nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Pressure mounts against Rule 41 – the FBI's power to hack Tor, VPN users on sight

Politicians reminded of deadline to halt changes

By Iain Thomson, 21 Jun 2016

The campaign against Rule 41 – which will give cops and Feds in America the power to hack people's computers around the world – has kicked up a gear.

Leaders of the US House of Representatives and Senate got a letter today urging them to block the rule change before it becomes permanent in December.

The proposed legislative tweak, quietly passed by an obscure committee and approved by the Supreme Court in April, would allow a US magistrate judge to grant law enforcement access to any stored data on a computer, phone, or any storage device around the world that was suspected of being "related" to a crime.

The amendment would also grant automatic legal approval for police hacking against those who use technology to conceal "the district where the media or information is located." Tor and VPN users, that means you: by accessing information remotely through an anonymizing or proxy service that hides where the information is truly stored, you'll be fair game to the authorities.

On Tuesday, 50 organizations – including Google, PayPal, the TOR Project, Data Foundry, the rather unfortunately named Hide My Ass VPN, the ACLU and the EFF – urged Congress to block the Rule 41 change, saying it was an undemocratic decision and an issue that elected representatives needed to debate rather than usher in via the backdoor.

"The rule changes attempt to sidestep the legislative process by using a process designed for procedural rules to expand investigatory powers," the open letter reads.

"The changes to Rule 41 will disproportionately undermine the privacy of those who have done the most to protect it. Specifically, the proposal would allow warrants for remote hacking in cases where privacy protective technologies obscure the location of a computer."

Congress didn't vote on Rule 41; the Department of Justice got judicial approval instead, and now Congress has until December 1 to pass legislation that would amend, or block, the rule change. Last month Senators Ron Wyden (D-OR) and Rand Paul (R-KY) tabled the Stopping Mass Hacking (SMH) Act to do just this.

"Like so many other proposals this amendment is a lose-lose: It won’t make our country safer, but it will take away crucial checks and balances that protect our freedom,” Wyden said. "If this proposal passes, FBI agents will be able to demand the records of what websites you look at online, who you email and chat with, and your text message logs, with no judicial oversight whatsoever."

Wyden pointed out that the FBI already has the powers for this kind of access under the Patriot Act, after getting judicial approval. In the event of a security emergency this can be granted weeks after the action by US courts who seldom turn down such applications.

"This isn’t about giving law-enforcement new tools, it’s about the FBI not wanting to do paperwork,” he told The Register in a statement.

The SMH legislation has bipartisan support, but with the US government currently involved in the election cycle it's going to come down to getting Congress motivated. To add pressure the Electronic Frontier Foundation has released embeddable code for website operators to add that makes it easier to petition Congress on its noglobalwarrants.org website.

But it's going to take a lot of public support to get this on legislator's radar. With the US locked in one of the most bizarre election in the country's history (the 1836 contest might give it a run for its money) getting congressional attention to something so seemingly mundane – yet so vital – could be difficult. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing