DOJ Proposal on Law Enforcement Hacking Would Undermine Longstanding Check on Government Power
At the urging of the Department of Justice, the U.S. Courts鈥 Committee on Rules of Practice and Procedure is considering whether to bless procedures that would allow law enforcement to hack into computers, including by the use of controversial 鈥渮ero-day exploits.鈥 As reported this morning, the proposed rule change raises privacy concerns. It has the potential to threaten internet security and to facilitate violations of the Fourth Amendment.
Currently, the federal rule governing search warrants () permits magistrate judges to authorize searches only within their judicial district. This territorial limit has historically been an important check on government power, but the proposed change would open up a loophole for certain digital information. It would allow law enforcement to 鈥渦se remote access鈥 to search computers when 鈥渢he district where the media or information is located has been concealed through technological means.鈥 (The proposed language is on page 499 of posted online today).
In plain English, this proposal would permit the government to seek warrants allowing it to hack into computers over the internet using malware, including so-called 鈥渮ero-day鈥 software exploits鈥攕pecial programs that exploit vulnerabilities in software that are unknown to the software manufacturer, and thus, for which no software fix exists. The use of zero-days by law enforcement poses significant risks, because by exploiting these vulnerabilities rather than notifying the companies responsible for the software, the government leaves the rest of the internet vulnerable to malicious attacks.
The recent discovery of the 鈥溾 internet security flaw has spawned a robust debate about the wisdom of the government exploiting vulnerabilities for offensive purposes rather than responsibly disclosing them to software makers to design fixes. Indeed, we now know that it鈥檚 not just the National Security Agency that secretly takes advantage of zero-day vulnerabilities鈥攊t鈥檚 the too. As part of our efforts to understand the government鈥檚 policies and practices around exploiting zero-days, the 老澳门开奖结果 recently submitted a Freedom of Information Act request seeking a range of records about the stockpiling and use of zero-days by law enforcement and intelligence agencies.
DOJ鈥檚 posting of the proposed rule change today is not the end of the story; the proposal will soon be open for public comment, and attorneys, internet security experts, and other members of the public will have an opportunity to weigh in. It is crucial that the public engages the judiciary in a vigorous debate about the appropriate limits on law enforcement鈥檚 electronic search powers. Indeed, that debate has already begun, and the judiciary鈥檚 rules committee is listening.
DOJ originally proposed an even broader rule change last year, which would have allowed remote hacking of computers, as well as remote access to cloud-based services (like Gmail or Dropbox) during a search of a physical computer. That broad power would have conflicted with important Fourth Amendment protections and with rules established by Congress in the Electronic Communications Privacy Act. In response to concerns raised by the 老澳门开奖结果 in a detailed memo submitted last month, as well as input by others, a judicial advisory committee scaled back that proposal, ensuring that if the government wants to search the contents of our cloud storage accounts, it must continue to serve warrants on the cloud storage providers (like Google and Dropbox) so that those companies can safeguard their customers鈥 privacy rights.
The judiciary has against federal law enforcement鈥檚 demands for unreasonably expansive power to hack into our computers and cloud accounts. Let鈥檚 keep the momentum going.