking and surveillance authority. Such a substantive change with an enormous impact on Americans’ constitutional rights should be debated by Congress, not maneuvered through an obscure bureaucratic process,” said Sen. Wyden in a statement. “Unless Congress acts before December 1, Americans’ security and privacy will be thrown out the window and hacking victims will find themselves hacked again – this time by their own government.”

“The Fourth Amendment wisely rejected general warrants and requires individualized suspicion before the government can forcibly search private information. I fear this rule change will make it easier for the government to search innocent Americans’ computers and undermine the requirement for individual suspicion,” said Sen. Paul in a statement.

“Congress must act to prevent this threat to the privacy of law abiding Americans and ensure a rule change of this magnitude has the proper oversight.” said Sen. Baldwin in a statement. “I am proud to join this bipartisan effort. We need to stand up to this government intrusion and protect American civil liberties and freedoms.”

“Our law enforcement policies need to be updated to reflect 21st century realities with a process that is transparent, effective and protects our civil liberties,” said Sen. Daines in a statement.

“This bill reins in the government’s ability to search and seize our personal electronic information. Our right to privacy doesn’t end when we turn on a computer, send an email, or search the Internet,” said Sen. Tester in a statement. “We must ensure that law enforcement agencies have the tools they need to keep us safe while also protecting our civil liberties, and this bill is a first step in that direction.”

A House companion bill is expected to be introduced soon.

At the request of the Department of Justice (DOJ) the U.S. Federal Courts recommended an administrative change to Rule 41 of the Federal Rules of Criminal Procedure which were approved by the Supreme Court last month.

The amendments to Rule 41 would make it easier for DOJ to obtain warrants for remote electronic searches. The amendments would allow a single judge to issue a single warrant authorizing government hacking of an untold number of devices located anywhere in the world. The amendments would take effect on December 1, 2016 absent Congressional action.

MacDailyNews Note: The Computer & Communications Industry Association and The Internet Association both back this bill:

CCIA Applauds Senate Bill To Stop Surveillance Expansion

Today Senators Ron Wyden and Rand Paul introduced the Stopping Mass Hacking Act (S. 2952), a bill that would block a controversial expansion of the government’s hacking authority from taking effect. Congress currently has until December 1st to reject the Department of Justice’s proposed changes to Rule 41 of the Federal Rules of Criminal Procedure. The changes would allow magistrates to issue warrants for the government to remotely search computers outside the magistrate’s own district—including unknown locations, and to remotely access multiple computers in multiple locations that may have been the victims of hacking.

The proposed rule change has gone largely unnoticed by the public via a behind-the-scenes process usually reserved for procedural updates. The Computer & Communications Industry Association has voiced its concern about the government’s requested change for the past two years and we invite other technology advocates to join us in supporting this important legislation. The following can be attributed to CCIA President & CEO Ed Black:

“We welcome Senators Wyden and Paul’s efforts to prevent this highly controversial rule change from taking effect. They recognize that the far-reaching implications of the government’s proposed changes merit the full attention of their colleagues in Congress. There are Constitutional, international, and technological questions that ought to be addressed transparently before such a broad rule change.

“The government’s proposal is a substantive expansion of its ability to conduct electronic searches, and it deserves a public debate in Congress. These remote searches could involve foreign computers and may require so-called ‘network investigative techniques,’ which essentially amount to government hacking. While the government argues the updates are merely procedural, the use and consequences of these techniques have never received appropriate public and Congressional review.”

Statement In Support Of The Stopping Mass Hacking Act

Internet Association President and CEO Michael Beckerman issued the following statement in support of the Stopping Mass Hacking Act (S. 2952), which rejects changes to the Federal Rules of Criminal Procedure. If allowed, the misguided rules would enable magistrate judges to extend the scope of their warrants to computers outside of their jurisdiction:

“The Internet industry applauds Senators Ron Wyden, Rand Paul, Tammy Baldwin, Steve Daines, and Jon Tester for their efforts to roll back proposed rules that expand the government’s authority to hack into and remotely surveil computers in any jurisdiction. Rule 41 currently permits federal judges to grant search warrants only for evidence within their district. The proposed changes could give magistrates the authority to grant remote electronic searches of computers for evidence of any sort of crime in any district. The implications of this proposed change are far reaching, present an opportunity for Congressional oversight, and should only be addressed as part of a broader national discussion about privacy and security.”

8 Comments

  1. Wyden is about the only democrat I can vote for and fortunately he is my senator. Him and Rand Paul deserve two big thumbs up for this effort.

  2. Rule 41 sounds ripe for removal as unconstitutional.

    The Fourth Amendment To The US Constitution

    “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

    I see nothing in the Fourth Amendment about mass warrants without being accompanied by PROBABLE CAUSE, supported by Oath or affirmation.

