This article originally appeared on the International Business Times.
Changes to a little-discussed rule have expanded the United States government’s surveillance capabilities despite several attempts to halt the rule change.
The changes in question to Rule 41 of the Federal Rules of Criminal Procedure grant judges the ability to issue warrants that would allow for remote access, search, seizure, or copying of data when the location of said data has “been concealed through technological means” or when the information is located on protected devices and have been “damaged without authorization and are located in five or more districts.”
The rule grants this power to any judge in any district where activities related to the crime in question may have taken place.
On its face, the rule change may seem innocuous, but privacy advocates had been arguing for Congress to disavow the amended clause since it was first presented in April.
The primary concern is the potentially overextending power the rule would grant judges issuing search warrants. The rule could be used to issue remote access warrants that would allow the FBI the ability to hack devices that are physically located out of their jurisdiction or overseas.
On a more fundamental level, privacy organizations like the Electronic Frontier Foundation (EFF) and Access Now believe the rule may present a threat to just about anyone using basic privacy tools like Virtual Private Networks (VPNs) or the Tor browser that can conceal a user's location and online activities.
In a blog post, EFF’s activism director Rainey Reitman warned the rule could be applied to even more basic levels than that, stating it could extend to “people who deny access to location data for smartphone apps because they don’t feel like sharing their location with ad networks” or to those who change their country setting in an online service like Twitter.
The rule could also have implications for users who are compromised by malicious software and made the victim of someone else’s activity.
For example, the botnet that took down major web services earlier this year via distributed denial of service attacks utilized hacked Internet of Things devices to deploy its bombardment. The changes to Rule 41 could give federal agents the ability to remotely access any computers or devices—and all the personal information stored within—used in that attack as part of an investigation, even if the device owner merely fell victim to a hack.
The ill-defined parameters of the tweaked Rule 41 leaves a considerable amount of room for overreach, leaving much to the jurisdiction of a judge who may or may not know exactly how much leeway they are granting to government agencies.
“It's unfortunate that Congress refused to consider changes to Rule 41 before they go into effect, but this is far from the end of the conversation,” said Nathan White, the senior legislative manager at Access Now. “Changes to Rule 41 were sought to make it easier for law enforcement to conduct hacking operations. However, Congress has never explicitly authorized government hacking at all. In fact, in many cases hacking is inconsistent with human rights and the United States' international treaty obligations.”
White called for the incoming Congress to consider legislation that places limits on the government’s hacking ability and encouraged them to take into account the rights and responsibilities of the parties involved in hacking cases.
“Access Now has begun the discussion by publishing a report on the human rights implications of government hacking, but it's time for Congress to do its job,” he said. “Law enforcement must adapt to the digital world. It's a shame we have to drag Congress into a conversation it should be leading.”