In a defeat for privacy advocates, Senate leaders rebuffed a last-ditch effort by a bipartisan group of senators Wednesday to allow a vote to block a new rule that allows federal agents armed with a single search warrant to hack millions of Americans’ computers or smartphones at once.
That rule will now take effect Thursday.
“By sitting here and doing nothing, the Senate has given consent to this expansion of government hacking and surveillance,” said Wyden, who vowed to introduce a bill in the next Congress to repeal the rule. “Law-abiding Americans are going to ask ‘what were you guys thinking?’ when the FBI starts hacking victims of a botnet hack. Or when a mass hack goes awry and breaks their device, or an entire hospital system and puts lives at risk.”
The Justice Department, which sought the rule, says it’s necessary to keep up with changes in the technology used by criminals, especially the growing use of “botnets.” These are clusters of computers infected by malware that can be controlled remotely and used by hackers to steal financial data.
Under existing rules, FBI agents must go to magistrates in every judicial district where infected computers are known to be located and request warrants to hack into those machines, which may number in the thousands or even the millions and be scattered across the country. The change to Rule 41 of the Federal Rules of Criminal Procedure would allow them to go to just one judge to get a warrant to access all those computers.
Congress has not held any hearings on the new rule, which was approved by the Supreme Court last spring and takes effect automatically on Dec. 1 without congressional action.
Opponents of the new rule, including Google and other big tech companies, say it would hurt crime victims twice by letting the government hack them after they’ve already been hit by criminal hackers. The government could potentially damage victims’ computers and smartphones and destroy their data, critics say.
Federal agents must make “reasonable efforts” under the new rule to tell law-abiding Americans that their devices have been hacked by the government, but privacy advocates said that requirement is weak and victims may never be told about the intrusion.
“We can’t give unlimited power for unlimited hacking — putting Americans’ civil liberties at risk,” Daines said.
Federal agents already hack into victims’ computers to thwart criminals, but the government could greatly expand that power under the new rule.
“This change would not permit indiscriminate surveillance of thousands of victim computers,” wrote Assistant Attorney General Leslie Caldwell of the Criminal Division in a blog post.
Coons said Congress is allowing the new rule to take effect without really knowing what it does.
“While the proposed changes are not necessarily bad or good, they are serious, and they present significant privacy concerns that warrant careful consideration and debate,” Coons said. “It is our responsibility to do our jobs and thoroughly evaluate the merits and ramifications of the proposed changes.”