Proposed change to U.S. federal criminal procedure Rule 41 would harm user privacy

Access and EFF urge the Advisory Committee on Criminal Rules to reject a rules change that would give law enforcement more tools to violate computer users’ privacy

Washington, D.C. – Today Amie Stepanovich, Senior Policy Counsel at Access, testified before the Advisory Committee on Criminal Rules on behalf of Access and the Electronic Frontier Foundation (EFF), urging it to reject changes to Rule 41 of the Federal Rules of Criminal Procedure on the Search and Seizure of electronic data. The proposed changes are substantive, and not procedural, and must be implemented as part of an open and accountable legislative process.

The U.S. Advisory Committee on Criminal Rules is considering an amendment to Rule 41 of the Federal Rules of Criminal Procedure that would substantively expand the instances in which a government could search or seize control of an individual’s computer, no matter where in the world the user was located. The amendment would also remove the requirement to serve physical warrants in these cases, allowing service to be made electronically.

The testimony of Access and EFF focused on one specific part of the amendment that grants law enforcement greater investigative power over unlawful “botnets.” Botnets are created when malware is deployed to link computers, which may number in the millions, back to a central location, from which they can be used and controlled. While the term “botnet” is typically used for unlawful networks, several botnet-like structures are used around the world for positive, lawful activities.

“Unilaterally-adopted rule changes are not the way to approach policies that substantively impact users’ privacy,” said Amie Stepanovich, Senior Policy Counsel at Access. “This proposed amendment would violate not only the privacy rights, as guaranteed under the Fourth Amendment, of those of us in the United States, but also users around the world in contravention of international law,” Stepanovich continued. “Law enforcement cannot use procedural rules to end-run around the legislative process.”

The language of the proposed change is overly broad. The testimony points out that the amendment would permit greater intrusion into victims’ devices as well as computers that are part of lawful botnet-like systems. Law enforcement deserves adequate authority to investigate computer-related crimes, but an appropriate solution, compliant with the U.S. Constitution and international human rights laws, should be found through the legislative process.

The change would greatly expand the current substantive reach of the law, including the Computer Fraud and Abuse Act (CFAA), which is already over-broadly interpreted by the Department of Justice. For example, law enforcement have used the CFAA to prosecute research into website vulnerabilities and violations of website terms-of-service, effectively turning shrinkwrap agreements into criminal code.

Such a modification of the means of conducting investigations is not a procedural but a substantive change. Access supports a statutory solution enacted through the legislative process.