The changes affect Rule 41 of the Federal Rules of Criminal Procedure which determines how the government investigates criminal complaints.
The changes will allow a judge to grant permission to law enforcement agencies enabling them to hack computers anywhere, provided the location of the target computer has been hidden by technical means. That means that users of TOR, VPNs, and proxies etc could all become vulnerable, regardless of why they are using such tools. But it doesn’t stop there.
“It might also extend to people who deny access to location data for smartphone apps because they don’t feel like sharing their location with ad networks,” the EFF previously warned.
“It could even include individuals who change the country setting in an online service, like folks who change the country settings of their Twitter profile in order to read uncensored Tweets.”
Also of concern is the second part of the proposal which would allow judges to issue a search warrant authorizing the hacking or seizing of computers that might be acting as part of a botnet. That means you, if your computer happens to have been infected with a botnet trojan.
Importantly, Congress didn’t vote through the changes to Rule 41, judicial approval was obtained by the Department of Justice instead. This means that unless Congress passes new legislation to block the changes, time will run out December 1, 2016.
With this deadline looming, a fresh push is underway to try and block what many see as a serious danger to computer users’ security worldwide. To that end a broad coalition of 50 organizations including public interest groups, privacy tool providers, and Internet companies have written to Congress opposing the changes.
In their letter, Google, EFF, Demand Progress, FightForTheFuture, TOR, VPN providers Private Internet Access, Golden Frog and Hide My Ass, plus many others, urge Congress to “consider and debate” the implications of the new rule.
“The changes to Rule 41 give federal magistrate judges across the United States new authority to issue warrants for hacking and surveillance in cases where a computer’s location is unknown,” the letter reads.
“This would invite law enforcement to seek warrants authorizing them to hack thousands of computers at once — which it is hard to imagine would not be in direct violation of the Fourth Amendment.”
Noting that the changes would allow for the hacking of innocent computer users, the coalition describes the proposal as dangerously broad.
“It fails to provide appropriate guidelines for safeguarding privacy and security, and it circumvents the legislative process that would provide Congress and the public the critically necessary opportunity to evaluate these issues,” they continue.
But perhaps most importantly, the proposed changes will undermine the security of those who need it most – those who have taken legitimate steps to protect their privacy with anonymizing tools such as VPNs and TOR.
“There are countless reasons people may want to use technology to shield their privacy. From journalists communicating with sources to victims of domestic violence seeking information on legal services, people worldwide depend on privacy tools for privacy, personal safety, and data security,” the letter reads.
“Many businesses even require their employees to use virtual private networks for security, especially during travel. Such tools should be actively promoted as a way to safeguard privacy, not discouraged.”
Finally, the groups encourage Congress to take action.
“The Stopping Mass Hacking Act offers a simple solution: it rejects the changes to Rule 41. Passing this bill by December 1 will ensure that Congress has time to fully consider the issue of government hacking before this practice becomes widespread. We urge you to support this bill and to reject the changes to Rule 41,” their letter concludes.
A petition to stop the changes to Rule 41 can be found here.