Wyden: Untested Government Mass Hacking Techniques Threaten Digital Security, Critical Infrastructure
At Open Technology Institute, Wyden Warns Against Massive Expansion of Government Surveillance and Hacking Power; Calls on Congress to Block Rule 41
Washington, D.C. – Speaking at the Open Technology Institute today, Sen. Ron Wyden, D-Ore., warned that proposed changes to expand government hacking and surveillance powers pose a dangerous threat to the security of power plants and other critical infrastructure connected to the internet, as well as Americans’ digital devices.
“Our PCs aren’t the only devices connected to the internet. Factories, power plants, transportation grids and all kinds of critical infrastructure can be accessed online. If untested, sloppy hacking techniques are unleashed by the FBI on a broad scale, there’s no telling what kind of damage could result,” Wyden said.
“Nobody can see years into the future to tell us what mass hacking by criminals or by law enforcement will be capable of doing. And if these changes go into effect, there will be no guidelines in place to ensure that the privacy and security of Americans are being protected.”
Wyden, Sen. Rand Paul, R-Ky., and bipartisan senators introduced the Stopping Mass Hacking (SMH) Act in May to protect millions of law-abiding Americans from government hacking. The Stopping Mass Hacking (SMH) Act prevents recently approved changes to Rule 41 from going into effect. The changes would allow the government to get a single warrant to hack an unlimited number of Americans’ computers if their computers had been affected by criminals, possibly without notifying the victims.
Sens. Tammy Baldwin, D-Wis., Steve Daines, R-Mont., and Jon Tester, D-Mont., are original co-sponsors of the Senate bill.
At the request of the Department of Justice (DOJ) the U.S. Federal Courts recommended an administrative change to Rule 41 of the Federal Rules of Criminal Procedure which were approved by the Supreme Court earlier this year.
The amendments to Rule 41 would make it easier for DOJ to obtain warrants for remote electronic searches. The amendments would allow a single judge to issue a single warrant authorizing government hacking of an untold number of devices located anywhere in the world. The amendments would take effect on December 1, 2016 absent Congressional action.
Wyden’s full remarks, as prepared for delivery, are below.
Senator Ron Wyden
Rule 41 Remarks at the Open Technology Institute
June 30, 2016
As Prepared for Delivery
It’s a pleasure for me to be here with you today, and I promise I will keep this a filibuster-free zone this morning so that we can get to our excellent panel.
I know that at this moment, the pending changes to Rule 41 of the Federal Rules of Criminal Procedure are not exactly dinner table conversation in homes across America. But let’s recognize that Rule 41 is now at the center of a major, ongoing debate about security in this country.
It is a dangerous world out there, and Americans face real threats from people who do not wish us well. Those of us who serve on the Senate Intelligence Committee are acutely aware of that fact. The attacks in Orlando, San Bernardino and now Istanbul are stark reminders. And I take a back seat to nobody when it comes to making sure that our law enforcement and intelligence officers have the tools they need to keep Americans safe.
Right now, Americans are looking for security and liberty, but these changes to rule 41 don’t get you much of either. This would be a massive expansion of government hacking, jeopardizing our liberty. There’s no telling what kind of impact secretive government malware could have on our devices or the networks that run our hospitals, electrical grids, and transportation systems. There’s a danger these Rule 41 changes leave Americans even more exposed to threats -- not less.
Now in my view, in order to have a complete discussion about the importance of this issue, you have to look at the broader context. So I’d like to begin there before getting into the weeds.
Before our lives went online, individual Americans were protected by the limits of technology. You were the keeper of your personal information – your bank statements, your tax returns, your health records, your photo albums. Places you visited, who you talked to, and what you said. Information you sought out and shared with others. If the government wanted to collect that information, law enforcement typically had to get a warrant, and in most cases, you were notified of what was happening. If thieves wanted to steal from you, they smashed a window and took your TV.
Today is different. Our lives are lived online. Much of our most private information is stored somewhere in the cloud. Electronic devices track our movements and our conversations. The kind of information you share and search for on the internet can paint a startlingly accurate picture of who you are and what your life is like on a day to day basis. The old reality, which went a long way to protecting the security of your family and your personal information, no longer exists. Today a thief can do a lot worse than steal your stuff - they can take control of your bank account or your whole online identity, and you might not even know you’ve been robbed.
The choice Americans have today is between less security and more security.
That brings me to Rule 41. A few months ago, at the behest of the Department of Justice, the Supreme Court approved changes to the rule that governs search and seizure. If you’ll bear with me, here’s how the changes break down.
