On Dec. 1, an amendment to “Rule 41” of the Federal Rules of Criminal Procedure, which regulates legal search and seizure, went into effect. Never heard of Rule 41? That’s no coincidence. The change drastically expands the U.S. government’s hacking powers and was purposefully kept under the radar due to the controversial cybersecurity and online privacy infringements the order allows.

If you’re thinking it can’t be that big of a deal, think again. The passing of Rule 41, with no limitations proposed by Congress, could signify the end of online privacy for not only hackers but victims of hacking as well. Here’s an in-depth look at exactly what Rule 41 entails, why it matters, and the implications it has on the future of cybersecurity and online privacy.

So, What is Rule 41?

Rule 41 softens the legal requirements for obtaining search and seizure warrants. It grants the government remote access to search, seize, and copy data of devices actively hiding their location that are believed to be involved in a crime or have been damaged without authorization AKA hacked through malware.

Rule 41 essentially allows the FBI and other law enforcement agencies to hack anywhere from five to millions of computers or devices across the U.S. with a single warrant. The argument for Rule 41 was to give the government more power to crack down on cyber crimes that are becoming harder and harder to legally identify and successfully prosecute. Specifically, proponents for the change argued it would give the government the ability to target “botnets,” which are networks of devices infected with malware that are then controlled remotely by a hacker.

The Impact on Cybersecurity & Online Privacy

Rule 41 is significant for several reasons, but mostly because of the impact it has on the current and future federal regulation of cybersecurity and online privacy. The ever-evolving tech-driven world we live in today presents new challenges to law enforcement when trying to identify cyber criminals. However, numerous laws are being passed to expand the government’s abilities to target these criminals without the necessary provisions to protect innocent American’s rights to privacy.

With only one search warrant, law enforcement officials will now be able to remotely access devices believed to be involved in a botnet, which means victim’s devices. If your device is infected with malware the government is tracking, they will then hack into your computer using private hacking software shrouded in secrecy and lacking proper independent evaluation.

This extends to business networks as well. So if an employee’s device at your company is infected with malware involved in a criminal investigation, the government won’t even be required to tell you they are remotely accessing that device. Which puts all of your business’ sensitive data at risk without you being aware it’s even happening. As we saw with the Internet outage of 2016, complex cyber attacks can be spread across millions of devices which can easily extend to vulnerable devices at a business, hospital, or school. 

Since the FBI often does not disclose information about the hacking software they use, the private and sensitive data they are remotely accessing on hundreds to millions of devices could then be stolen by criminals co-opting the software for their own purposes. Think that’s just paranoia? It’s not. It’s happened before when the FBI’s digital wiretapping tool Carnivore had weaknesses which allowed hackers to hijack government searches.

Rule 41 presents itself as a way to protect Americans from dangerous hackers and cyber criminals, but it tramples on the rights of innocent Americans in the process and puts U.S. civilians’, businesses’, and organizations’ sensitive data and right to privacy at risk. While this amendment was passed with the intention of finally being able to identify and prosecute the worst cyber criminals, like distributors of online child pornography, it quickly crossed into dangerous territory by allowing the online privacy of innocent Americans to be violated without consent or due cause. Blanket laws like Rule 41, while created with the best intentions, often result in unintended or unimagined consequences and pave the way for similar laws to be passed that further enhance the power of the government and limit the rights of the people. 

In an age where we are just beginning to identify the importance of restrictions on the government’s access to private data and online activity, Rule 41 drastically expands the government’s surveillance powers and delivers a massive blow to the Fourth Amendment which could have repercussions for years, if not decades, to come. 

Looking Ahead

Given President-elect Trump’s comments stating he wanted the power to hack his political opponents throughout the presidential election, Rule 41 might be the first of many new amendments, bills, and laws heralding in an era where online privacy rights as we know them are transformed in the name of law and order.

This possibility presents a significant problem to American business owners that rely on a network of various devices to manage, store, and access sensitive data. A crash resulting from what Rule 41 legally allows the government to do could shut a business down for a few hours to days. Now more than ever businesses must be diligent in protecting their devices and networks from hackers, a group which now includes the government.

If you lack the cybersecurity talent you need to protect your business from these emerging online threats, contact Mondo today. We’ll match you with the specialized cybersecurity professionals your business is missing.