The EFF is a campaign group supporting people's rights in the digital world. The group writes:
The US government hacking into phones and seizing computers remotely? It's not the plot of a dystopian blockbuster summer movie. It's a proposal from an obscure committee that proposes changes to court procedures -- and if we do nothing, it will go into effect in December.
The proposal comes from the advisory committee on criminal rules for the Judicial Conference of the United States. The amendment would update Rule 41 of the Federal Rules of Criminal Procedure, creating a sweeping expansion of law enforcement's ability to engage in hacking and surveillance. The Supreme Court just passed the proposal to Congress, which has until December 1 to disavow the change or it becomes the rule governing every federal court across the country. This is part of a statutory process through which federal courts may create new procedural rules, after giving public notice and allowing time for comment, under a "rules enabling act."
The Federal Rules of Criminal Procedure set the ground rules for federal criminal prosecutions. The rules cover everything from correcting clerical errors in a judgment to which holidays a court will be closed on -- all the day-to-day procedural details that come with running a judicial system.
The key word here is "procedural." By law, the rules and proposals are supposed to be procedural and must not change substantive rights. But the amendment to Rule 41 isn't procedural at all. It creates new avenues for government hacking that were never approved by Congress.
The proposal would grant a judge the ability to issue a warrant to remotely access, search, seize, or copy data when the district where the media or information is located has been concealed through technological means, or when the media are on protected computers that have been damaged without authorization and are located in five or more districts. It would grant this authority to any judge in any district where activities related to the crime may have occurred.
To understand all the implications of this rule change, let's break this into two segments.
The first part of this change would grant authority to practically any judge to issue a search warrant to remotely access, seize, or copy data relevant to a crime when a computer was using privacy-protective tools to safeguard one's location.
Many different commonly used tools might fall into this category. For example, people who use Tor, folks running a Tor node, or people using a VPN would certainly be implicated. It might also extend to people who deny access to location data for smartphone apps because they don't feel like sharing their location with ad networks. It could even include individuals who change the country setting in an online service, like folks who change the country settings of their Twitter profile in order to read uncensored Tweets.
There are countless reasons people may want to use technology to shield their privacy. From journalists communicating with sources to victims of domestic violence seeking information on legal services, people worldwide depend on privacy tools for both safety and security. Millions of people who have nothing in particular to hide may also choose to use privacy tools just because they're concerned about government surveillance of the Internet, or because they don't like leaving a data trail.
If this rule change is not stopped, anyone who is using any technological means to safeguard their location privacy could find themselves suddenly in the jurisdiction of a prosecutor-friendly or technically-naïve judge, anywhere in the country.
The second part of the proposal is just as concerning. It would grant authorization to a judge to issue a search warrant for hacking, seizing, or otherwise infiltrating computers that may be part of a botnet. This means victims of malware could find themselves doubly infiltrated: their computers infected with malware and used to contribute to a botnet, and then government agents given free rein to remotely access their computers as part of the investigation. Even with the best of intentions, a government agent could well cause as much or even more harm to a computer through remote access than the malware that originally infected the computer. Malicious actors may even be able to hijack the malware the government uses to infiltrate botnets, because the government often doesn't design its malware securely. Government access to the computers of botnet victims also raises serious privacy concerns, as a wide range of sensitive, unrelated personal data could well be accessed during the investigation. This is a dangerous expansion of powers, and not something to be granted without any public debate on the topic.
Make no mistake: the Rule 41 proposal implicates people well beyond U.S. borders. This update expands the jurisdiction of judges to cover any computer user in the world who is using technology to protect their location privacy or is unwittingly part of a botnet. People both inside and outside of the United States should be equally concerned about this proposal.
The change to Rule 41 isn't merely a procedural update. It significantly expands the hacking capabilities of the United States government without any discussion or public debate by elected officials. If members of the intelligence community believe these tools are necessary to advancing their investigations, then this is not the path forward. Only elected members of Congress should be writing laws, and they should be doing so in a manner that considers the privacy, security, and civil liberties of people impacted.
Rule 41 seeks to sidestep the legislative process while making sweeping sacrifices in our security. Congress should reject the proposal completely.
Unless someone makes a challenge in Congress, new enhanced snooping powers have been decreed for the US authorities.
