The US Supreme Court has approved a change in Rule 41 of the Federal Rules of Criminal Procedure, so judges across the country now have the authority to issue warrants for remote electronic searches outside their district.
That means that a judge can grant an FBI agent in, say, New York, permission to hack into a computer in San Francisco, or potentially any city in the world, in order to further their investigation.
The court documents pertaining to the matter indicate that a warrant will be granted if a suspect uses tools to hide their identity, such as Tor.
The amendment, first introduced in 2014, seems intended as a step towards keeping pace with the ever-changing world of cyber crime, but it raises privacy and security issues that tech firms like Google say require further debate.
It comes just a week after a Massachusetts judge dismissed evidence obtained by the FBI using a network investigative technique in a case involving a Dark Web site that distributed images of child sexual abuse. It was Rule 41 that rendered the FBI’s findings invalid in court.
The US Department of Justice’s spokesperson Peter Carr told Motherboard:
Criminals now have ready access to sophisticated anonymizing technologies to conceal their identity while they engage in crime over the Internet, and the use of remote searches is often the only mechanism available to law enforcement to identify and apprehend them.
This amendment ensures that courts can be asked to review warrant applications in situations where is it currently unclear what judge has that authority. The amendment makes explicit that it does not change the traditional rules governing probable cause and notice.
Privacy advocates are concerned that the government is attempting to grant itself this kind of power to snoop on just about anyone while disguising it as a procedural rule.
It’s a problem because, as Oregon Senator Ron Wyden, who has vowed to mobilize opposition to the update notes, “This rule change could potentially allow federal investigators to use one warrant to access millions of computers, and it would treat the victims of the hack the same as the hacker himself.”
However, the change is yet to come into play – Congress has until December 1 to share its thoughts on the matter. If it fails to do so, the amended rule will become law. The trouble is, both chambers of Congress have to agree on how to address it, and that seems unlikely, given the current gridlock in the legislature ahead of the presidential election.