First, even when law enforcement doesn’t know the location of a device it wants to search, whether it’s in this country or abroad, it will be allowed to hack into that device.
Second, law enforcement will be allowed to access to any device that a suspected hacker is believed to have broken into. Let’s focus on the implications of this proposition for a moment. This rule change says the government can search potentially millions of computers with one single warrant issued by one single judge. There is no difference, in terms of law enforcement access, between the victims of a hack and the perpetrator himself. If your computer or phone has been hacked by a bad guy, the government can get a green light to break into it, plant malware and collect information. Your security and your privacy are afterthoughts.
To me, this is a real head-scratcher. In my view, no law should authorize the government to penalize victims of hacking, making them victims twice over. You wouldn’t punish the victims of a tax scam or a Ponzi scheme with a painful audit.
Furthermore, under these changes, law enforcement is required to make only “reasonable efforts” to notify people that their devices were searched. Dr. Bellovin and our panel can dive into this issue deeper than I will today. But to me, it raises big questions. What constitutes a reasonable effort? Is it a letter or an email or a pop-up notification that says “I’m from the government, I’ve hacked your computer, and I’m here to help”?
What happens if the government breaks into someone’s computer and is then unable to notify them? And what’s to stop a criminal from abusing the system, creating fraudulent notification letters or emails, and stealing data belonging to individual Americans?
In my view, these rule changes leave too much ambiguity and create too many unknowns. When law enforcement sets out on one of these mass hacks, chances are they won’t know anything about the devices they’re breaking into other than potentially their IP addresses. I’ll leave it to the experts to get into the details of what can happen as a result of these mass hacks. But in short, there’s no way to know for sure how a device belonging to a typical American – somebody who’s done nothing wrong – will be affected by the government hack. It might turn off protections and leave the door open to other attackers. It could break your computer, or worse.
Let’s remember, our PCs aren’t the only devices connected to the internet. Factories, power plants, transportation grids and all kinds of critical infrastructure can be accessed online. If untested, sloppy hacking techniques are unleashed by the FBI on a broad scale, there’s no telling what kind of damage could result.
Nobody can see years into the future to tell us what mass hacking by criminals or by law enforcement will be capable of doing. And if these changes go into effect, there will be no guidelines in place to ensure that the privacy and security of Americans are being protected.
In my view, the limits of search and seizure are unquestionably an issue for Congress to debate. The Justice Department should not have the power to change the practical meaning of the fourth amendment without the public’s elected leaders weighing in.
I mentioned earlier that Rule 41 of the Federal Rules of Criminal Procedure may not exactly be dinner-table conversation across America. But here’s what I know to be true – just about everybody in this country uses a computer, a smartphone, or a tablet on a regular basis. And when you’re talking about incredibly sensitive personal information – your finances, your health records, your travel, your texts, your emails – Americans want to be protected.
Again and again, these attempts to curb privacy, to weaken security, and infringe on liberty in our digital lives are coming up. Again and again, nobody gives us a chance to stop them. But Americans are starting to hear us. Secret mass surveillance was proven to be a loser. The crusade to undermine strong encryption, I believe, has proven to be a loser. And the Senate scored a win last week when it said the FBI couldn’t hoover up email metadata and browser histories without a court order.
Too often, the scale of these massive proposals is downplayed to make them easier to sneak by. Undermining encryption for millions of Americans’ devices – you’re told it’s all about one phone in San Bernardino. Broad new unprecedented access to browsing histories, chat logs, and email records without getting warrants – it’s just fixing a typo. A huge expansion of government hacking – it’s just an update to a procedural rule.
In order to stop these Rule 41 changes from going into effect on December 1st, we are all going to have to keep beating the drum for more security as loudly as we can.
Last month, I introduced the Stopping Mass Hacking Act, a bipartisan bill co-sponsored by my colleagues Senator Paul from Kentucky, Senator Baldwin from Wisconsin, and Senators Daines and Tester from Montana. It’s a very simple bill – it’s just one line. It says the changes to Rule 41 shall not go into effect. There is already a bipartisan companion bill in the House. We’re going to need your support to get it passed.
If you flipped the script on Rule 41, and Congress had to take a proactive vote on whether to green-light these troubling rule changes, I don’t think there’s any way they’d make it through. But the challenge we’re facing is much tougher. Inaction is easy, and December will be here before you know it. So forget that the election and the conventions are eating up headlines. Forget that there aren’t many legislative days on the calendar to spare. We’ve got to get Congress to act by December 1st.
Thank you again for having me here today. I’ll turn it over to our fantastic panel.
Next Article Previous Article