Extra spying powers are set to be granted by Congressional inaction over an update to Rule 41 of the Federal Rules of Criminal Procedure. These changes will kick in on December 1.
The rule tweak, which was cleared by the Supreme Court in April, will allow the FBI to apply for a warrant to a nearby US judge to hack any suspect that's using Tor, a VPN, or some other anonymizing software to hide their whereabouts, in order to find the target's true location.
Normally, if agents want to hack a PC, they have to ask a judge for a warrant in the jurisdiction where the machine is located. This is tricky if the location is obscured by technology. With the changes to Rule 41 in place, investigators can get a warrant from any handy judge to deploy malware to find out where the suspect is based -- which could be anywhere in America or the world.
The rule change also allows the authorities to obtain just one warrant in cases that cross multiple jurisdictions.
The House of Representatives cast a deeply disappointing vote today to extend NSA spying powers for the next six years by a 256-164 margin. In a related vote, the House also failed to adopt meaningful reforms on how the government sweeps up large swaths of data that predictably include Americans' communications.
Because of these votes, broad NSA surveillance of the Internet will likely continue, and the government will still have access to Americans' emails, chat logs, and browsing history without a warrant. Because of these votes, this surveillance will continue to operate in a dark corner, routinely violating the Fourth Amendment and other core constitutional protections.
This is a disappointment to EFF and all our supporters who, for weeks, have spoken to defend privacy. And this is a disappointment for the dozens of Congress members who have tried to rein NSA surveillance in, asking that the intelligence community merely follow the Constitution.
Today's House vote concerned S. 139, a bill to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA), a powerful surveillance authority the NSA relies on to sweep up countless Americans' electronic communications. EFF vehemently opposed S. 139 for its failure to enact true reform of Section 702.
As passed by the House today, the bill:
Endorses nearly all warrantless searches of databases containing Americans' communications collected under Section 702.
Provides a narrow and seemingly useless warrant requirement that applies only for searches in some later-stage criminal investigations, a circumstance which the FBI itself has said almost never happens.
Allows for the restarting of "about" collection, an invasive type of surveillance that the NSA ended last year after being criticized by the Foreign Intelligence Surveillance Court for privacy violations.
Sunsets in six years, delaying Congress' best opportunity to debate the limits of NSA surveillance.
Sadly, the House's approval of S. 139 was its second failure today. The first was in the House's inability to pass an amendment -- through a 183-233 vote -- that would have replaced the text of S. 139 with the text of the USA Rights Act, a bill that EFF is proud to support. You can read about that bill here.
The amendment to replace the text of S. 139 with the USA Rights Act was introduced by Reps. Justin Amash (R-MI) and Zoe Lofgren (D-CA) and included more than 40 cosponsors from both sides of the aisle. Its defeat came from both Republicans and
S. 139 now heads to the Senate, which we expect to vote by January 19. The Senate has already considered stronger bills to rein in NSA surveillance, and we call on the Senate to reject this terrible bill coming out of the House.
This week, Senators Hatch, Graham, Coons, and Whitehouse introduced a bill that diminishes the data privacy of people around the world.
The Clarifying Overseas Use of Data (CLOUD) Act expands American and foreign law enforcement's ability to target and access people's data across international borders in two ways. First, the bill creates an explicit provision for U.S. law enforcement (from a local police department to federal agents in Immigration and Customs Enforcement) to access "the contents of a wire or electronic communication and any record or other information" about a person regardless of where they live or where that information is located on the globe. In other words, U.S. police could compel a service provider -- like Google, Facebook, or Snapchat -- to hand over a user's content and metadata, even if it is stored in a foreign country, without following that foreign country's privacy laws.
Second, the bill would allow the President to enter into "executive agreements" with foreign governments that would allow each government to acquire users' data stored in the other country, without following each other's privacy laws.
For example, because U.S.-based companies host and carry much of the world's Internet traffic, a foreign country that enters one of these executive agreements with the U.S. could potentially wiretap people located anywhere on the globe (so long as the target of the wiretap is not a U.S. person or located in the United States) without the procedural safeguards of U.S. law typically given to data stored in the United States, such as a warrant, or even notice to the U.S. government.
