
Tracking & Law Enforcement

FBI, GCHQ Get Foreign Hacking Authority

UK's GCHQ Building

Changes to Rule 41 of the Federal Rules of Criminal Procedure come into force today, giving the FBI (armed with a judicially granted search warrant) authority to hack computers in any jurisdiction, and potentially overseas. This comes just two days after the UK’s Investigatory Powers Act (IPA) was granted royal assent and became law. The latter gives Britain’s Government Communications Headquarters (GCHQ) the legal authority to ‘mass hack’ outside of the UK.

Democratic Senator Ron Wyden repeatedly tried to delay the changes to Rule 41. His last attempt in the Senate failed on Tuesday. Speaking from the floor, he described the changes as “one of the biggest mistakes in surveillance policy in years,” adding that the government would have “unprecedented authority to hack into Americans’ personal phones, computers and other devices.”

A major concern for Wyden is that these changes effectively arrived through the back door, without requiring congressional approval. The amendment evolved from a regular review of criminal procedure conducted by a conference of federal judges. After several years considering the rule, including a public comment period, the conference submitted the proposed change to the Supreme Court, which approved it to take effect today unless Congress acted to block it. Congress did not.

The changes to Rule 41 effectively expand the US government’s hacking powers, allowing even magistrate judges to grant investigative agencies the authority to conduct mass hacking operations against computers potentially located anywhere in the world, particularly where the location of the target has been concealed (for example, by Tor or a VPN) or where the investigation involves computers in five or more districts, as in a botnet case. Previously, Rule 41 restricted such authorizations: magistrate judges could only issue warrants for searches within the jurisdiction of their own court.

Although this is a major expansion of FBI authority, it is merely an expansion of existing authority. This is not the case with the UK’s Investigatory Powers Act. It has been known since Snowden’s revelations that GCHQ hacks into computers; but it had been doing so illegally.

“The investigatory powers tribunal,” reported the Guardian in October, “which is the only court that hears complaints against MI5, MI6 and GCHQ, said the security services operated an illegal regime to collect vast amounts of communications data, tracking individual phone and web use and other confidential personal information, without adequate safeguards or supervision for 17 years.”

The new IPA now makes this legal. It does not use the term ‘hacking’ but describes it as ‘equipment interference’. It requires a warrant issued by the Secretary of State and approved by a Judicial Commissioner (the so-called ‘double lock’). There are two categories: targeted and bulk. Bulk equipment interference is only authorized against foreign targets, but could involve hacking whole towns or even taking down whole geographic areas if they are perceived as a threat.

‘Targeted’ domestic hacking is also a bit of a misnomer. The Act contains the concept of a ‘general’ (or thematic) warrant, where the target can be a group, an organization or a location rather than an individual, even within the UK. If GCHQ believed a terrorist threat was imminent in a particular town, it could obtain a single warrant that effectively covered everyone in that town.


Hacking, however, is not the only new or expanded surveillance capability provided by the IPA. Two that are causing particular concern are the retention of everybody’s internet data by ISPs for 12 months, and the provision for what amounts to a general encryption backdoor.

Critics point to recent breaches at UK telecoms and internet providers, including Three Mobile and TalkTalk. With so much more personal data being held, the ISPs will become prime targets for cyber criminals and even foreign states, and the expectation is that some of them will inevitably be breached.

The encryption backdoor is fittingly backdoored into the legislation. Tucked away in Part 9 under the title ‘Miscellaneous and General Provisions’ subtitled ‘Technical capability notices’ is the statement, “The Secretary of State may give a relevant operator a technical capability notice” where the obligations include “the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data…”

Any such notice would be given with an accompanying gagging order. What this would mean in practice is that an FBI/Apple San Bernardino tussle would not happen in the UK. In theory, the UK government could simply legally require the device operator to provide assistance in gaining access to an encrypted device, while simultaneously preventing that operator from disclosing the fact.

“In general,” Sophos senior security advisor John Shier told SecurityWeek, “governments are trying to formalize in law mass surveillance and hacking in an attempt to better protect states and citizens. Some believe this is fine since it ‘might’ help catch hackers, terrorists and other criminals. Others,” he added, “believe this is gross government overreach. Political (and personal) ideology will determine which side is determined to be ‘right.’ Our concern is more practical than political. This storage of personal data and opening of special access through backdoors only gives the massive cybercrime industry more opportunity to steal it, and places an increased burden on those companies required to collect the data to protect it. High profile data leaks occur all too often, so why put more data at risk?”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
