Connect with us

Hi, what are you looking for?


Tracking & Law Enforcement

FBI, GCHQ Get Foreign Hacking Authority

UK's GCHQ Building

UK's GCHQ Building

Changes to Rule 41 of the federal rules of criminal procedure come into force today, giving the FBI (with a judicially granted search warrant) authority to hack computers in any jurisdiction, and potentially overseas. This happened just two days after the UK’s Investigatory Powers Act (IPA) was granted royal assent and became law. The latter gives Britain’s Government Communications Headquarters (GCHQ) the legal authority to ‘mass hack’ outside of the UK.

Democratic Senator Ron Wyden repeatedly tried to delay the changes to Rule 41. His last attempt in the Senate failed on Tuesday. Speaking from the floor he described the changes as “one of the biggest mistakes in surveillance policy in years,” adding that the government would have “unprecedented authority to hack into Americans’ personal phones, computers and other devices.”

A major concern for Wyden is that these changes effectively came via the backdoor without requiring congressional approval. It evolved from a regular review of criminal procedure conducted by a conference of federal judges. After several years considering the rule with a public comment period, the conference submitted the suggested change to the Supreme Court — which approved it to go into effect today.

The changes to the Rule 41 effectively expands the US government’s hacking powers, allowing even magistrate judges to grant investigative agencies with the authority to conduct mass hacking operations on computers potentially located in any part of the globe. Previously, Rule 41 laws restricted such authorizations, with magistrate judges only authorized to issue warrants within the jurisdiction of their court.

Although this is a major expansion of FBI authority, it is merely an expansion of existing authority. This is not the case with the UK’s Investigatory Powers Act. It has been known since Snowden’s revelations that GCHQ hacks into computers; but it had been doing so illegally.

“The investigatory powers tribunal,” reported the Guardian in October, “which is the only court that hears complaints against MI5, MI6 and GCHQ, said the security services operated an illegal regime to collect vast amounts of communications data, tracking individual phone and web use and other confidential personal information, without adequate safeguards or supervision for 17 years.”

The new IPA (PDF) now makes this legal. It does not use the term ‘hacking’ but describes it as ‘equipment interference’. It requires judicial oversight with a warrant from both the Secretary of State and a panel of judges. There are two categories: targeted and bulk. Bulk hacking is only authorized for foreign targets, but could involve hacking whole towns or even taking down whole geographic areas if perceived as a threat.

Advertisement. Scroll to continue reading.

Targeted local hacking is also a bit of a misnomer. The Act contains the concept of a ‘general warrant’ where the target could be a group or an organization or a location rather than an individual even within the UK. If GCHQ believed a terrorist threat was imminent in a particular town, it could obtain a warrant that could effectively cover everyone in that town.

Hacking, however, is not the only new or expanded surveillance capability provided by the IPA. Two that are causing particular concern are the retention of everybody’s internet data by ISPs for 12 months, and the provision for what amounts to a general encryption backdoor.

Critics point to recent ISP breaches, including Three Mobile and TalkTalk. With so much more personal data being held, the ISPs will become prime targets for cyber criminals and even foreign states — and the suggestion is that some of these ISPs will undoubtedly and inevitably be breached.

The encryption backdoor is fittingly backdoored into the legislation. Tucked away in Part 9 under the title ‘Miscellaneous and General Provisions’ subtitled ‘Technical capability notices’ is the statement, “The Secretary of State may give a relevant operator a technical capability notice” where the obligations include “the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data…”

Any such notice would be given with an accompanying gagging order. What this would mean in practice is that an FBI/Apple San Bernardino tussle would not happen in the UK. In theory, the UK government could simply legally require the device operator to provide assistance in gaining access to an encrypted device, while simultaneously preventing that operator from disclosing the fact.

“In general,” Sophos senior security advisor John Shier told SecurityWeek, “governments are trying to formalize in law mass surveillance and hacking in an attempt to better protect states and citizens. Some believe this is fine since it ‘might’ help catch hackers, terrorists and other criminals. Others,” he added, “believe this is gross government overreach. Political (and personal) ideology will determine which side is determined to be ‘right.’ Our concern is more practical than political. This storage of personal data and opening of special access through backdoors only gives the massive cybercrime industry more opportunity to steal it, and places an increased burden on those companies required to collect the data to protect it. High profile data leaks occur all too often, so why put more data at risk?”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


Spanish Court agreed to extradite Joseph James O’Connor to he U.S., who allegedly took part in the July 2020 hacking of Twitter accounts of...


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...


A hacker who reportedly posed as the CEO of a financial institution claims to have obtained access to the more than 80,000-member database of...

Application Security

Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that...