As of December 1, 2016, US law enforcement has gained new hacking powers thanks to changes to Rule 41 of the Federal Rules of Criminal Procedure that now simplify the process of getting warrants to hack into devices of US citizens and the citizens of other countries.
The Rule 41 amendments had been proposed in 2014 by an advisory committee on criminal rules for the Judicial Conference of the United States. In April 2016, the United States Supreme Court, and not Congress, approved the proposed procedural changes.
According to standard US government procedures, the Supreme Court then forwarded the amendment to Rule 41 to US Congress, who had until today to disavow the proposed changes. The technical procedure through which could have been accomplished included passing a law that shot down the proposed amendment.
There were several attempts to prevent the changes to Rule 41. Senators Ron Wyden (Oregon) and Rand Paul (Kentucky) came the closest, in both stopping the law, or at least delaying with three months the due date until it could be shot down, but have eventually failed.
Rule 41 gives the FBI new sweeping hacking powers
According to the “new” Rule 41, the FBI and other US law enforcement now have at their disposal a simplified procedure for requesting warrants that allow them to hack the computers and devices of people they have probable cause of committing a crime.
Previously, law enforcement had to request a warrant from a judge from the same jurisdiction where the possible subject resided. If it needed to hack into devices belonging to a group of individuals, it needed to obtain different warrants, in all states, which was a time-consuming operation.
According to the revised Rule 41, law enforcement can now request one warrant for hacking anyone in the US, even multiple targets, from one single judge.
Furthermore, if the target is using Tor, I2P, VPNs, or other technologies that mask his IP address, the FBI has the legal power (in their eyes) to hack anyone across the globe.
The FBI isn’t strange to such scenarios, and it didn’t wait for the new Rule 41 amendment to pass. In 2015, the FBI obtained one warrant, which it used to hack over 8,000 computers in 120 countries.
FBI can hack anyone part of a “botnet”
Also included in Rule 41 is a clause that allows judges to issue warrants that allow law enforcement to hack or seize devices part of a botnet.
Nowadays we have botnets of IoT smart devices, botnets of infected home WiFi routers, botnets of infected PCs, botnets of infected mobile devices, and so on. Any malware that infects any device and uses an online command and control server is a botnet, even annoying adware families. Almost all malware families today use C&C servers, and indirectly form a botnet.
Technically, the FBI and US law enforcement can hack anything they want on the suspicion a device has been infected with malware.
DoJ says Fourth Amendment rights still valid
In a statement published in June, the US Department of Justice has tried to reassure the US population that protections provided by the Fourth Amendment are still into play and law enforcement must establish probable cause before requesting such warrants.
Nevertheless, judges are still the ones ruling on these warrants. Just this spring, the media blasted a clueless judge that oversaw the copyright battle between Oracle and Google. The judge had a very hard time understanding basic principles such as APIs and programming languages. Throwing around words like botnets and malware at such judge would likely result in approval of any warrant the FBI would be requesting.
While the FBI and other law enforcement agencies try to push the agenda for new laws that fight new “cyber” threats, nobody’s talking about educating members of the judicial system.
It’s happening all over the world
There’s a trend across the world with several countries passing privacy-intrusive and sweeping surveillance laws. Just two weeks back, the UK has approved the most extreme surveillance law ever passed in the history of a Western democracy, as Edward Snowden characterized the new Investigatory Powers Bill (IP Bill), which was passed into law this week.
Similarly, also this month, China passed new a cyber-security law that allows it to restrict Internet access in the country in the case of a “national security” issue.
This week, Russia and China signed a pact that would allow the Kremlin government access to Chinas’ famous Great Firewall technology. Russia is already running its own “blocklist,” but now hopes to gather know-how on running a proper Internet censorship tool from the world’s best, which is with no doubt the Chinese administration.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.
