Typically, the process for amending the Federal Rules of Criminal Procedure is a sleepy affair. Proposed amendments wend their way through a series of judicial committees and, if approved by the Supreme Court, take effect automatically by the end of the year. Theoretically, Congress may choose to intervene and block the change – but it does so rarely. This year, however, a proposed amendment has caught the congressional eye.
Over the past several days, legislators in both the Senate and the House of Representatives have introduced legislation to block a proposed change to Rule 41 of the Federal Rules of Criminal Procedure, which regulates the issuance of search warrants in federal criminal investigations. Law enforcement already uses Rule 41 routinely to obtain warrants to search computers recovered from physical premises or otherwise taken into law enforcement custody. The proposed amendment addresses a different scenario: when law enforcement has identified a computer being used to perpetrate a crime but cannot determine where it is located. With the proliferation of anonymizing technologies used by hackers and other criminals operating on the Internet, this fact pattern is increasingly common. The rule change under consideration would enable law enforcement to obtain a warrant in such circumstances to search the target computer “remotely” – that is, by hacking into it.
Rule 41 as it currently stands doesn’t specifically prohibit such searches, but it doesn’t provide a practical mechanism for law enforcement to obtain warrants for them. The hitch is that, under the current rule, a search warrant generally must be obtained from a magistrate judge in the judicial district where the property to be searched is located. But if the location of a computer is unknown, the rule fails to specify any district where a warrant to remotely search the computer may be obtained – even though the search may otherwise be legally unobjectionable. In several instances, courts have rejected or invalidated warrants seeking permission to remotely search a computer on this very basis.
The proposed amendment to Rule 41 seeks to bridge this gap. It provides that, in any case where the true location of data relevant to a criminal investigation has been “concealed through technological means,” law enforcement may apply to a magistrate judge in any district “where activities related to [the] crime may have occurred,” in order to obtain a warrant to search the data using “remote access,” regardless of where the data may be physically stored. This would mean, for example, that if a hacker connects to a proxy computer in Utah in order to control malicious software on a victim machine in Vermont, then the proposed amendment would permit law enforcement to apply to a magistrate judge in either Utah or Vermont for a warrant to “remotely access” the hacker’s own computer, wherever it may be.
Proponents of the proposed amendment argue that it is merely procedural, not substantive. The use of computer hacking as a law enforcement tool, they point out, does not by itself violate US law. The federal anti-hacking statute – the Computer Fraud and Abuse Act – already makes an exception for lawfully authorized investigative activity of a US law enforcement agency. Thus, in theory, just as law enforcement may breach the door of a house to execute a lawfully authorized physical search (even though such conduct would otherwise qualify as trespass), federal law recognizes that law enforcement may be justified in taking comparable action in executing a lawfully authorized search of a computer.
But opponents argue that, in effect, the proposed amendment would make it much easier for law enforcement to obtain authorization to engage in computer hacking for investigative purposes and, as a result, vastly expand law enforcement’s use of such methods. (To emphasize the point, the Senate bill introduced to block the rule change has been titled the “Stop Mass Hacking Act.”) This normalization of computer hacking as a law enforcement tool, critics contend, would open up a Pandora’s box of privacy problems. Among other things, opponents point out that any security exploits used by law enforcement could be reverse-engineered by bad actors and used maliciously; or they could end up infecting innocent computers by accident (as happened, for example, with the Stuxnet worm deployed against Iranian nuclear facilities, which ultimately propagated onto the broader Internet). Beyond these practical concerns, opponents of the amendment cite legal implications arising beyond US borders. Even if law-enforcement use of hacking may not violate US laws, hacking a computer whose location is unknown potentially means breaking the laws of an unknown foreign country where the computer may reside. Indeed, the Department of Justice itself has cautioned victims of computer intrusions against “hacking back” based on precisely such worries.
Given these potential consequences, critics argue that any decision to loosen the constraints on law-enforcement use of hacking – procedural or otherwise – should not be made through judicial rulemaking, but should only be made through legislation, after thorough congressional consideration. With the introduction of the House and Senate bills, congressional consideration of the issue is at least initially underway. Under the rule amendment process, Congress has until December 1 of this year to block the change before it automatically takes effect.
The debate over the amendment presents an interesting twist on the larger issue of whether and how the physical location of data should act as a constraint on law enforcement. In particular, it will be instructive to see how lawmakers grapple with these questions: Should US courts have the power to authorize law enforcement to access data stored on any computer in the world, regardless of its location? What consideration, if any, should be given to the laws of foreign jurisdictions – particularly when the specific jurisdiction where the target computer is located is initially unknown? And what constraints, if any, should be placed on the means used by law enforcement to gain access?