Congress has one more shot to delay government hacking expansion
© Getty Images

On Thursday, changes to Rule 41 of the Federal Rules of Criminal Procedure go into effect unless Congress passes a bill to delay their implementation.

ADVERTISEMENT
For that reason, Sens. Ron WydenRonald (Ron) Lee WydenScrutiny ramps up over Commerce secretary's stock moves Hillicon Valley: Justices require warrants for cellphone location data | Amazon employees protest facial recognition tech sales | Uber driver in fatal crash was streaming Hulu | SpaceX gets contract to launch spy satellite On The Money — Sponsored by Prudential — Supreme Court allows states to collect sales taxes from online retailers | Judge finds consumer bureau structure unconstitutional | Banks clear Fed stress tests MORE (D-Ore.) and Chris CoonsChristopher (Chris) Andrew CoonsSenate moderates hunt for compromise on family separation bill All the times Horowitz contradicted Wray — but nobody seemed to notice Hillicon Valley: Trump hits China with massive tech tariffs | Facebook meets with GOP leaders over bias allegations | Judge sends Manafort to jail ahead of trial | AT&T completes Time Warner purchase MORE (D-Del.) will call for unanimous consent to pass the Stopping Mass Hacking Act (S. 2952, H.R. 5321), the Review the Rule Act (S.3475, H.R.6341), and the Stalling Damaging Mass Hacking Act.

Each bill would delay the implementation of the rule change permanently, for seven months, or to coincide with the bill to provide the government with short-term funding, respectively.

Previous Congresses have passed similar delays when imminent changes were significant and raised particular concerns that required more time for consideration and amendment. The 93rd and 94th Congresses passed three such delays, and this Congress must do the same and pass one of these bills.

It is critical that, before these substantive and substantial changes take effect, Congress debate them and demand answers from the Department of Justice (DOJ) to basic questions that members have asked, and to which no response has been issued.

Congressional inaction that permits these rule changes to go into effect will result in a significant expansion of government hacking into suspects' and victims' computers alike.

The changes remove current jurisdictional requirements, which will invite forum shopping — a situation in which the government applies for warrants from judges who are considered to be "prosecutor friendly" and thus more likely to issue a warrant with less scrutiny of the government's request.

The change would also allow a judge to issue a single warrant to remotely access thousands — potentially millions — of devices.

The increase in government hacking raises new and significant concerns for cybersecurity.

Risks associated with hacking can include inadvertently damaging the device or destroying data stored on it. Misattribution, which can cause the government to accidentally hack into the device of an innocent third-party instead of the targeted criminal suspect, is also of concern. Additionally, if the malware that is used somehow gets into the hands of a malicious actor, it can be used for criminal purposes.

Beyond cybersecurity concerns, government hacking poses a unique threat to privacy.

It is more privacy invasive than wiretapping, since by accessing someone's device, you gain access not only to their immediate communications, but to every aspect of a person's life, from their photos and videos, to diaries, to medical and financial records, and to writing and correspondences.

Despite this, Congress has never considered whether the government should be hacking into devices, let alone prescribing a set of procedures and protections, as it did with the Wiretap Act.

The DOJ argues that these changes received "long consideration and substantial public debate." However, it did not seek new legislative authority from Congress, as it should have.

Instead, it sought substantive rule changes from the little-known Advisory Committee on the Federal Rules of Criminal Procedure, which is only authorized to issue procedural rule changes. Companies and civil society organizations, including New America's Open Technology Institute (OTI), attended meetings convened by the committee and raised concerns about the rule changes.

The final rule issued by the Committee did not address the significant concerns that had been raised.

For these reasons, OTI and other groups and companies have repeatedly called on Congress to pass bills to delay the implementation of the rule change. They deserve a true open debate before Congress so that privacy and cybersecurity concerns can be publicly aired and addressed through legislation.

Members should follow in the steps of their predecessors and pass a delay so that relevant committees can take the time necessary to hold hearings and consider the best path forward.

Robyn Greene is policy counsel of the New America Foundation's Open Technology Institute.


The views expressed by contributors are their own and not the views of The Hill.