Times are changing.
WASHINGTON — Federal agents armed with a single search warrant will be able to hack millions of Americans' computers unless Congress blocks a new rule from taking effect in December.
Sen. Ron Wyden, D-Ore., said the change to federal criminal procedures is a huge increase in government surveillance authority and treats victims of cyber crime like attackers by making it easier for agents to hack their computers to gain evidence. He said Congress should weigh in on such a major policy change, and he will introduce a bill this month to block the rule.
"People ought to care because it's a dramatic expansion of the government's hacking and surveillance authority," said Wyden, who serves on the Senate Intelligence Committee.
Wyden, along with privacy advocates, civil liberties groups and tech companies, is scrambling to inform members of Congress about the new rule, which was sought by the Justice Department, adopted by the U.S. Federal Courts, and approved on April 28 by the Supreme Court without much fanfare.
The Justice Department said the rule change is needed for two reasons: to help catch criminals who use technology to conceal their identities while engaging in crime on the Internet, and to investigate criminals' use of "botnets," collections of computers that have been infected with malicious software and are controlled remotely by people seeking to steal financial data or other personal information.
Currently, the FBI must go to magistrates in every judicial district in which infected computers are known to be located to seek search warrants authorizing them to gain remote access to those machines, which may number in the millions and be scattered throughout the country. The change to Rule 41 of the Federal Rules of Criminal Procedure would allow agents to go to just one judge to get a warrant to hack into all of those computers.
"Coordinating simultaneous warrant applications in many districts — or perhaps all 94 districts — requires a tremendous commitment of resources by investigators, and it also imposes substantial demands on many magistrate judges," the U.S. Courts Advisory Committee on Criminal Rules wrote in support of the Justice Department's request.
Critics worry that federal agents could go to the most sympathetic judges and bypass those who are more skeptical of government intrusion into Americans' privacy.
"We could definitely see the government go forum-shopping for judges," said Robyn Greene, policy counsel at New America's Open Technology Institute. "The bigger question here is should the government be engaged in hacking at all, and, if so, what should the rules of the road be? That's something Congress should decide."
Google, Inc., which opposes the new rule, said government hacking could inadvertently damage innocent Americans' computer systems and make them more vulnerable to future cyber attacks.
"The use of various forms of (hacking) ... are more invasive than other searches because they often have unknown, widespread, and sometimes destructive consequences," Richard Salgado, Google's director of law enforcement and information security, wrote last year in a letter to the Judicial Conference Advisory Committee on Criminal Rules.
Deputy Assistant Attorney General David Bitkower, in a letter to the advisory panel, said the Justice Department "is mindful of the potential impact of remote search techniques on computer systems and is careful to avoid collateral damage."
Salgado said the new rule also weakens the requirement for the government to notify people that their computers have been searched. The revised rule says that federal law enforcement must only "make reasonable efforts" at notifying people that their property was searched or that their information was seized or copied, Salgado said.
Bitkower said the notice requirement recognizes the challenges of conducting remote searches of computers when the physical location of the machines is being concealed.
"Even after officers conduct a remote search, they may still lack sufficient information to identify or contact the owner of the searched computer," he wrote.
A cybersecurity expert at the International Computer Science Institute in Berkeley, Calif., said the rule changes seem to make sense.
"We are talking about targeted hacking which, even if affecting many systems, are done with probable cause and judicial oversight," said Nicholas Weaver, an institute researcher who specializes in network security issues, including botnets. "You can argue the government shouldn't be able to hack at all. But if the government is allowed to do such hacking with a warrant, the changes themselves appear to me quite reasonable."
Wyden said the debate underscores the need for Congress to act.
"These are big issues; this is not just a garden-variety federal rule change," Wyden said. "We're talking about mass hacks. I'm doing everything I can to get members of Congress interested."