Today's changes allow judges to issue warrants for federal agencies to remotely access, search, seize and copy digital information that's been concealed via anonymizing software like Tor or a VPN. The changes also allow judges to grant warrants for the search, seizure and copying of information on any connected device that's attacked in a hacking campaign. Officially, the amendments read as follows:
"A magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts."
Two recent hacking instances offer insight into how these new rules might play out in the real world.
First up, the FBI's global Dark Web pedophilia sting, Operation Pacifier: In 2015, the FBI took over a child pornography website on the Dark Web and, over the course of two weeks, deployed malware to users in order to bypass the anonymizing software and catch 1,500 pedophiles. FBI agents did this on the order of a single warrant issued by a magistrate judge. In the ensuing court battles, some defense lawyers successfully argued that the entire sting relied on an invalid warrant.
At the same time, a senior US District Court judge ruled the FBI did not need a warrant at all to infiltrate a stateside computer, saying, "Generally, one has no reasonable expectation of privacy in an IP address when using the internet."
The new Rule 41 addresses this issue head-on. Now, a magistrate judge does indeed have the authority to issue a warrant allowing federal agents to search and seize any number of computers within or outside of that judge's district.
Secondly, there's the Mirai botnet attack that shut down internet service across the country in late October. Hackers took advantage of weak security protocols in connected home devices like security cameras, DVRs and routers to hit a large domain name server with a distributed denial of service attack that took out Twitter, Spotify, Reddit, The New York Times and other major websites.
In this case, the new rules would let a judge issue a warrant allowing federal agents to search, seize and copy all of the information on these hacked IoT devices. Yes, the victims of the hack are open to digital search and seizure.
This potential scenario worries privacy advocates like the Electronic Frontier Foundation. The organization wrote in a blog post, "Government access to the computers of botnet victims also raises serious privacy concerns, as a wide range of sensitive, unrelated personal data could well be accessed during the investigation. This is a dangerous expansion of powers, and not something to be granted without any public debate on the topic."
Additionally, the first part of the amendment, which targets people using anonymizing software to obscure their location or identity, is vague enough to apply to a broad range of common services, the EFF argues.
"For example, people who use Tor, folks running a Tor node, or people using a VPN would certainly be implicated," the EFF says. "It might also extend to people who deny access to location data for smartphone apps because they don't feel like sharing their location with ad networks. It could even include individuals who change the country setting in an online service, like folks who change the country settings of their Twitter profile in order to read uncensored tweets."
On the other hand, the benefits for law enforcement are clear: The FBI and other agencies need a way to track and prosecute crimes that take place on the Dark Web or by people using privacy software to hide their identities. Rule 41 now enables the Justice Department to operate in an online world.
"From a law enforcement agent's perspective, yes, we need these kinds of rules, obviously," says Gail-Joon Ahn, director of Arizona State University's Center for Cybersecurity and Digital Forensics. "But from the victim's perspective -- the actual victim as well as the witness -- when they present their evidence, their mobile phone or computer, to law enforcement agencies, they have a concern. They are willing to share some evidence related to particular crimes but they may not want to share all the information [on their devices]."
The new Rule 41 could deter hacking victims or people with information about illegal online activity from even coming forward, over concerns that their personal information would become part of the investigation, Ahn says. However, the FBI and other federal agencies need to be able to track and prosecute cyber criminals, and the new rules will be immensely helpful in that regard. Agents face strict rules when it comes to preparing a case for court, and current regulations don't address many new forms of online communication, giving cyber criminals ample opportunity to escape justice.
Ahn lays out the four rules of evidence in computer forensics as follows:
- Admissibility: The evidence must be legally collected.
- Accuracy: The information collected should point directly to a particular identity or particular groups acting illegally.
- Timeline: All of the information needs to connect, presenting the comprehensive story behind the case. If there are gaps in the timeline, that evidence can't be used in court.
- Compliance: The tools used to collect the evidence must be explained and these systems can't alter the evidence they're collecting.
Today's Rule 41 amendments are most closely related to steps 1 and 3, admissibility and timeline. FBI agents are now able to legally collect stores of digital information in order to present a complete picture to the court.
"From their perspective, they need more evidence to resolve their cases," Ahn explains. "Obviously they need some power to access all the evidence in your systems, so that's why they need these kinds of rules."
The changes to Rule 41 are not inherently benign or evil. They're an attempt to make the Department of Justice effective in the digital age, and the ethics behind these changes will only become clear as agencies actually use the updated ruleset. It'll be a case-by-case scenario.
Rule 41 isn't the end of the conversation about cyber security and privacy. As technology continues to advance, the federal government will attempt to keep up with criminals and citizens alike, using new, potentially double-edged, weapons along the way.