The EEF is a campaign group supporting people's rights in the digital world. The group writes:
The US government hacking into phones and seizing computers remotely? It's not the plot of a dystopian blockbuster summer movie. It's a
proposal from an obscure committee that proposes changes to court procedures--and if we do nothing, it will go into effect in December.
The proposal comes from the advisory committee on criminal rules for the Judicial Conference
of the United States. The amendment would update Rule 41 of the Federal Rules of Criminal Procedure, creating a sweeping expansion of law
enforcement's ability to engage in hacking and surveillance. The Supreme Court just passed the proposal to Congress, which has until December 1 to disavow the change or it becomes the rule governing every federal court across the country. This is part of
a statutory process through which federal courts may create new procedural rules, after giving public notice and allowing time for comment, under a "rules enabling act." 1
The Federal Rules of Criminal Procedure set the
ground rules for federal criminal prosecutions. The rules cover everything from correcting clerical errors in a judgment to which holidays a court will be closed on --all the day-to-day procedural details that come with running a judicial system.
The key word here is "procedural." By law, the rules and proposals are supposed to be procedural and must not change substantive rights. But the amendment to Rule 41 isn't procedural at all. It creates new avenues for
government hacking that were never approved by Congress.
The proposal would grant a judge the ability to issue a warrant to remotely access, search, seize, or copy data when the district where the media or information is
located has been concealed through technological means or when the media are on protected computers that have been damaged without authorization and are located in five or more districts. It would grant this authority to any judge in any
district where activities related to the crime may have occurred.
To understand all the implications of this rule change, let's break this into two segments.
The first part of this change would grant
authority to practically any judge to issue a search warrant to remotely access, seize, or copy data relevant to a crime when a computer was using privacy-protective tools to safeguard one's location. Many different commonly used tools might fall into
this category. For example, people who use Tor, folks running a Tor node, or people using a VPN would certainly be implicated. It might also extend to people who deny access to location data for smartphone apps because they don't feel like sharing their
location with ad networks. It could even include individuals who change the country setting in an online service, like folks who change the country settings of their Twitter profile in order to read uncensored Tweets.
countless reasons people may want to use technology to shield their privacy. From journalists communicating with sources to victims of domestic violence seeking information on legal services, people worldwide depend on privacy tools for both safety and
security. Millions of people who have nothing in particular to hide may also choose to use privacy tools just because they're concerned about government surveillance of the Internet, or because they don't like leaving a data trail around haphazardly.
If this rule change is not stopped, anyone who is using any technological means to safeguard their location privacy could find themselves suddenly in the jurisdiction of a prosecutor-friendly or technically-na´ve judge, anywhere in
The second part of the proposal is just as concerning. It would grant authorization to a judge to issue a search warrant for hacking, seizing, or otherwise infiltrating computers that may be part of a botnet . This
means victims of malware could find themselves doubly infiltrated: their computers infected with malware and used to contribute to a botnet, and then government agents given free rein to remotely access their computers as part of the investigation. Even
with the best of intentions, a government agent could well cause as much or even more harm to a computer through remote access than the malware that originally infected the computer. Malicious actors may even be able to hijack the malware the government
uses to infiltrate botnets, because the government often doesn't design its malware securely . Government access to the computers of botnet victims also raises serious privacy concerns, as a wide range of sensitive, unrelated personal data could well be
accessed during the investigation. This is a dangerous expansion of powers, and not something to be granted without any public debate on the topic.
Make no mistake: the Rule 41 proposal implicates people well beyond U.S. borders.
This update expands the jurisdiction of judges to cover any computer user in the world who is using technology to protect their location privacy or is unwittingly part of a botnet. People both inside and outside of the United States should be equally
concerned about this proposal.
The change to Rule 41 isn't merely a procedural update. It significantly expands the hacking capabilities of the United States government without any discussion or public debate by elected officials.
If members of the intelligence community believe these tools are necessary to advancing their investigations, then this is not the path forward. Only elected members of Congress should be writing laws, and they should be doing so in a matter that
considers the privacy, security, and civil liberties of people impacted.
Rule 41 seeks to sidestep the legislative process while making sweeping sacrifices in our security. Congress should reject the proposal completely.
