On December 1, Congress authorized sweeping new government hacking and surveillance authorities by allowing changes to Rule 41 of the Federal Rules of Criminal Procedure to take effect. Republican leaders stonewalled bipartisan efforts in the Senate and the House to stop or delay the change and it went into effect without congressional hearings, without meaningful congressional debate and without the public fully knowing the consequences of this change. That is exceptionally troubling.
Put simply - Congress does not know the extent of what the Rule 41 changes will mean for Americans.
These changes appear to be a nearly blank check for the government to hack into Americans’ personal devices, have access to their information, and possibly damage them in the process.
The Justice Department advocated for this change in order to investigate “botnets”—a network of devices infected with malware and controlled by a criminal. But the Justice Department failed to explain exactly how it will fight these botnets. One likely approach is a “mass hack” where the FBI uses this new authority under Rule 41 to hack thousands or millions of devices as part of a “mass search.”
But little is known about “mass hacks” and “mass searches.” What kind of hacking tools will the Justice Department use? Are they tested to be safe and not damaging to computer systems? Could criminals exploit these same tools? The Justice Department has never fully addressed these questions. Its answer, essentially, is “trust us.”
This shrug of the shoulders and a “trust us” from the Justice Department leaves the American public, independent cybersecurity experts and several members of Congress seriously concerned about the collateral damages a “mass hack” would cause.
In the investigation of a botnet, it is important to understand the tools the FBI will be using because these actions won’t just affect the computers of criminals. By design, botnets often target and infect unsuspecting victims’ devices. This is how a botnet can achieve immense and damaging computing power—by infiltrating millions of people’s internet-connected devices. That’s the smartphones, tablets, laptops, routers, and even baby monitors owned by people like you and me. In fact, security researchers identify that nearly one in every three computers in America is infected by malware.
The government claims that in order to investigate and take down a botnet, the FBI must deploy software onto the affected devices. But Congress and outside cybersecurity experts know little to nothing about this software or other tools the FBI might use. Without independent testing, there’s no way for Congress to verify that these tools won’t have unintended and potentially dangerous consequences. Cybersecurity experts warned the new Rule 41 change means an errant government hack takes down critical computer systems like those of a medical facility or traffic lights.
Congress also had so little information about the implementation of the change that 23 members of Congress, including myself, had to write the Justice Department asking for answers to very basic questions: How will the government prevent collateral damage to Americans’ devices? How will the government notify Americans when the government hacks their device? Will the government use this new authority to search and “clean” the botnet off Americans’ devices? These are all basic questions that should have been addressed in a face-to-face hearing.
The Justice Department replied “trust us” to the first two questions and did not respond at all to the last question. Failing to answer even these basic questions thoroughly is a red flag. For all we know, Americans who have already been hacked once by a botnet will get a pop-up window in the near future, that says “I’m from the government and I’m here to help.”
The kicker to this new policy is that this sweeping change took place, as one observer called it, “under the cover of dullness.”
Using a change to a rule of Federal Criminal Procedure to grant vast new search and seizure authorities is legislative malpractice. Allowing the Justice Department to wave its arms in the air and give itself new authority in way that almost completely circumvented Congress sets a dangerous precedent. The protections of the Fourth Amendment are stretched to invisibility when one warrant issued by one judge can be used to break into millions of Americans’ devices across the country.
Americans should not have to forfeit their Fourth Amendment rights simply because they use smartphones and internet-connected devices. That’s why my colleagues and I pushed hard to stop or delay the change.
Instead, Congress and the government are far behind in acknowledging this reality. One way I’ve proposed updating our protections for the digital age is requiring law enforcement to always get a warrant when it uses location tracking technology, like finding a person using the GPS on their phone. Protections like this, which are laid out in the GPS Act I introduced with Congressman Chaffetz, move privacy and surveillance policy in the right direction by providing Americans with more security and more liberty. Changes like those to Rule 41 move in the wrong direction, providing Americans with less security and less liberty.
While there is no question law enforcement needs tools to fight crime in the digital age, mass hacking with no known protections for Americans’ Fourth Amendment rights and potentially massive collateral damage is not the answer. Americans expect that their privacy extends to their personal devices—more of our lives is kept on our phones than previous generations kept in their houses. By failing to stop or even delay this change, Congress gave Americans’ less security and less liberty, rather than more of both.
