The Supreme Court on Thursday approved changes that would make it easier for the FBI to hack into computers, including those belonging to victims of cybercrime. The changes will take effect in December, unless Congress adopts competing legislation.
Previously, under the federal rules on criminal procedures, a magistrate judge couldn’t approve a warrant request to search a computer remotely if the investigator didn’t know where the computer was—because it might be outside his or her jurisdiction.
The rule change, sent in a letter to Congress on Thursday, would allow a magistrate judge to issue a warrant to search or seize an electronic device regardless of where it is, if the target of the investigation is using anonymity software like Tor to cloak their location. Over a million people use Tor to browse popular websites like Facebook every month for perfectly legitimate reasons, in addition to criminals who use it to hide their locations.
The changes are already raising concerns among privacy advocates who have been closely following the issue.
“Whatever euphemism the FBI uses to describe it—whether they call it a ‘remote access search’ or a ‘network investigative technique’—what we’re talking about is government hacking, and this obscure rule change would authorize a whole lot more of it,” Kevin Bankston, director of the Open Technology Institute, said in a press release.
Ahmed Ghappour, a visiting professor at University of California Hastings Law School, has described it as “possibly the broadest expansion of extraterritorial surveillance power since the FBI’s inception.”
The Supreme Court ruling also expands the warrants to allow the FBI to hack into computers that have already been hacked, such as those infected by a botnet—a type of malware that gives criminal hackers the power to take over many innocent “zombie” computers to distribute spam or spread viruses.
This part of the ruling would allow the FBI to search the victim’s property.
“On account of their distributed nature, investigations of unlawful botnets undoubtedly pose a significant barrier to law enforcement,” Amie Stepanovich, senior policy counsel for digital rights group Access Now, said in testimony before the judicial panel that considered the rule change before it got to the Supreme Court.
However, “the proposed amendment unilaterally expands [FBI] investigations to further encompass the devices of the victims themselves, those who have already suffered injury and are most at risk by the further utilization of the botnet.”
It’s now up to Congress to modify or reject the proposed changes. Otherwise, the policies go into effect on December 1.
“These amendments will have significant consequences for Americans’ privacy and the scope of the government’s powers to conduct remote surveillance and searches of electronic devices,” Senator Ron Wyden, D-Ore., wrote in a press release on Thursday. “I plan to introduce legislation to reverse these amendments shortly, and to request details on the opaque process for the authorization and use of hacking techniques by the government.”