Washington is coming for your personal data

Little-noticed change to judicial rules gives the FBI greater powers to conduct remote searches, and the 'zombie bill' CISA is on the fast track to a Senate vote

zombie businessman ts3
Credit: Thinkstock

To judge by recent events in Washington, the already massive scale of surveillance is not enough. In order to keep us safe, the government believes it needs greater access to our computers, even if that means steamrolling over privacy -- and constitutional -- concerns.

Most recently, a little-noticed change to judicial rules would give the FBI greater powers to conduct remote searches, and CISA (Cybersecurity Information Sharing Act) -- the "zombie bill" that refuses to stay dead -- breezed through a committee vote in the Senate. PCNA (Protecting Cyber Networks Act), a companion bill in the House, unanimously passed committee on Thursday..

The Department of Justice set in motion a proposal to change Rule 41 of Civil Procedure, which governs how judges issue search warrants on electronic devices. Under the updated rule, the FBI could obtain blanket warrants entitling it to remotely examine computers located anywhere, without specific justification and without being required to give users notice of its searches. The current rule lets judges approve warrants only for specific material within their judicial district.

The FBI wants expanded authority to infiltrate computer networks and install tracking software. But privacy groups -- and others vested in Fourth Amendment constitutional rights -- are opposed to the change.

"The rule itself would be an acknowledgement that remote access searches are valid without notice, without special justification," Alan Butler, general counsel for the Electronic Privacy Information Center, told Gizmodo. "Notice is one of the essential procedural protections of the Fourth Amendment. Validating a rule that implies that notice will never happen does not comport with the Fourth Amendment." 

Google also came out against the proposed change, saying it "could have profound implications for the privacy rights and security interests of everyone who uses the Internet." Because the new rule does not define the circumstances and conditions under which a remote search could be undertaken, "it carries with it the specter of government hacking without any Congressional debate or democratic policymaking process," Google said.

The tech giant asserted that the new rule could be used not only in botnet investigations, but could affect any business that works with a VPN to keep users' information secure. Because a VPN can obscure the actual location of a network, Google said, it could be subject to a remote search warrant under the new rule, where it would not have been otherwise.

"The Advisory Committee is entertaining a dramatic change to electronic surveillance rules. Congress is the proper body to determine whether such changes are warranted, and we urge the Committee to respect Congress' traditional role in prescribing the substantive rules governing electronic surveillance," Google concluded.

The DOJ's Deputy Assistant Attorney General David Bitkower issued a rebuttal to Google's claims, stating that because warrants for remote searches are issued under the federal rules in question, Congressional approval was unnecessary. 

But Hanni Fakhoury, staff counsel for the Electronic Frontier Foundation, disagreed, telling Gizmodo, "Basically, we think this is a substantive legal change masquerading as a mere procedural rule change. The government is essentially pushing for approval of the idea that it should have the power to deploy malware and execute remote searches. To us, it seems like that's a decision Congress should make."

Congress, meanwhile, is already busy resurrecting its own take on the spying game: CISA, which encourages data collecting and sharing between private companies and government agencies to prevent cyber attacks. In a closed-door session, the Senate Intelligence Committee this month approved the bill by a 14-to-1 vote, with Senator Ron Wyden (D-Ore.) the lone holdout because the bill "does not include adequate privacy protections." Wyden called CISA simply a "surveillance bill by another name."

Other names for it are CISPA 3.0 or CISA 2.0, as the same cyber-security-cum-surveillance bill has been repeatedly cycled through Congress since 2011. Last year, CISA failed to reach the Senate floor for a vote after being denounced by civil liberties groups. But Committee Chairman Richard Burr (R-N.C.) told The Hill that he expects this CISA bill to be "expedited" for a floor vote, perhaps as early as April.

PCNA,  the near mirror-image bill that the House Intelligence Committee passed this week, is even more amenable to surveillance, critics say. PCNA allows the collection of data "to investigate a lot of crimes that may not even be happening imminently or threatening anyone’s life," said Open Technology Institute policy counsel Robyn Greene. "The Protecting Cyber Networks Act would explicitly undermine every rule that is currently in place to protect Americans' Internet privacy, and replaces them with dangerously weak protections." 

The White House promised to veto CISA when in surfaced last year, but Sen. Diane Feinstein (D-Calif.) believes President Obama will come around to the new bill, which could make it easier to go after whistleblowers -- a cause dear to the administration's heart. "I see CISA as another attempt at expanding all the powers that the government already has," former NSA whistleblower J. Kirk Wiebe told Dissent NewsWire.

Supporters of the bill say CISA is needed to combat data breaches in the wake of recent hacks against companies from Sony to Home Depot. But opponents argue its true mission is to make it easier for government, hand-in-glove with corporations, to spy on Internet users and eavesdrop on communications.

CISA would grant companies wide immunity from prosecution -- trumping privacy laws like the Electronic Communication Privacy Act of 1986 and the Privacy Act of 1974, for example -- and provide zero incentive not to overshare personal information. As TechCrunch noted, "If corporations are legally protected when they share data into the government, where does the individual user look for recourse?"

All that information sent to the DHS would automatically be shared with the NSA, the Department of Defense, and the Director of National Intelligence. "Given what we know of intelligence agencies' willingness to stretch every privacy law to its limits, CISA could potentially authorize a staggering amount of new surveillance," Evan Greer, the campaign director for privacy advocacy group Fight for the Future, told Gizmodo.

The Center for Democracy & Technology sent a letter to members of the Senate, signed by a long list of security experts and privacy advocates, outlining their objections to CISA. Internet users are also urged to let Congress know -- again -- that they find these kinds of privacy-trampling, vaguely worded, loophole-laden legislation unacceptable.

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.