Rule 41: Why security and privacy experts are wary

The U.S. Supreme Court proposed changes to the FRCP, including to Rule 41. Expert Mike Chapple looks at Rule 41 and why it matters to security and privacy experts.

The Federal Rules of Criminal Procedure (FRCP) govern the criminal trials that take place in all federal courts around the nation. While these rules are quite dry and rarely contain controversial provisions, they are extremely important to the conduct of criminal trials: they set the procedural rules that govern not only the conduct of a trial but also the conduct of law enforcement personnel who gather evidence that may be used at trial.

The U.S. Supreme Court just took a major step regarding one of the FRCP rules -- Rule 41 -- which could expand the authority of federal law enforcement to remotely access and control users' computing devices and systems. Let's take a closer look at Rule 41, why privacy advocates oppose it and what it could mean for enterprises.

What is Rule 41?

On April 28, 2016, the U.S. Supreme Court submitted proposed amendments to the FRCP that cover a variety of changes to criminal trial procedures. One change in particular is of great interest to information security and privacy experts. Rule 41 governs the search and seizure of evidence that may be used in a criminal proceeding. The text of the proposed rule change reads:

"A magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of (a computer crime)…the media are protected computers that have been damaged without authorization and are located in five or more districts."

On its face, the proposed language sounds like a benign attempt to ensure that federal courts have the authority to act in cases where the correct jurisdiction is unclear. Privacy advocates, however, point out that the new rules could have much more sinister applications. Rainey Reitman, activism director for the Electronic Frontier Foundation, issued a statement claiming, in part, that "the change to Rule 41 isn't merely a procedural update." She claims that "it significantly expands the hacking capabilities of the United States government without any discussion or public debate by elected officials."

It does seem fair to equate the powers this change allows federal judges to authorize with hacking. After all, how will law enforcement officials gain "remote access to search" suspect computer systems without resorting to hacking tools and techniques?

Privacy advocates also point out that the first clause in this proposed change allows any magistrate judge anywhere in the country to issue a warrant in a case where the system's location has been "concealed through technological means." This clause would certainly apply to systems running Tor or other anonymity software, but it might also be interpreted to cover any system using a VPN, proxy server or other privacy technology. This clause opens the door to "venue shopping," where law enforcement officials seek out a friendly judge willing to issue warrants that then apply anywhere in the country.

The second clause seems to apply directly to botnets that include infected systems in five or more districts. The authority granted by this clause allows a federal judge to authorize law enforcement officials to surreptitiously gain access to the innocent systems that are members of the botnet. These are not the systems belonging to the attackers but, in most cases, computers belonging to private individuals that have been infected by bots. Government agents would then have access to all of the information stored on those systems, perhaps compounding the effects of one security compromise by causing a second incident.

What's next?

The Supreme Court has the authority to amend the FRCP's Rule 41, but Congress also plays a role in the process. If Congress does not act, the proposed changes will take effect on December 1, 2016. However, Congress has the seldom-used authority to reject or modify the proposed changes, and the EFF and other activists are lobbying Congress to do just that. We'll have to wait and see whether Congress chooses to take action.

In the meantime, until Rule 41 is either finalized, rejected or altered, there is not much practical effect on enterprise cybersecurity. Certainly, organizations should be aware that law enforcement officials may obtain warrants that allow them to hack into enterprise systems, but the controls used to defend against those intrusions are the same controls that organizations should already have in place to defend against any advanced persistent threat.

This was last published in June 2016