Unless someone makes a challenge in Congress, new enhance snooping powers have been decreed for the US authorities.
Extra spying powers are set to be granted by Congressional inaction over an update to Rule 41 of the Federal Rules of Criminal
Procedure. These changes will kick in on December 1.
The rule tweak, which was cleared by the Supreme Court in April, will allow the FBI to apply for a warrant to a nearby US judge to hack any suspect that's using Tor, a VPN, or some other
anonymizing software to hide their whereabouts, in order to find the target's true location.
Normally, if agents want to hack a PC, they have to ask a judge for a warrant in the jurisdiction where the machine is located. This is tricky if the
location is obscured by technology. With the changes to Rule 41 in place, investigators can get a warrant from any handy judge to deploy malware to find out where the suspect is based -- which could be anywhere in America or the world.
change also allows the authorities to just obtain one warrant in case that cross multiple jurisdictions.
The House of Representatives cast a deeply disappointing vote today to extend NSA spying powers for the next six years by a 256-164 margin. In a related vote, the House also failed to adopt meaningful reforms on how the government sweeps up large swaths
of data that predictably include Americans' communications.
Because of these votes, broad NSA surveillance of the Internet will likely continue, and the government will still have access to Americans' emails, chat logs, and
browsing history without a warrant. Because of these votes, this surveillance will continue to operate in a dark corner, routinely violating the Fourth Amendment and other core constitutional protections.
This is a disappointment
to EFF and all our supporters who, for weeks, have spoken to defend privacy. And this is a disappointment for the dozens of Congress members who have tried to rein NSA surveillance in, asking that the intelligence community merely follow the
Today's House vote concerned S. 139, a bill to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA), a powerful surveillance authority the NSA relies on to sweep up countless Americans' electronic
communications. EFF vehemently opposed S. 139 for its failure to enact true reform of Section 702.
As passed by the House today, the bill:
Endorses nearly all warrantless searches of databases containing Americans' communications collected under Section 702.
Provides a narrow and seemingly useless warrant requirement that applies only for
searches in some later-stage criminal investigations, a circumstance which the FBI itself has said almost never happens.
Allows for the restarting of "about" collection, an invasive type of surveillance that the NSA
ended last year after being criticized by the Foreign Intelligence Surveillance Court for privacy violations.
Sunsets in six years, delaying Congress' best opportunity to debate the limits NSA surveillance.
Sadly, the House's approval of S. 139
was its second failure today. The first was in the House's inability to pass an amendment--through a 183-233 vote--that would have replaced the text of S. 139 with the text of the USA Rights Act, a bill that EFF is proud to support. You can
read about that bill here .
The amendment to replace the text of S. 139 with the USA Rights Act was
introduced by Reps. Justin Amash (R-MI) and Zoe Lofgren (D-CA) and included more than 40 cosponsors from sides of the aisle. Its defeat came from both Republicans and Democrats.
S. 139 now heads to the Senate, which we expect to
vote by January 19. The Senate has already considered stronger bills to rein in NSA surveillance, and we call on the Senate to
reject this terrible bill coming out of the House.
This week, Senators Hatch, Graham, Coons, and Whitehouse introduced a bill that diminishes the data privacy of people around the world.
The Clarifying Overseas Use of Data (
CLOUD ) Act expands American and foreign law enforcement's ability to target and access people's data
across international borders in two ways. First, the bill creates an explicit provision for U.S. law enforcement (from a local police department to federal agents in Immigration and Customs Enforcement) to access "the contents of a wire or
electronic communication and any record or other information" about a person regardless of where they live or where that information is located on the globe. In other words, U.S. police could compel a service provider--like Google, Facebook, or
Snapchat--to hand over a user's content and metadata, even if it is stored in a foreign country, without following that foreign country's privacy laws.
Second, the bill would allow the President to enter into "executive
agreements" with foreign governments that would allow each government to acquire users' data stored in the other country, without following each other's privacy laws.
For example, because U.S.-based companies host and carry
much of the world's Internet traffic, a foreign country that enters one of these executive agreements with the U.S. to could potentially wiretap people located anywhere on the globe (so long as the target of the wiretap is not a U.S. person or located in
the United States) without the procedural safeguards of U.S. law typically given to data stored in the United States, such as a warrant, or even notice to the U.S. government. This is an enormous erosion of current data privacy laws.