    What is the problem with #MyStupidGovernment? We know full well they already abuse US citizens with unwarranted surveillance as well as bogus rubber stamp FISC warrants. JUST DO IT RIGHT PLEASE.

    1. Derek,

      There are obvious concerns raised by the amendments to Rule 41, but they do address at least two very real issues. Those who would block the rule need to suggest a better way to solve the problems:

      1. Currently, a prosecutor who is informed that a computer has been used in connection with a crime can get a warrant to search it if he has (as you say) a sworn affidavit setting out specific facts that describe the search target and can show a neutral magistrate probable cause that the computer is an instrumentality of crime.

      However, that is not enough under the current Rule 41, which goes beyond the Constitutional minimum. It additionally requires a showing that the target has a current physical presence within the same federal judicial district as the issuing magistrate. Given the realities of the internet and mobile computing (even desktop computers can be moved), proving the current physical location is rarely possible without evidence that can only be obtained after the search that the Rule makes impossible. Catch 22, meet Rule 41.

      Since the cybercriminal’s computer cannot be searched, he cannot be arrested and he can go on victimizing people forever. The amendments would allow a magistrate in the district where a crime occurred to issue a warrant for a computer subject to lawful search that is in a location that cannot otherwise be determined.

      2. A botnet may involve thousands of computers, each of which is being used to help commit crimes without the knowledge of its owner. Under the current Rule 41, there is no way to locate all those computers so the owner can be notified and remove the malware to stop the ongoing criminal enterprise. They may be located in any or all of the 94 federal judicial districts, though exactly where may be impossible to determine until AFTER an investigation that may constitute a Fourth Amendment search. Again, Catch 22; if there is no known location for each computer, there can be no Rule 41 warrant to find them. Yes, the computer victims are crime victims, but that does not mean that their computers are not instruments for someone else’s crimes. If the owners remain uninformed, the crimes (some of which harm only private parties and others which might imperil public safety) will go on indefinitely.

      I doubt that the U.S. Supreme Court, which adopted the amended Rule 41 after a series of very public hearings and a lengthy comment period (hardly an obscure bureaucratic process), is wedded to this particular solution to those problems. However, those who want to suspend the amendment at this late date should be expected to propose a reasonable alternative.

      1. Derek and TxUser: thank you for your comments.

        I appreciate each of your rational and thoughtful comments. I was convinced Derek was on the right track until I read TxUser’s reply. I believe, in the end, that a fully informed populace will make better decisions. This is in contrast to our political parties election process. The sleaze-ball politics, dogmatic rhetoric and country dividing “us or them” mentality is killing our country. We need to get back to “United We Stand” the motto of this still great country before we are no more.

      2. 1. The mobile computer is a great point! The warrant should be able to follow the computing device. That may be a question of what judge addresses the desired warrant, federal judge versus state. But that’s outside of my knowledge.

        2. Botnets: Another remarkable point!

        From what you’ve provided in your comments, I agree that these issues require a definitive solution for the future.

        We’re in an era where the US government was caught breaking the law, ignoring the Constitution and breaking foreign treaties all for the sake of what we’re left to believe is a maniacal need to surveil everything available. We’ve all seen photos of the massive surveillance hub built by the NSA and heard about the several FBI man-in-the-middle hubs on the Internet. Therefore, we’re set up to be justifiably paranoid. Then add in the fact that our government has lied about the known facts, have no intention of apology, consider Snowden a traitor as opposed to whistleblower. Then we have the disingenuous Mr. Comey of the FBI wrecking the reputation of his own law enforcement organization with his anti-encryption bullshit.

        Meanwhile, we have blatant corporatocracy with money buying politicians, lobbyists writing laws, a movement to override governmental and citizen concerns by the corporate ‘right’ to make profits via the TPP, TTIP and TSA treaties. Headache inducing complexity and deceit.

        The result is a difficulty establishing a new balance between law enforcement and business versus citizen’s rights. And that’s leaving out the concern of humanity versus the natural world of our miracle planet Earth, our only home. Overwhelming.

      3. One other thing I meant to mention: The amendments to Rule 41 make it clear, if the FBI was in any doubt, that hacking a remote computer is a search, and that such searches must comply with the Fourth Amendment, statutes, and judicial rules just like any other search.

        1. The FBI has played a part in bringing down conspirators using pernicious botnets harnessed to abet securities fraud, even without accessing the infected computers directly. The problem is, those botnets remain largely intact and available for hire from the next clever American who has no qualms doing business with Russian and Chinese hacker groups. It appears to me that the language in the amendments gives law enforcement more reach, to break up the botnets directly. Please correct me if I have the details wrong.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.