An update to the Federal Rules of Criminal Procedure, specifically Rule 41, which could automatically take effect in December, is once again bringing up concerns of privacy and security in the digital world.

“The changes in Rule 41 leave Americans […] more exposed to threats, and, of course, put at risk their liberty,” said Sen. Ron Wyden, D-Ore., in his opening address at a discussion hosted by New America Thursday among lawmakers, lawyers, and rights activists. “Our lives are lived online; most of our most private information is stored on the cloud.”

The proposed changes authorize two new avenues for law enforcement in the digital sphere: the ability to obtain warrants to search computers in an unknown location, and the ability to search any device that a hacker has potentially broken into, specifically in the instance of botnet infections.

“In the traditional physical world, the government can’t search something if they don’t know where it is,” explained Orin Kerr, a research professor at George Washington University Law School and a member of the Advisory Committee for the Federal Rules of Criminal Procedure, who authored the revision.

In a panel at the event, Kerr described the lack of avenues for law enforcement when they are seeking to search a computer that is hiding its location, which the changes to Rule 41 seek to fix. “Instead, the answer for which district you go to is the district where activities related to the crime may have occurred.”

Amie Stepanovich, U.S. policy manager and global policy counsel at Access Now, argued that Kerr was “putting the horse before the cart” in his assessment of the rule change, saying that how to get into these computers was not as important as whether the government should.

“The very important debate that we haven’t had yet is the ‘if,’ ” she said at the panel.

The second change to the rule was equally contentious, as opponents claimed that it would allow the government to hack into computers of people that had done fundamentally nothing wrong.

“No law should authorize the government to punish the victims of hacking,” Wyden said.

Though the law requires law enforcement to make “reasonable efforts” to notify those they hack of what they are doing,  many of the panelists questioned how that would work and what constituted a “reasonable effort.”

As an example of the expanded powers provided by the law, Washington, D.C., lawyer Kobie Flowers held up a warrant that his firm had litigated.

“The warrant allows me to get into […] the Facebook account of my client. All data,” he said. He explained that the unrestricted nature of the warrant would have enabled law enforcement to go into the Facebook accounts of friends and all those connected with the original search. “These agents were allowed to get into, arguably, anyone’s Facebook account.”

Panelists also worried that the method the government used to hack into these various computers or accounts could leave citizens exposed to malicious hackers.

“When you hack a system, you don’t actually know what’s going to happen,” said Steven M. Bellovin, a professor of Computer Science at Columbia University and technology scholar on the Privacy and Civil Liberties Oversight Board.

Both Wyden and some of the panelists also had issues with the implementation of the rule change itself, as it came from an advisory committee, and not elected officials. And without Congress voting to strike down the change, it automatically goes into effect in December.

“Talk about the deck being stacked here,” Wyden said. “If nothing happens, this goes into effect.”

He characterized the contents of the alteration as an attempt to “change the 4th Amendment without elected officials, who can be held accountable, weighing in.”

Stephanie Martz, a principal at Monument Policy Group and director of Reform Government Surveillance, agreed with Wyden, saying, “we think that this is a perfect thing for Congress to deal with.”

Wyden explained that the only way to remove the changes was to vote on a bill against it in Congress.

“We are going to need your help to get it passed,” he told the audience.

Read More About
About
Jessie Bur
Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.
Tags