This bill would also moot legal proceedings now before the U.S. Supreme Court. In the spring, the Court will decide whether or not current U.S. data privacy laws allow U.S. law enforcement to serve warrants for information stored
outside the United States. The case, United States v. Microsoft (often called "Microsoft Ireland"), also calls into
question principles of international law, such as respect for other countries territorial boundaries and their rule of law.
Notably, this bill would expand law enforcement access to private email and other online content, yet the
Email Privacy Act , which would create a warrant-for-content requirement, has still not passed the Senate, even though it has enjoyed
unanimous support in the House for the past
two years .
The CLOUD Act and the US-UK Agreement
Act's proposed language is not new. In 2016, the Department of Justice first proposed legislation that would
enable the executive branch to enter into bilateral agreements with foreign governments to allow those foreign governments direct access to U.S. companies and U.S. stored data. Ellen Nakashima at the Washington Post
broke the story that these agreements (the first iteration has already been negotiated with the United Kingdom) would enable foreign governments to wiretap any communication in the United States, so long as the target is not a U.S. person. In
2017 , the Justice Department re-submitted the bill for Congressional review, but added a few changes: this time including broad
language to allow the extraterritorial application of U.S. warrants outside the boundaries of the United States.
In September 2017, EFF, with a coalition of 20 other privacy advocates, sent a
letter to Congress opposing the Justice Department's revamped bill.
The executive agreement language in
the CLOUD Act is nearly identical to the language in the DOJ's 2017 bill. None of EFF's concerns have been addressed. The
Includes a weak standard for review that does not rise to the protections of the warrant requirement under the 4th Amendment.
Fails to require foreign law enforcement to seek individualized and prior
Grants real-time access and interception to foreign law enforcement without requiring the heightened warrant standards that U.S. police have to adhere to under the Wiretap Act.
Fails to place adequate limits on the category and severity of crimes for this type of agreement.
Fails to require notice on any level -- to the person targeted, to the country where the person resides, and to the country where the data is stored. (Under a separate provision regarding U.S. law enforcement extraterritorial
orders, the bill allows companies to give notice to the foreign countries where data is stored, but there is no parallel provision for company-to-country notice when foreign police seek data stored in the United States.)
The CLOUD Act also creates an unfair two-tier system. Foreign nations operating under executive agreements are subject to minimization and sharing rules when handling data belonging to U.S. citizens, lawful permanent residents, and
corporations. But these privacy rules do not extend to someone born in another country and living in the United States on a temporary visa or without documentation. This denial of privacy rights is unlike other U.S. privacy laws. For instance, the
Stored Communications Act protects all members of the "public" from the unlawful disclosure of their personal communications.
An Expansion of U.S. Law Enforcement Capabilities
The CLOUD Act would give unlimited jurisdiction to U.S. law enforcement over any data controlled by a service provider, regardless of where the data is stored and who
created it. This applies to content, metadata, and subscriber information -- meaning private messages and account details could be up for grabs. The breadth of such unilateral extraterritorial access creates a dangerous precedent for other countries who
may want to access information stored outside their own borders, including data stored in the United States.
EFF argued on this basis (among others) against unilateral U.S. law enforcement access to cross-border data, in our
Supreme Court amicus brief in the Microsoft Ireland case.
When data crosses international
borders, U.S. technology companies can find themselves caught in the middle between the conflicting data laws of different nations: one nation might use its criminal investigation laws to demand data located beyond its borders, yet that same disclosure
might violate the data privacy laws of the nation that hosts that data. Thus, U.S. technology companies lobbied for and received provisions in the CLOUD Act allowing them to move to quash or modify U.S. law enforcement orders for extraterritorial data.
The tech companies can quash a U.S. order when the order does not target a U.S. person and might conflict with a foreign government's laws. To do so, the company must object within 14 days, and undergo a complex "comity" analysis -- a procedure
where a U.S. court must balance the competing interests of the U.S. and foreign governments.
Failure to Support Mutual Assistance
Of course, there is another way to protect technology companies from
this dilemma, which would also protect the privacy of technology users around the world: strengthen the existing international system of Mutual Legal Assistance Treaties (MLATs). This system allows police who need data stored abroad to obtain the data
through the assistance of the nation that hosts the data. The MLAT system encourages international cooperation.
