All that came to a head this week when months of opposition and requests for inquiry and review came to nothing. In Congress, a bipartisan bill called the Review the Rule Act was introduced, but that failed in Washington on Wednesday afternoon.
In a last-ditch effort, civil-society organizations, trade associations and companies sent a letter to lawmakers dated Nov. 21 pleading to delay the implementation of Rule 41's changes and subject them to further review. "The consequences of this rule change are far from clear, and could be deleterious to security as well as to Fourth Amendment privacy rights," they wrote.
The letter explained the changes "could be abused to obtain a single warrant to search millions of targets" and "would allow a judge to issue a warrant that would permit law enforcement to search the computers of hundreds of entirely innocent crime victims without their consent." It's kind of like searching all the houses on your block, without clearing with the owners first, just to find one bad guy.
Also concerned were 22 senators and congresspeople, who wrote the attorney general at the Department of Justice in October with a lot of specific questions about implementation.
The DoJ responded to the lawmakers in kind, with a letter. It didn't answer their questions. Instead, the DoJ reminded them that the use of remote searches isn't new and that warrants for these searches are already issued under Rule 41, including ones for multiple computers. Warrant applicants will still have to get the proper probable-cause ducks in a row for the judge, they assured.
But, of course, it remains to be seen whether or not the judges will actually understand what it is they're rubber-stamping approval for. The letter was also pretty light on explaining the part where if someone gets hacked, the FBI gets to poke around in their computers or devices without the user's consent -- or knowledge -- until after the fact.
By examining the DoJ's response, it's easy to tell that this whole messy mix of desires and half-cocked protectionism is slightly personal for the authorities. The main thrust of Rule 41's changes is about dealing with their ongoing irritation with the online anonymity tool Tor. The main changes to search warrants and jurisdiction, Justice said, specifically apply to when a suspect is using anonymizing software. It named Tor specifically.
In that letter, the DoJ included a long digression about Tor and the FBI's investigation into a vile darknet child-sexual-exploitation website called Playpen. The FBI had taken control of the site and exploited vulnerabilities in Tor to unmask visitors, some of whom are currently being prosecuted. It said that despite successes with the Playpen investigation, "Federal courts have ordered the suppression of evidence in some of the prosecutions because of the lack of clear venue in the current version of Rule 41."
Pedos can die in a million fires; unquestionably, this is the kind of fighting we want to see the FBI doing, as long as it's being done properly. Consider the FBI's willingness to take over darknet sites and own site visitors, and it shines a fresh light on how things are about to change in the world of underground sites.
With the legal framework to make anything it finds stick, it's safe to say that the golden age of buying illegal stuff on the darknet is over. It also feels increasingly like the use of anonymity tools automatically makes you a suspect, which is already true in repressive regimes around the world that target Tor users.
Your computer is now a "crime scene"
Where Rule 41's changes get weirder is when it comes to botnet victims. The DoJ made a case in its letter that the warrant changes are needed for investigation when the victims of computer crime (botnet and ransomware) reside in different jurisdictions. In a blog post, U.S. Assistant Attorney General Leslie Caldwell likened the computers of botnet victims to a crime scene -- that authorities need access to.
Unlike a regular warrant for search, in which the homeowner is notified by authorities before they enter and search the premises, targets under Rule 41 are notified only after they've been hacked and searched.
Imagine the FBI breaks into and enters your house in order to find out who you are, to tell you that your house was burgled. And after, it's like oh, here's the paperwork that gave us permission to burgle you in the first place.
On one hand, I get what it's trying to do here, sort of. It's attempting to deal with things like the Mirai botnet, which shut down half the internet (and is still a growing threat). To do that, current thinking is to intervene and stop the attacks on the victims' devices. Which means accessing the computers and DVRs of people who don't know they're infected with a botnet.
Except trying to fight botnets by expanding FBI hack and search powers is a quick-and-dirty, but highly problematic, way to solve this problem. Not to mention how horribly it could be abused. If there's anything we learned from the Silk Road bust, it's that if there's a chance for abuse, there exists someone within the authorities who considers it a chance worth taking.
Combine the anonymity-tool-unmasking intentions and the interest in accessing botnet victims' devices, and now there's a whole lot of people who are gonna get legally hacked by their own government. Thinking about what this means under a Trump presidency gives it all a much darker cast.
Our president-elect is unapologetically vindictive, openly advocates hacking his opponents, and has called for expanding the NSA's domestic spying programs -- abuse seems all but unavoidable. International cyberwar incidents also appear highly likely, because no one's said jack about what happens when one of the computers the FBI hacks, surveils and gathers evidence from is across a border.
I suppose we'll find out.