Posted:
Posted by Richard Salgado, Legal Director, Law Enforcement and Information Security

At the request of the Department of Justice, a little-known body -- the Advisory Committee on the Rules of Criminal Procedure -- is proposing a significant change to procedural rules that could have profound implications for the privacy rights and security interests of everyone who uses the Internet.  Last week, Google filed comments opposing this change.

It starts with the Federal Rule of Criminal Procedure 41, an arcane but important procedural rule on the issuance of search warrants.  Today, Rule 41 prohibits a federal judge from issuing a search warrant outside of the judge’s district, with some exceptions.  The Advisory Committee’s proposed change would significantly expand those exceptions in cases involving computers and networks.  The proposed change would allow the U.S. government to obtain a warrant to conduct “remote access” searches of electronic storage media if the physical location of the media is “concealed through technological means,” or to facilitate botnet investigations in certain circumstances.  

The implications of this expansion of warrant power are significant, and are better addressed by Congress.  

First, in setting aside the traditional limits under Rule 41, the proposed amendment would likely end up being used by U.S. authorities to directly search computers and devices around the world.  Even if the intent of the proposed change is to permit U.S. authorities to obtain a warrant to directly access and retrieve data only from computers and devices within the U.S., there is nothing in the proposed change to Rule 41 that would prevent access to computers and devices worldwide.

The U.S. has many diplomatic arrangements in place with other countries to cooperate in investigations that cross national borders, including Mutual Legal Assistance Treaties (MLATs).  Google supports ongoing efforts to improve cooperation among governments, and we are concerned that the proposed change to Rule 41 could undermine those efforts.  The significant foreign relations issues associated with the proposed change to Rule 41 should be addressed by Congress and the President, not the Advisory Committee.

Second, the proposed change threatens to undermine the privacy rights and computer security of Internet users.  For example, the change would excuse territorial limits on the use of warrants to conduct “remote access” searches where the physical location of the media is “concealed through technological means.”  The proposed change does not define what a “remote search” is or under what circumstances and conditions a remote search can be undertaken; it merely assumes such searches, whatever they may be, are constitutional and otherwise legal.  It carries with it the specter of government hacking without any Congressional debate or democratic policymaking process.  

Likewise, the change seemingly means that the limit on warrants is excused in any instance where a Virtual Private Network (VPN) is set up.  Banks, online retailers, communications providers and other businesses around the world commonly use VPNs to help keep their networks and users’ information secure.  A VPN can obscure the actual location of a network, however, and thus could be subject to a remote search warrant where it would not have been otherwise.   
 
The Advisory Committee is entertaining a dramatic change to electronic surveillance rules.  Congress is the proper body to determine whether such changes are warranted, and we urge the Committee to respect Congress’ traditional role in prescribing the substantive rules governing electronic surveillance.

Posted:
Earlier this week, Leviathan Security released their latest piece of research, called the Value of Cloud Security. This research takes a close look at cloud infrastructure security and how it's impacted by forced data localization. Google commissioned the study and discussed the results with Leviathan, but Leviathan alone is responsible for the analysis and conclusions.


When companies take advantage of cloud services, they get more secure systems as a result. Many countries, however, have proposed laws requiring that companies keep the data of that country’s users within national borders. This idea, known as “data localization,” purports to keep citizen users safer and out of the hands of spying governments and hackers. The report found that forced data localization actually undermines many of the benefits that come from cloud services:


  • Cloud services provide much better resiliency and redundancy than local services in the face of disasters of all sizes, from small transformer explosions that affect 30,000 users up to superstorms the size of Typhoon Haiyan that can interrupt entire countries. If data has to stay in one place by law, that redundancy is lost.
  • Security expertise is in short supply and tends to congregate in large organizations, and sharing what expertise there is benefits everyone. For example, there are currently over a million unfilled security positions open worldwide, and all of the GCHQ-led cybersecurity programs together will graduate just 66 PhDs per year starting in 2017. Small companies that are forced to host their own data will find it hard to compete to hire qualified security engineers.

If policymakers are thinking about the perceived benefits of data localization, they should carefully examine this study and take into account the cybersecurity of their country’s enterprises. You can check out the full studies on Leviathan’s blog.

Posted:
Last summer, students from all over the US and Canada gathered to explore pressing questions at the intersection of technology and policy. Whether working on data security standards at the National Consumers League or innovation economy issues at the R Street Institute, students gained hands-on experience tackling critical technology policy questions.

2015 is just beginning, but these issues show no signs of slowing down. We’re excited to announce the 8th annual Google Policy Fellowship, which connects students interested in emerging technology policy issues with leading nonprofits, think tanks, and advocacy groups.

Applications are open today for North America, and students of all levels and disciplines are welcome to apply before Thursday, March 12th.

This year’s organizations include: 
  • American Association of People with Disabilities
  • American Enterprise Institute
  • American Library Association
  • Center for Democracy and Technology
  • Center for Data Innovation
  • Electronic Frontier Foundation
  • Engine
  • Future of Music Coalition
  • Georgetown Center on Privacy & Technology
  • Global Network Initiative
  • Internet Education Foundation
  • Internet Keep Safe Coalition
  • Mercatus
  • National Consumers League
  • National Hispanic Media Coalition
  • Open Technology Institute, New America Foundation
  • Public Knowledge
  • R Street Institute
  • Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic
  • TechFreedom
  • Technology Policy Institute
  • The Citizen Lab
  • US Hispanic Chamber of Commerce

More fellowship opportunities in Asia, Africa, and Europe will be coming soon. You can learn about the program, application process and host organizations on the Google Public Policy Fellowship website.