One week before the government gains vast new hacking powers, a Democratic group of lawmakers are criticizing the Justice Department’s “failure to substantively answer” questions about how the new authority will impact Americans’ online privacy and security.
“The American people deserve answers to these very basic questions about how our government intends to hack thousands or millions of personal devices with a single warrant,” Sen. Ron Wyden, D-Ore., said.
Earlier this week, the Justice Department published a blog celebrating the “good news” that updates to Rule 41 of the Federal Rules of Criminal Procedure would give law enforcement expanded authority to hack computers in large numbers and across borders with a single search warrant. Assistant Attorney General Leslie R. Caldwell has held up botnets and child pornographers as prime reasons for expanding the government’s hacking authority. The rules take effect Dec. 1.
A bipartisan group of 23 lawmakers sent a letter to the Justice Department last month asking seven clarifying questions about the new authority. Wyden and Sen. Chris Coons, D-Del., say the following questions remain unanswered:
- How to prevent “forum shopping” by federal prosecutors when seeking a single warrant to hack thousands or millions of devices.
- Whether and how the government plans to “clean” devices belonging to innocent Americans, including under what legal authority.
- How the government would prevent further damaging a compromised device already hacked by both a criminal and the government.
- Whether having your device “damaged,” and connected to a crime, is probable cause to search it.
“Forum shopping” is when prosecutors pick and choose where to have a criminal case heard based on which court they think is best for their chances of victory rather than which court makes the most legal sense.
“That is why I continue to believe Congress should have a substantive debate surrounding any changes before they go into effect on December 1, 2016,” Coons said Tuesday in a written statement. “Congress should pass my Review the Rule Act (S.3475) and ensure we have adequate time to do our job and consider and debate these changes.”
“The Justice Department’s failure to answer these questions should be a big blinking warning sign about whether the government can be trusted to carry out these hacks without harming the security and privacy of innocent Americans’ phones, computers and other devices,” Wyden argued.
Civil liberties groups and notable technologists have also pushed for a more public debate over the rule changes to take place in Congress.
“If the DOJ believes that hacking should be permitted, they should ask Congress to pass legislation clarifying when hacking can be used, the protections in place to protect innocent third parties, and the recourse in cases where government hacking damages networks or devices,” ACLU Legislative Counsel Neema Singh Guliani told CyberScoop earlier this week.
In a letter to lawmakers written last week, Assistant Attorney General Peter Kadzik argued back that the debate over the rule changes took three years and “included extensive written comments and public testimony” before being unanimously approved and adopted.
The new rule changes wouldn’t authorize any hacking not already permitted under current law, Kadzik wrote. Instead, it would apply in two circumstances only: When suspected criminals use anonymity tools like Tor to hide the location of their computer and when criminals create botnets in five or more jurisdictions.
Kadzik’s letter asserts that forum shopping is “often” not possible under the amended rules, that the DOJ will carefully consider possible risk of harm to computers when engaged in mass hacking, and will safeguard any information collected from botnet victims who have been hacked by criminals as well as the DOJ itself.
For Wyden and Coons, the answers were not enough.
Wyden is currently pushing the Stopping Mass Hacking (SMH) Act, which would block the new Rule 41 amendments from taking effect on Dec. 1.