In late April, the Electronic Frontier Foundation wrote about the proposed amendments to Rule 41, ending their post with:
“Rule 41 seeks to sidestep the legislative process while making sweeping sacrifices in our security. Congress should reject the proposal completely.”
Unfortunately, that didn’t happen, and several amendments to Rule 41 came into effect on December 1st. Those keeping up with the discussion surrounding the controversial change were left more than a little upset, but at this point, it seems that the Congress has made up its mind.
What is Rule 41?
If this is your first time hearing about Rule 41, you’re probably wondering about what it actually is. As the name suggests, Rule 41 is one of 61 Rules of Criminal Procedure in the United States and has been around for nearly 80 years.
The rule deals with the scope and limitation of search and seizure protocols in the United States. Based on that information alone you can probably already guess where this is going.
Today, Congress passed a very dangerous amendment to the legislature, which ultimately gives the US government overreaching surveillance powers. Now, let’s not kid ourselves – the fact that government agencies have the ability to spy on their citizens isn’t much of a surprise (especially in the wake of Snowden leaks), this amendment will make some of those abilities legal.
Rule 41 greatly expands the government’s search powers, and allows for remote hacking and seizing of personal computers and smartphones. Though there is no debate that the new powers will enable law enforcement agencies to fight cyber crime more efficiently, security experts and privacy advocates agree that it’s a double-edged sword.
Today’s change allows a magistrate judge to authorize the remote search and seizure of personal computer data in any district if the crime related data (or information) is “concealed through technological means,” “located in five or more districts,” or stored on computers that “have been damaged without authorization.” In short – as of December first, virtually any US judge can issue a warrant that will allow law enforcement agencies to hack into a computer or cell phone of anyone that can be linked to the crime in question – more on that later.
Additionally, government agencies will have the power to remotely access and search the computers of anyone using privacy-protective tools such as a VPN or Tor – assuming that they can actually be located and linked back to the crime.
This is where it gets interesting (read: terrifying). Since many of the most secure tools that people use in order to protect themselves online feature a privacy-protection component, their users may fall victim to this new piece of legislature despite not having committed any crime. In order to better understand how objectively innocent people may be trapped by Rule 41, let’s look at an example – Tor.
There are many legitimate reasons for wanting to use Tor – privacy, anonymity, and access to geographically specific content are just a few such examples. Despite not doing anything nefarious, these users’ computers are now fair game for United States’ law enforcement agencies.
Tor is cleverly designed to separate a user’s identity from their IP address by encrypting and routing their request through a vast network of relays (nodes) around the world. While this method does a great job at protecting the identity of each individual user, the traffic needs to move around quite a bit – hopping from user to user, node to node, until eventually reaching the Internet. This spider-web-like nature of Tor is exactly what provides substance for Rule 41.
Since other users can (unbeknownst to them) transmit data relevant to a crime, the entire chain of computers can now be searched with a single warrant. The same idea can be applied to VPN or anything else that may spoof your real IP address.
While this controversial amendment paints a very bleak picture of what lies ahead, the EFF remains hopeful. Their spokesperson stated that despite passing the bill, Congress will be able to change or reverse the decision after it goes into effect.
Though it’s good to hold on to any remaining glimmer of hope, optimism may not be the best response to this gross overreach by the government. If you don’t want to give up your online privacy while maintaining the integrity of your data, make sure to use a VPN. If you’re not sure where to start, check out our detailed guide.