Expanded Government Hacking Powers Need Accompanying Safeguards
When should the government engage in “remote searches” of computers—i.e., government “hacking” to seize, infiltrate and/or search digital devices—and when should it use less invasive investigative methods? Changes to Rule 41 of Federal Rules of Criminal Procedure went into effect on Dec. 1, making it easier than ever for law enforcement to obtain warrants to hack into digital devices but without answering fundamental questions about how to protect individual privacy and security in the face of these sophisticated search techniques. At a time when courts are already struggling to place appropriate limits on law enforcement’s hacking authority, this amendment was a mistake. The changes will have serious consequences for privacy across the board, not just for “bad guys.” They also open the door to “forum shopping” and have effectively allowed an unelected advisory committee—rather than Congress—to expand the government’s hacking capabilities.
The old rule allowed federal magistrate judges to issue warrants to search and seize property located in the judicial districts where they sit, with limited exceptions. The new Rule 41 gets rid of this jurisdictional constraint in two circumstances, allowing magistrates to issues warrants to remotely search digital devices located outside their districts (a) whenever the device’s physical location is “concealed through technological means,” or (b) during an investigation of a botnet involving computers in five or more districts that have been “damaged without authorization” pursuant to the Computer Fraud and Abuse Act. (Botnet, a portmanteau of “robot” and “network,” refers to a network of private computers or devices infected with malicious software and controlled without the owners’ knowledge.)
This expansion is broad. The first provision permits issuance of warrants to access, seize or copy data from computers outside a judge’s district if a computer uses a privacy-protective tool to conceal one’s location—including via some fairly common and lawful tools, such as Tor or VPNs. And because this provision permits hacking when the government doesn’t actually know the device’s location, this provision will inevitably implicate devices and searches located outside the United States—which means the executive branch will be asking magistrates to sign off on activities that could violate international law and the laws of foreign nations, and potentially circumvent the Mutual Legal Assistance Treaty process governing how U.S. law enforcement must pursue access to overseas data, and vice versa.
The second provision allows magistrates to issue warrants to search and infiltrate computers that may be unwittingly part of a botnet—not just computers of those suspected of creating or controlling the botnet. This means innocent third parties, whose computers have already been infected, may have their computers hacked a second time, by their government. The new rule potentially exposes a wide range of third parties’ unrelated, sensitive data to law enforcement—yet it contains no privacy protections. It also raises security concerns; the government’s malware may leave a targeted device vulnerable to further attack or simply work improperly, causing direct, unplanned damage to the device. This provision will implicate all sorts of devices; in the age of the “Internet of Things,” everything from coffee makers to thermostats is being turned into a device vulnerable to hacking.
The rule change also authorizes magistrates to issue a single warrant to hack multiple computers across the country, or even the world. If this raises red flags for you regarding the Fourth Amendment’s particularity requirement, you are not alone.
The new rule also raises forum-shopping concerns. This is already a problem within districts. For instance, Magistrate Judge Stephen Wm. Smith of the Southern District of Texas, known for carefully scrutinizing government applications to seize data, noted during a panel this year that he received “zero” applications during his last two days of criminal duty, while the next judge got an “extra helping.” Under the new rule, this is going to be a problem across districts. Law enforcement can now take their warrant applications to sympathetic or unquestioning districts — more inclined to approve applications — so long as “activities related to the crime may have occurred” there. In the case of botnets, potentially involving millions of computers in every district across the country, this vague language provides no meaningful limit.
If these new powers had been proposed via legislation, the law would not have passed through Congress without significant debate regarding the need for protections. But instead, they were proposed by an advisory committee to the Judicial Conference of the United States as a change to the Federal Rules of Criminal Procedure, which typically sets the day-to-day procedural ground rules for criminal prosecutions, such as court holidays or how to correct clerical errors. They were then passed through the Supreme Court and became law after Congress failed to act. At the eleventh hour, three senators—Ron Wyden (D-Ore.), Steve Daines (R-Mont.) and Chris Coons (D-Del.)—urged the Senate to delay or prevent the changes to avoid, in Daines words, granting “unlimited power for unlimited hacking.” But Sen. John Cornyn (R-Tex.) prevented debate on bills opposing immediate adoption. And on Dec. 1, the new Rule 41 went into effect.
The FBI has used a single warrant to hack into many computers before. The recent Playpen investigation, which resulted in hundreds of criminal prosecutions, involved the largest known hacking operation in U.S. law enforcement history and was conducted via a single warrant. But almost every court to address the question outside the district that issued the warrant found that the warrant violated the old Rule 41. With the rule change, we’ll soon see many more expansive hacking operations—in a wide range of cases. Courts are already struggling to place appropriate limitations on law enforcement hacking, with one court going so far as to hold that a defendant had no “reasonable expectation of privacy” in his personal computer, located inside his home. See United States v. Matish, No. 4:16CR16, 2016 WL 3545776 (E.D. Va. June 23, 2016). In this context, vastly expanding law enforcement’s hacking authority without any accompanying safeguards is the last thing we should be doing.
This op-ed was originally published by the Daily Journal on December 13, 2016 and is reprinted here with permission.