SAN FRANCISCO — It’s been a bad week for privacy and surveillance advocates in the US and UK. On Thursday, Rule 41 will go into effect in the US, giving the government vast and unprecedented powers to hack into the phones, computers, and other devices of Americans. Less than 24 hours ago, the UK government voted to legalize mass surveillance programs in the country.
Rule 41, officially known as the Federal Rule of Criminal Procedure 41, goes into effect on Dec. 1 unless a last-ditch effort by Senators Wyden, Coons, and Daines on Wednesday succeeds in delaying the bill by three months. The senators, who were part of earlier efforts to delay the bill, have warned that the proposed changes to Rule 41 by the Supreme Court would broaden the government’s ability to hack into personal devices such as computers or smartphones.
“This rule change would give the government unprecedented authority to hack into Americans’ personal devices. This was an alarming proposition before the election,” Senator Ron Wyden said in an emailed statement to BuzzFeed News. “Today, Congress needs to think long and hard about whether to hand this power to [FBI Director] James Comey and the administration of someone who openly said he wants the power to hack his political opponents the same way Russia does.”
Under Rule 41 as it currently stands, warrants into computers and smartphones are approved by judges within the same jurisdictions as warrants for physical searches, with law enforcement officials specifying a computer in a specific location that they will hack into. But under the proposed changes to Rule 41, one warrant can be used on multiple computers, which privacy advocates say could affect tens of thousands of computers that are quietly infected, for instance, with botnets. Warrants can be issued to hack into computers in undisclosed locations or hidden by “technological means,” such as Tor browsers that mask a user’s identity. Lastly, there is a subtle shift in language from the current law, which states that the government must notify individuals who are involved in search and seizure. The new wording says the government must “make a reasonable effort.” Privacy advocates say this leaves the door open for the government to start hacking into people’s personal devices without their knowledge.
PayPal, Google, and the American Civil Liberties Union have joined privacy advocacy groups in speaking out against Rule 41, saying in an open letter to lawmakers that it would “give federal magistrate judges across the United States new authority to issue warrants for hacking and surveillance in cases where a computer’s location is unknown.” In the week since Donald Trump won the presidency, privacy advocates have pushed harder on Congress to reconsider Rule 41, arguing that it opens the door to mass surveillance and hacking of American’s personal devices.
On Monday, the Department of Justice answered questions posed by senators about its support of Rule 41 changes. The letter argued that the changes were “an update” of existing laws, but did not address concerns by the senators that these changes would allow police departments to essentially shop around for compliant judges to issue warrants for hacking devices — the new Rule 41 allows any judge, in any state, to issue a warrant for hacking a computer anywhere in the world.
Meanwhile, the UK on Tuesday passed the Investigatory Powers Act, a controversial new law that formally legalizes a number of mass surveillance programs, and which forces internet service providers to store browsing data on all customers for 12 months.
The British civil liberties group Liberty told The Independent that the new law was a “beacon for despots everywhere.”
“It’s a sad day for our democracy as this bill — with its eye-wateringly intrusive powers and flimsy safeguards — becomes law,” said Bella Sankey, the group’s policy director. “This new law is world-leading — but only as a beacon for despots everywhere. The campaign for a surveillance law fit for the digital age continues, and must now move to the courts.”
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Got a confidential tip? Submit it here.