It also advances data privacy. When foreign police seek data stored in the U.S., the MLAT system requires them to
adhere to the Fourth Amendment's warrant requirements. And when U.S. police seek data stored abroad, it requires them to follow the data privacy rules where the data is stored, which may include important "
necessary and proportionate " standards. Technology users are most protected when police, in the pursuit of cross-border data, must satisfy the privacy
standards of both countries.
While there are concerns from law enforcement that the MLAT system has become too slow, those concerns should be addressed with improved resources, training, and streamlining.
The CLOUD Act raises dire implications for the international community, especially as the
Council of Europe is beginning a process to review the MLAT system that has been supported for the last two
decades by the Budapest Convention. Although Senator Hatch has in the past introduced legislation that would support the MLAT system, this new
legislation fails to include any provisions that would increase resources for the U.S. Department of Justice to tackle its backlog of MLAT requests, or otherwise improve the MLAT system.
A growing chorus of privacy groups in the
United States opposes the CLOUD Act's broad expansion of U.S. and foreign law enforcement's unilateral powers over cross-border data. For example, Sharon Bradford Franklin of
OTI (and the former executive director of the U.S. Privacy and Civil Liberties Oversight Board) objects that the CLOUD Act will move law
enforcement access capabilities "in the wrong direction, by sacrificing digital rights." CDT and
Access Now also oppose the bill.
major U.S. technology companies and legal scholars support the legislation. But, to set the
record straight, the CLOUD Act is not a " good start ." Nor does it do a "
remarkable job of balancing these interests in ways that promise long-term gains in both privacy and security." Rather,
the legislation reduces protections for the personal privacy of technology users in an attempt to mollify tensions between law enforcement and U.S. technology companies.
Legislation to protect the privacy of technology users from
government snooping has long been overdue in the United States. But the CLOUD Act does the opposite, and privileges law enforcement at the expense of people's privacy. EFF strongly opposes the bill. Now is the time to strengthen the MLAT system, not
US Congress passes an unscrutinised bill to allow foreign countries to snoop on US internet connections, presumably so that GCHQ can pass the data back to the US, so evading a US ban on US snooping on US citizens
On Thursday, the US House approved the omnibus government spending bill, with the unscrutinised CLOUD Act attached, in a 256-167 vote. The Senate followed up late that night with a 65-32 vote in favor. All the bill requires now is the president's
U.S. and foreign police will have new mechanisms to seize data across the globe. Because of this failure, your private emails, your online chats, your Facebook, Google, Flickr photos, your Snapchat videos, your private
lives online, your moments shared digitally between only those you trust, will be open to foreign law enforcement without a warrant and with few restrictions on using and sharing your information. Because of this failure, U.S. laws will be bypassed on
As we wrote before, the CLOUD Act is a far-reaching, privacy-upending piece of legislation that will:
Enable foreign police to collect and wiretap people's communications from U.S. companies,
without obtaining a U.S. warrant.Allow foreign nations to demand personal data stored in the United States, without prior review by a judge.Allow the U.S. president to enter executive agreements that empower police in foreign nations that have weaker
privacy laws than the United States to seize data in the United States while ignoring U.S. privacy laws.Allow foreign police to collect someone's data without notifying them about it.Empower U.S. police to grab any data, regardless if it's a U.S.
person's or not, no matter where it is stored.
And, as we wrote before, this is how the CLOUD Act could work in practice:
London investigators want the private Slack messages of a Londoner they suspect of
bank fraud. The London police could go directly to Slack, a U.S. company, to request and collect those messages. The London police would not necessarily need prior judicial review for this request. The London police would not be required to notify U.S.
law enforcement about this request. The London police would not need a probable cause warrant for this collection.
Predictably, in this request, the London police might also collect Slack messages written by U.S. persons
communicating with the Londoner suspected of bank fraud. Those messages could be read, stored, and potentially shared, all without the U.S. person knowing about it. Those messages, if shared with U.S. law enforcement, could be used to criminally charge
the U.S. person in a U.S. court, even though a warrant was never issued.
This bill has large privacy implications both in the U.S. and abroad. It was never given the attention it deserved in Congress.