Tuesday marks the final day for public comment on a subtle Justice Department rule change that, if approved, would give law enforcement the ability to hack into millions of computers belonging to users not accused of any wrongdoing.
The DOJ has proposed that rules of criminal procedure should give judges more latitude in issuing computer search warrants. Under the offered amendment, law enforcement would be able to obtain a warrant to pry into any computer that is using “technological means” to conceal its location.
The change appears to target American computer users who prefer to keep their online activities and location hidden from third parties through anonymity-granting programs like Tor or secure Virtual Private Networks (VPN), which are used by numerous business and federal institutions to give employees remote access to work files.
In a Facebook post written Tuesday, Ladar Levison, the founder of now the shuttered encrypted email service Lavabit, warned the rule change would mean, “using a VPN or TOR [is] sufficient evidence of wrongdoing to justify a search warrant.” He added,
“Under the new rules, this search warrant would allow, amongst other things, the FBI to remotely push spyware onto your computer,” he added.
In 2013, Levison closed Lavabit down after the US government demanded the company compromise the privacy of all of its users by handing over the service’s encryption keys.
According to Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology (CDT), which submitted testimony before the Advisory Committee in charge of approving the rule, the proposed change “could even go so far as to implicate people who misreport the town in which they live on social networks like Facebook or Twitter.”
“The simple fact is that there are many, many ways to intentionally or unintentionally ‘conceal through technological means’ a device’s location, and most of those techniques are regularly used for completely legitimate online behavior that has nothing to do with crime,” Hall added.
The rule change also aims to give authorities more access to computers that have been “damaged,” which could broadly be defined as containing any sort of malware. While the DOJ’s intent may be to target “botnet” malware, which is often used to string computers together to launch “distributed denial of service” (DDoS) attacks that can shut down websites or networks, innocent computer users could be left more vulnerable to government surveillance.
As Amie Stepanovich, a senior counsel at digital rights group Access, said in testimony against the rule, “Botnet malware may sit stagnant on an infected computer for months or years without causing any additional harm to the computer itself or any other system, and without coming to the attention of the computer’s owner or operator.”
“Victims of botnets include journalists, dissidents, whistleblowers, members of the military, lawmakers and world leaders, or protected classes,” she added. “Each of these users, and any other user subject to search or seizure under the proposed amendment, has inherent rights and protections under the U.S. Constitution, the International Covenant on Civil and Political Rights, and/or other well-accepted international law.”
Access, CDT, as well as other advocacy groups commenting against the rule argued that the appropriate venue for such substantive changes to criminal procedure rules should be the legislative branch.
“The proposed rule changes should be enacted through Congress where a full airing of the concerns can be had and enshrined in clear, unambiguous enabling legislation,” said CDT’s Hall.
