Congress has one more shot to delay government hacking expansion
© Getty Images

On Thursday, changes to Rule 41 of the Federal Rules of Criminal Procedure go into effect unless Congress passes a bill to delay their implementation.

ADVERTISEMENT
For that reason, Sens. Ron WydenRonald (Ron) Lee WydenHouse bill set to reignite debate on warrantless surveillance Senate confirms No. 2 spot at HHS, days after Price resigns Overnight Cybersecurity: Equifax CEO faces outraged lawmakers | Dem presses voting machine makers on cyber defense | Yahoo says 3 billion accounts affected by 2013 breach MORE (D-Ore.) and Chris CoonsChristopher (Chris) Andrew CoonsThis week: Congress gets ball rolling on tax reform Lift the Jones Act and similar restrictions for humanitarian crises Overnight Tech: White House unveils tech education initiative | Bannon reportedly sought to spy on Facebook | Uber CEO to appeal London ban | John Oliver rips AT&T-Time Warner merger MORE (D-Del.) will call for unanimous consent to pass the Stopping Mass Hacking Act (S. 2952, H.R. 5321), the Review the Rule Act (S.3475, H.R.6341), and the Stalling Damaging Mass Hacking Act.

Each bill would delay the implementation of the rule change permanently, for seven months, or to coincide with the bill to provide the government with short-term funding, respectively.

Previous Congresses have passed similar delays when imminent changes were significant and raised particular concerns that required more time for consideration and amendment. The 93rd and 94th Congresses passed three such delays, and this Congress must do the same and pass one of these bills.

It is critical that, before these substantive and substantial changes take effect, Congress debate them and demand answers from the Department of Justice (DOJ) to basic questions that members have asked, and to which no response has been issued.

Congressional inaction that permits these rule changes to go into effect will result in a significant expansion of government hacking into suspects' and victims' computers alike.

The changes remove current jurisdictional requirements, which will invite forum shopping — a situation in which the government applies for warrants from judges who are considered to be "prosecutor friendly" and thus more likely to issue a warrant with less scrutiny of the government's request.

The change would also allow a judge to issue a single warrant to remotely access thousands — potentially millions — of devices.

The increase in government hacking raises new and significant concerns for cybersecurity.

Risks associated with hacking can include inadvertently damaging the device or destroying data stored on it. Misattribution, which can cause the government to accidentally hack into the device of an innocent third-party instead of the targeted criminal suspect, is also of concern. Additionally, if the malware that is used somehow gets into the hands of a malicious actor, it can be used for criminal purposes.

Beyond cybersecurity concerns, government hacking poses a unique threat to privacy.

It is more privacy invasive than wiretapping, since by accessing someone's device, you gain access not only to their immediate communications, but to every aspect of a person's life, from their photos and videos, to diaries, to medical and financial records, and to writing and correspondences.

Despite this, Congress has never considered whether the government should be hacking into devices, let alone prescribing a set of procedures and protections, as it did with the Wiretap Act.

The DOJ argues that these changes received "long consideration and substantial public debate." However, it did not seek new legislative authority from Congress, as it should have.

Instead, it sought substantive rule changes from the little-known Advisory Committee on the Federal Rules of Criminal Procedure, which is only authorized to issue procedural rule changes. Companies and civil society organizations, including New America's Open Technology Institute (OTI), attended meetings convened by the committee and raised concerns about the rule changes.

The final rule issued by the Committee did not address the significant concerns that had been raised.

For these reasons, OTI and other groups and companies have repeatedly called on Congress to pass bills to delay the implementation of the rule change. They deserve a true open debate before Congress so that privacy and cybersecurity concerns can be publicly aired and addressed through legislation.

Members should follow in the steps of their predecessors and pass a delay so that relevant committees can take the time necessary to hold hearings and consider the best path forward.

Robyn Greene is policy counsel of the New America Foundation's Open Technology Institute.


The views expressed by contributors are their own and not the views of The Hill.