At a meeting April 7 and 8 in Louisiana, a group of lawyers and academics prepared the rules for when law enforcement is allowed to hack people’s computers for a dramatic, and troubling, expansion. Government hacks – the FBI’s secretly accessing your hard drive, email, webcam, and more – which have unfolded in headlines as a push and pull between privacy-concerned judges and activists and secrecy-obsessed law enforcement, appear poised to see the strict judicial restrictions on their use loosened. As is often the case with wide-reaching changes to the criminal law, the law at issue is not a big-name bill, like the Affordable Care Act, but rather one more closely held to the legal system – here, Rule 41(b) of the Federal Rules of Criminal Procedure.
The Federal Rules are the procedural guidelines for courts, lawyers, and investigators guiding important parts of investigations and trials. They determine, for example, who gets to take a plea, and how, or who gets screwed, and how, by a federal grand jury. Currently, they place limits on warrant authority in addition to constitutional protections and other restrictions, generally requiring that for the FBI to receive a warrant to perform a domestic hack, computers to be infected must be inside the jurisdiction of the court issuing the warrant and must each receive a warrant. This concern for place and emphasis on conservativism in warrant authorizations is one of the many ways a colonial memory abhorring general warrants has refracted into the set of legal protections that, inadequate as they are, provide safeguards on privacy today.
Federal hacking, while not a wholly new phenomenon, is of rising interest in domestic policing. In the past decade, well-publicized domestic instances of law enforcement use of malware have not provided a clear set of standards for the technology’s use, and – typical of questions of police procedure and technology – find transparency at the center of the fight about the operation of the law.
Last year, the debate went into overdrive when Federal Magistrate Judge Steven Smith, of the Southern District of Texas, denied an FBI warrant application to hack a suspect’s computer, and, challenging the normal secrecy that surrounds domestic hacking, rendered the decision publicly.
The order laid bare the FBI’s plans to use quasi-targeted spam email to install a Remote Administration Tool, or RAT, capable of activating the webcam, searching messages and the hard drive and logging location to further a fraud investigation. One of Magistrate Judge Smith’s many reasons for denying the application, in a thoughtful, vitally important opinion, was the fact that the FBI had no idea of where the computer it wanted to hack was, and had no guarantee that the hack or even the search of the contents itself would take place within his authority. Recognizing that malware-aided electronic searches do not “take place in the airy nothing of cyberspace,” he denied the warrant, chiding the agency along the way for the lack of detail it provided about the operations of its hacking units. Magistrate Judge Smith noted, particularly, that video surveillance is known as “a potentially indiscriminate and most intrusive method of surveillance.” Worth remembering in the context of this debate is that federal judges have jurisdiction over clearly delineated geographic areas only – judicial authority in a region does not mean the extension of that authority over the country writ large.
All of this, then, leaves the agency in something of a quandary. Assuming it as simultaneously true that a) federal law enforcement fundamentally operates in good faith and with respect for constitutional and other safeguards and b) that there may be legitimate uses for forms of remote exploitation less invasive than webcam spying, the ruling presents an invitation to rethink the way that Rule 41(b) – the portion of federal criminal procedure that limits warrant authority to a single judicial district – works on the web. And indeed, just months after the decision in In Re Warrant to Search a Target Computer, the government began to do just that.
The Department of Justice’s Advisory Committee on Criminal Rules, one of many judicial sub-bodies whose internal deliberations contribute to the patchwork of American regulation and legal procedure, has for almost a year considered the question, via subcommittee, recently arriving – though with subcommittee membership divided – at proposed language that would vastly expand judicial authority to authorize the use of invasive malware in routine law enforcement. Removing the requirement that warrants be limited to a given magistrate judge’s district, the proposed change, Rule 41(b)(6) would expand existing regulation to allow magistrate judges “… to issue a warrant to use remote access to search electronic storage media and to seize electronically stored information located within or outside that district.”
Things Unwritten, Things Unsaid
There are three telling things about the proposed change. First is the language itself, which removes the traditional territorial restriction in the rules, an expansion of federal power. Currently, with concerns both constitutional and other in mind, investigators seeking to prosecute in many districts must obtain authorization everywhere they seek to execute search warrants. Criminal law is crucially and irreconcilably tied to geography – without these restrictions, rules of the most permissive jurisdiction would, de facto, be the rules of the land. Second, and as important, are the DOJ’s asserted justifications for such an expansion, which allow a valuable look at potential uses for this expanded power.
In addition to computers whose whereabouts are in fact unknown because of anonymizing technology or otherwise, the DOJ envisions having authority to search “computers in many districts simultaneously,” giving as an example a botnet controlling computers in many places at once. In a different and similarly asserted justification, the DOJ foresees that a single warrant could provide probable cause for searches of data held in different districts by multiple cloud-based services, a leaping end-run around established warrant practices already in place in, for example, the Electronic Communications Privacy Act (ECPA). These rationales are considerably more expansive than the question raised by the In Re Warrant to Search a Target Computer RAT denial … the subcommittee is trying to backdoor the law in favor of more back doors.
Third, sample warrant materials provided in the subcommittee’s reportings to aid in deliberations lack specificity as to the means of malware deployment, couch the agency’s planned hacking in euphemism, and – importantly – showcase forms of malware far less invasive than ones that the FBI has already publicly attempted to use. In this way, the asserted justifications do not address Magistrate Judge Smith’s concerns about recklessness in malware installation – arising partially due to agency omission in its applications – that simply emailing a malicious link to an email address may violate the privacy of more people than the suspect only and indeed may not hack the correct person or computer at all! The DOJ examples also vastly downplay the nature of what the agency and the DOJ actually seek to turn loose – in secret, in many cases(1) – on citizens. Although the FBI has and has previously sought to use tools allowing for the remote activation of webcams, the committee is treated to a heavily sanitized, choirboy set of promises for its deliberations about Rule 41 expansion – nowhere in their example materials does the DOJ describe remote webcam activation, even as it was a warrant for precisely that technology that precipitated proposed changes in the first place.
Forum Shopping Spree
A primary reason these changes are so dangerous: By expanding authority for a single judge to issue warrants for computers and data located outside of their district, prosecutors and feds can “forum shop,” seeking out a court where its arguments are likely to be received favorably due to known biases or predispositions of magistrate judges there. So, even as the committee repeatedly ensured that the changes to the rule do not affect constitutional protections, by allowing the FBI to forum shop in its applications – and for warrants applying not to one, but up to all 94 judicial districts – the proposed change is a drastic blow to the constitutional safeguards in place for privacy and other civil liberties. The ACLU noted the many problems with the proposed changes in a memo.
Together, the language and justifications presented in favor of the expansion of the practice of state hacking presage a radical expansion in police power and a blow to privacy. Americans are in danger of being subject to more remote access policing, more virtual invasions of privacy, and more omissions on the part of law enforcement. Non-singular, non-territorially-linked warrant authority makes government malware for domestic policing the new normal, anywhere and everywhere people use computers. Offered law professor and author Lori Andrews of the constitutional problems posed by using a RAT to activate a computer’s webcam without knowledge of its location, “If there’s one thing the Fourth Amendment protects, it is your privacy in your home. The DOJ’s desire to secretly view you at home through your webcam runs contrary to one of the basic principles of our democracy.”
Whether the proposed changes are adopted will depend in part on how much sun these deliberations see as they make their way to Congressional bodies, and how much rancor greets their consideration. For now, keep your eyes open.
(1) Another aspect of the DOJ’s proposal was tweaking the notice requirements under Rule 41, arguably lowering the effort law enforcement must make to inform a user that their computer is subject to remote-access search.