In addition to difficult questions concerning the Fourth Amendment, Rule 41, and the limits of government hacking, the Playpen cases raise an important question about the future of digital rights: whether, to what extent, and under what circumstances the government must disclose to criminal defendants how the government carried out its hacking.
In the Playpen cases, the government has provided some information to the accused about how the “network investigative technique,” or “NIT,” operated. But, critically, the government refuses to produce the exploit it used to allegedly take control of suspects' computers.
That refusal—in addition to all the other problems with the Playpen cases—violates the rights of the accused. And, as at least one court has correctly found, the refusal to disclose the exploit to the defense requires suppression of evidence obtained as a result.
At its core, the government's argument is: “You don’t need to know how we got into your computer (the exploit) because it does not change the information that we took from your computer (the private information copied and transmitted by the payload). Just trust us on this.”
Fortunately, criminal defense attorneys and their clients, are not required to take the government at its word, as we explain below.
Defendants' right to access the government’s evidence.
More in this series:
The Story of the FBI’s Unprecedented and Illegal Hacking Operation
Some Fourth Amendment Basics and Law Enforcement Hacking
Rule 41 and Global Hacking Warrants
Why the Warrant to Hack in the Playpen Case Was an Unconstitutional General Warrant
The Constitution and the Federal Rules of Criminal Procedure both require the government to turn over evidence in its possession to those accused of crimes.
Criminal defendants have a constitutional right, rooted in the 5th Amendment's Due Process Clause and the 6th Amendment's Confrontation Clause, to review any exculpatory and impeachment evidence possessed by the prosecution. Exculpatory evidence is evidence that would weigh in favor of excusing, justifying or exonerating the accused. Impeachment evidence is evidence that could be used to contradict or undermine the credibility of the government's case. Withholding this type of evidence violates due process when the evidence is material—either to guilt or to punishment. When a prosecutor receives a specific request for this kind of evidence, failure to produce the requested evidence is punishable by suppression and potential sanctions for prosecutorial misconduct.
Some argue that the government’s failure to disclose the exploit is not a constitutional issue, but a procedural one governed by Rule 16 of the Federal Rules of Criminal Procedure, which provides another vehicle for obtaining evidence for criminal defendants. Rule 16 mandates disclosure of evidence where “the item is within the government’s possession, custody or control and the item is material to preparing the defense.” The issue then comes down to the materiality of the exploit code to the defense.
Evidence is material under Rule 16 as long as there is an indication that it will play a role in uncovering admissible evidence, aiding witness preparation, corroborating testimony, or assessing impeachment or rebuttal. The materiality standard under Rule 16 is broader than constitutional disclosure obligations because “[i]nformation that is not exculpatory or impeaching may still be relevant to developing a possible defense.” For example, evidence can be “material” if it causes a defendant to “completely abandon . . . [a] defense and take an entirely different path.” Ultimately, “criminal defendants should not have to rely solely on the government’s word that further discovery is unnecessary.”
The Government's Excuse: “Serious damage to national security”
Despite the generous Constitutional and statutory mandates for disclosing evidence helpful to the defense in criminal cases, the government continues to hide the exploit from defendants in the Playpen cases. Why? That’s classified. Or, at least, the exploit is.
The government has claimed that disclosing the exploit—even to defense experts with security clearance—could damage national security.
There are plenty of problems with this argument. It’s hard to plausibly justify the threat to national security, especially when defense experts are already cleared to receive classified information and there is no threat of public disclosure. But, even assuming the excuse is legitimate; it doesn’t explain why a tool the government deems necessary to defend national security was used in an otherwise wholly domestic law enforcement prosecution. Criminal prosecutions carry due process requirements, and one of those requirements is the disclosure of material evidence to the defense. If the government is really concerned about maintaining the secrecy of its exploit, then it shouldn’t have used the exploit to pursue domestic investigations and prosecutions. Period.
But even setting those objections aside, courts must grapple with the dilemma of choosing whose interest is more important: an individual’s Constitutional right to due process or the government’s national security interest?
As we’ll explain, the defendant's Constitutional rights trump the government's national security interest here because the exploit is material to the defense, so it must be disclosed.
Practical reasons the defense needs access to the exploit
Let's start by using a helpful analogy, suggested by Susan Hennessey and Nicholas Weaver at Lawfare, to explain why access to the exploit is needed:
The exploit could be likened to opening a window in the owner’s house that the owner believed was locked but which can be removed from the frame. The exploit removes the window and lets the payload in to conduct the search.
With this analogy in mind, it's obvious how the exploit—the method law enforcement used to gain access to the evidence—could affect the accuracy, reliability, and integrity of the information collected, making it material to the defense.
In the context of a criminal trial, for example, if a police officer testified that he had entered a suspect’s home through a window, the defense would be able to confront and cross-examine the officer about when, where, and how he obtained entry. That way, a defendant could test—and a fact-finder, like a judge or jury, could weigh—if the officer’s actions, demeanor, and credibility affected the substance and reliability of his observations.
For example, do we believe the officer when he says he entered the house through a window if the defense can show that the house had no windows? Or did the cop break glass or knock over furniture or otherwise disturb relevant evidence when he removed and then crawled through the window? In the physical world, the defense would have the opportunity to review and test this kind of information.
The same is true for the exploit. Access to the code could yield exculpatory and impeachment evidence, or provide avenues for alternative defenses. For example, if an expert analysis showed that the exploit only worked against Windows PCs, a defendant who exclusively used a Mac OS X could argue that the defendant must have been misidentified.
Overall, the defense’s need for the exploit breaks down into three main categories:
- To ensure the search was not more expansive than the warrant allowed: Access to the exploit will allow the defense to verify that the government’s malware operated in a way that was consistent with the search warrant and that additional information was not seized and transmitted to the FBI or some other party.
- To ensure the integrity of the evidence seized: Access to the exploit allows the defense to verify that the exploit did not cause memory corruptions or other types of alterations to the data seized from a suspect’s computer, potentially resulting in misidentification or corruption of the chain of custody, which could render subsequent searches invalid or the evidence seized inadmissible.
- To allow for the development of alternative defenses based on increased vulnerability to attack: Access to the exploit will allow the defense to understand how the FBI’s malware worked and whether the malware exposed a suspect’s computer to other attacks that could have resulted in the placement of illegal material on the computer.
While some of these scenarios may seem unlikely, remember that evidence is material to the defense even if it allows the defense to assess—and abandon—a defense theory. Moreover, it is ultimately up to the fact-finder in criminal cases—normally a jury—to decide whether a particular alternative defense is plausible or not. The government cannot and must not be allowed to usurp the factfinder's role to decide the issue for the defendant.
And although we may consider some of these scenarios unlikely—like a third-party planting evidence—it is important that the correct precedent governing defense access to evidence be established in government hacking cases at the outset. We do not want a world where the government is permitted to keep evidence secret and then rely on such "secret" evidence to prosecute its citizens.
Because the exploits are material to the defense, the government must disclose them. If the government refuses, there are consequences and, as at least one court has correctly determined, that consequence is suppression of the evidence obtained using the malware. As with all the issues in the Playpen cases, it’s important that we reach the right results now.