Trust in Big Brother?

Everywhere I turn these days, I find plenty of bewildering bills and proposals related to privacy, security, and encryption from congressmen, senators, assemblymen and politicians of various colors who are in the business of introducing legislation in the U.S., EU, and other countries. Yet, I had to stand up and take notice when the United States Supreme Court made an update to a ruling (Rule 41) in late April that had the effect of allowing U.S. law enforcement agencies such as the FBI to expand their ability and scope when it comes to hacking into computers regardless of their location. Since the ruling would expand the powers of law enforcement, the U.S. Congress still needs to approve it before it becomes law. If other countries haven’t already approved such legislation formally, they can now point to a compelling precedent – assuming they even bother with the whole political conversation.

Prior to this ruling, federal judges in the U.S. could only issue warrants for subject matters within their own jurisdiction, say one or more states within the U.S. This ruling eradicates any lines of jurisdiction and allows any federal judge to issue a warrant to search computers and electronic devices and to conduct remote surveillance anywhere in the world. It appears that such warrants would be agnostic to the location of the information. One cybersecurity researcher characterized the ruling succinctly:

“Why should the rule be ‘You can hack a computer with a warrant if you know where it is but not when you don’t?’”

While the reasons for this ruling have legitimate roots in criminal law enforcement, one has to wonder how this helps anyone promote individual civil rights or the privacy of businesses and commercial interests; it potentially looks like sanctioned government hacking with little regulation.

Why should the average person or business care? Cybercriminals conduct their activities using malware and other means to take over computers of people and businesses who have no clue that they’ve been hacked. The new ruling gives a law enforcement agency conducting an investigation the ability, with a single warrant, to hack and search at once thousands or millions of computers and devices suspected of having any part in a cybercrime network. Yet, the vast majority of these computers and devices would belong to people or businesses who have not committed any crime.

What’s the upshot? While we have a multitude of tools for access control, intrusion detection, shadow service discovery, forensics, and reporting against all manner of breaches, their collective effectiveness may not amount to much in the face of advanced nation-state hacking techniques or legislated backdoors. The only reliable method of mitigating jurisdictional over-reach by any nation-state is to actively secure the data itself with strong encryption and keep the keys to yourself – and only to yourself. This was true two decades ago and is still true today.

Ahmet Tuncay