This is an enormous erosion of current data privacy laws.
This bill would also moot legal proceedings now before the U.S. Supreme Court. In the spring, the Court will decide whether or not current U.S. data privacy laws allow U.S. law enforcement to serve warrants for information stored outside the United States. The case, United States v. Microsoft (often called "Microsoft Ireland"), also calls into question principles of international law, such as respect for other countries' territorial boundaries and their rule of law.
Notably, this bill would expand law enforcement access to private email and other online content, yet the Email Privacy Act, which would create a warrant-for-content requirement, has still not passed the Senate, even though it has enjoyed unanimous support in the House for the past two years.
The CLOUD Act and the US-UK Agreement
The CLOUD Act's proposed language is not new. In 2016, the Department of Justice first proposed legislation that would enable the executive branch to enter into bilateral agreements with foreign governments to allow those foreign governments direct access to U.S. companies and U.S. stored data. Ellen Nakashima at the Washington Post broke the story that these agreements (the first iteration has already been negotiated with the United Kingdom) would enable foreign governments to wiretap any communication in the United States, so long as the target is not a U.S. person. In 2017, the Justice Department re-submitted the bill for Congressional review, but added a few changes: this time including broad language to allow the extraterritorial application of U.S. warrants outside the boundaries of the United States.
In September 2017, EFF, with a coalition of 20 other privacy advocates, sent a letter to Congress opposing the Justice Department's revamped bill.
The executive agreement language in the CLOUD Act is nearly identical to the language in the DOJ's 2017 bill. None of EFF's concerns have been addressed. The legislation still:
Includes a weak standard for review that does not rise to the protections of the warrant requirement under the Fourth Amendment.
Fails to require foreign law enforcement to seek individualized and prior judicial review.
Grants real-time access and interception to foreign law enforcement without requiring the heightened warrant standards that U.S. police have to adhere to under the Wiretap Act.
Fails to place adequate limits on the category and severity of crimes for this type of agreement.
Fails to require notice on any level -- to the person targeted, to the country where the person resides, and to the country where the data is stored. (Under a separate provision regarding U.S. law enforcement extraterritorial orders, the bill allows companies to give notice to the foreign countries where data is stored, but there is no parallel provision for company-to-country notice when foreign police seek data stored in the United States.)
The CLOUD Act also creates an unfair two-tier system. Foreign nations operating under executive agreements are subject to minimization and sharing rules when handling data belonging to U.S. citizens, lawful permanent residents, and corporations. But these privacy rules do not extend to someone born in another country and living in the United States on a temporary visa or without documentation. This denial of privacy rights is unlike other U.S. privacy laws. For instance, the Stored Communications Act protects all members of the "public" from the unlawful disclosure of their personal communications.
An Expansion of U.S. Law Enforcement Capabilities
The CLOUD Act would give unlimited jurisdiction to U.S. law enforcement over any data controlled by a service provider, regardless of where the data is stored and who created it. This applies to content, metadata, and subscriber information -- meaning private messages and account details could be up for grabs. The breadth of such unilateral extraterritorial access creates a dangerous precedent for other countries who may want to access information stored outside their own borders, including data stored in the United States.
EFF argued on this basis (among others) against unilateral U.S. law enforcement access to cross-border data, in our Supreme Court amicus brief in the Microsoft Ireland case.
When data crosses international borders, U.S. technology companies can find themselves caught in the middle between the conflicting data laws of different nations: one nation might use its criminal investigation laws to demand data located beyond its borders, yet that same disclosure might violate the data privacy laws of the nation that hosts that data. Thus, U.S. technology companies lobbied for and received provisions in the CLOUD Act allowing them to move to quash or modify U.S. law enforcement orders for extraterritorial data. The tech companies can quash a U.S. order when the order does not target a U.S. person and might conflict with a foreign government's laws. To do so, the company must object within 14 days, and undergo a complex "comity" analysis -- a procedure where a U.S. court must balance the competing interests of the U.S. and foreign governments.
Failure to Support Mutual Assistance
Of course, there is another way to protect technology companies from this dilemma, which would also protect the privacy of technology users around the world: strengthen the existing international system of Mutual Legal Assistance Treaties (MLATs). This system allows police who need data stored abroad to obtain the data through the assistance of the nation that hosts the data. The MLAT system encourages international cooperation.
