Access Now calls for a rejection of proposed U.S. botnet investigation rule

Today, Access Senior Policy Counsel Amie Stepanovich testified on behalf of Access Now and the Electronic Frontier Foundation (EFF) in front of the U.S. Advisory Committee on Criminal Rules. Her testimony urged the Committee to reject a proposed amendment to Rule 41 of the Federal Rules of Criminal Procedure. The Committee is considering several changes to the Rule that would substantively expand the instances in which a government could search or seize control of an individual’s computer. The amendment would also remove the requirement to serve physical warrants in these cases, allowing service to be made electronically.

In addition to the testimony of Access Now and EFF, the Committee heard from policy and technology experts at the American Civil Liberties Union, the Center for Democracy and Technology, as well as the Electronic Privacy Information Center, New America Foundation’s Open Technology Institute, and University of California, Hastings College of the Law.

Access Now and EFF’s testimony focused on one specific change in the proposed amendment, which is designed to grant law enforcement stronger investigative power over botnets. Botnets are created when malware is deployed to link computers back to a central location. This central “command-and-control” location can be used to manipulate the output of these “zombie” devices. Botnets are often employed, for instance, to effectuate denial-of-service attacks. Botnets can include several million computers – estimates are that the Conficker botnet system infected between nine and fifteen million.

The testimony points out that the amendment would permit greater intrusion into victims’ devices as well as computers that are part of lawful botnet-like systems. Law enforcement deserves adequate authority to investigate computer-related crimes, but this proposed Rule would unduly harm users. The language of the proposed change is overly broad. It covers an investigation into potential crime when damaged computers are “located in five or more districts.” The proposed language covers other, lawful systems, including cloud computing structures, which would be subject to an investigation under the proposed rule if simply infected with a virus.

The Federal Rules of Criminal Procedure, as the name suggests, are procedural rules that govern the implementation of the law. Rules are not supposed to have substantive impact or either grant or restrict user rights. However, despite this the proposed change would greatly expand the current substantive reach of the law, including the Computer Fraud and Abuse Act (CFAA), which is already overbroadly interpreted by the Department of Justice. For example, law enforcement have used the CFAA to prosecute research into website vulnerabilities and violations of website terms-of-service, effectively turning shrinkwrap agreements into criminal code. The relevant sections of the CFAA under the proposed rule were used to aggressively prosecute Aaron Swartz, leading to a subsequent call to reform the law’s scope.

Access Now and EFF are calling on the Committee to reject the proposed rule, effectively an end-run around Congress, and instead to allow the substantive changes of law to occur as part of an accountable and public legislative process. There should be a real, open debate as to whether the change is appropriate and how it fits into the protections provided by the U.S. Constitution and international law.