It also advances data privacy. When foreign police seek data stored in the U.S., the MLAT system requires them to adhere to the Fourth Amendment's warrant requirements. And when U.S. police seek data stored abroad, it requires them to follow the data privacy rules where the data is stored, which may include important "necessary and proportionate" standards. Technology users are most protected when police, in the pursuit of cross-border data, must satisfy the privacy standards of both countries.
While there are concerns from law enforcement that the MLAT system has become too slow, those concerns should be addressed with improved resources, training, and streamlining.
The CLOUD Act raises dire implications for the international community, especially as the Council of Europe is beginning a process to review the MLAT system that has been supported for the last two decades by the Budapest Convention. Although Senator Hatch has in the past introduced legislation that would support the MLAT system, this new legislation fails to include any provisions that would increase resources for the U.S. Department of Justice to tackle its backlog of MLAT requests, or otherwise improve the MLAT
A growing chorus of privacy groups in the United States opposes the CLOUD Act's broad expansion of U.S. and foreign law enforcement's unilateral powers over cross-border data. For example, Sharon Bradford Franklin of OTI (and the former executive director of the U.S. Privacy and Civil Liberties Oversight Board) objects that the CLOUD Act will move law enforcement access capabilities "in the wrong direction, by sacrificing digital rights."
Access Now also opposes the bill.
Major U.S. technology companies and legal scholars support the legislation. But, to set the record straight, the CLOUD Act is not a "good start." Nor does it do a "remarkable job of balancing these interests in ways that promise long-term gains in both privacy and security." Rather, the legislation reduces protections for the personal privacy of technology users in an attempt to mollify tensions between law enforcement and U.S. technology companies.
Legislation to protect the privacy of technology users from government snooping has long been overdue in the United States. But the CLOUD Act does the opposite, and privileges law enforcement at the expense of people's privacy. EFF strongly opposes the bill. Now is the time to strengthen the MLAT system, not undermine it.
US Congress passes an unscrutinised bill to allow foreign countries to snoop on US internet connections, presumably so that GCHQ can pass the data back to the US, so evading a US ban on US snooping on US citizens
On Thursday, the US House approved the omnibus government spending bill, with the unscrutinised CLOUD Act attached, in a 256-167 vote. The Senate followed up late that night with a 65-32 vote in favor. All the bill requires now is the president's
U.S. and foreign police will have new mechanisms to seize data across the globe. Because of this failure, your private emails, your online chats, your Facebook, Google, Flickr photos, your Snapchat videos, your private lives online, your moments shared digitally between only those you trust, will be open to foreign law enforcement without a warrant and with few restrictions on using and sharing your information. Because of this failure, U.S. laws will be bypassed on U.S. soil.
As we wrote before, the CLOUD Act is a far-reaching, privacy-upending piece of legislation that will:
Enable foreign police to collect and wiretap people's communications from U.S. companies, without obtaining a U.S. warrant.
Allow foreign nations to demand personal data stored in the United States, without prior review by a judge.
Allow the U.S. president to enter executive agreements that empower police in foreign nations that have weaker privacy laws than the United States to seize data in the United States while ignoring U.S. privacy laws.
Allow foreign police to collect someone's data without notifying them about it.
Empower U.S. police to grab any data, regardless if it's a U.S. person's or not, no matter where it is stored.
And, as we wrote before, this is how the CLOUD Act could work in practice:
London investigators want the private Slack messages of a Londoner they suspect of bank fraud. The London police could go directly to Slack, a U.S. company, to request and collect those messages. The London police would not necessarily need prior judicial review for this request. The London police would not be required to notify U.S. law enforcement about this request. The London police would not need a probable cause warrant for this collection.
Predictably, in this request, the London police might also collect Slack messages written by U.S. persons communicating with the Londoner suspected of bank fraud. Those messages could be read, stored, and potentially shared, all without the U.S. person knowing about it. Those messages, if shared with U.S. law enforcement, could be used to criminally charge the U.S. person in a U.S. court, even though a warrant was never issued.
This bill has large privacy implications both in the U.S. and abroad. It was never given the attention it deserved in Congress.