Unless Congress acts before Dec. 1, 2016, amendments to Rule 41 of the Federal Rules of Criminal Procedure will take effect, authorizing federal judges to grant extraterritorial remote access computer search warrants in two increasingly common cybercrime contexts. The House and Senate have introduced bills — both titled the Stopping Mass Hacking Act — aimed at preventing these amendments from taking effect. The bills address procedural changes to Rule 41, but do not address deeper concerns members of Congress and privacy advocates have with law enforcement's use of remote access computer searches.
FBI investigators use remote access searches — often referred to as network investigative techniques (NITs) — to surreptitiously access and collect information stored on a target device through an Internet connection, without ever physically seizing it. To effectuate these searches, the FBI covertly installs software on a target's device, often bypassing security programs and exploiting software vulnerabilities, to collect data stored on the target's computer or device. While NITs represent a valuable instrument to investigate and prosecute cybercriminals, if their use is unchecked, they could become a pervasive means of surveillance used to hack and covertly collect data from millions of individuals.
NITs require a warrant. Rule 41's venue requirements restrict a federal judge's authority to issue warrants to search a target beyond that judge's district. The pending amendments to Rule 41 would establish two new exceptions, permitting judges to issue out-of-district remote access computer search warrants: when suspects conceal their online location and identity, engaging in cybercrime anonymously; and when malware affects innocent users in five or more districts. As amended, a federal judge in any district "where activities related to a crime may have occurred" could authorize a remote access search warrant in these two contexts.
The first exception would eliminate a jurisdictional hurdle frustrating the investigation of crimes committed by individuals utilizing digital techniques to hide their identity and location. Currently, federal judges can only issue warrants to search devices they know to be in their district. When the court does not know the device's location — such as when the suspected criminal uses an anonymizing tool to hide his or her device's IP address — no judge in the country has authority to issue a search warrant for that device. The amendments would authorize federal judges to grant out-of-district warrants, permitting law enforcement to utilize a NIT to collect identifying and personal information from the target device.
The second exception would assist law enforcement in its investigation of botnets. A botnet is a network of computers infected with malicious software that enables simultaneous command by a single "master." Masters utilize these networks of compromised computers or "zombies" to accomplish any number of illegal and harmful activities. Remote access searches enable law enforcement to gather information on these infected computers, which can amass evidence of the crimes and map patterns of activity. Currently, the government must apply for a separate warrant in each jurisdiction where a set of zombies is located. This requirement presents a significant hurdle because a single botnet can affect millions of computers, which are likely spread throughout many judicial districts. The amendments would allow a single court to issue multi-district, multi-computer remote access search warrants for all computers infected by a piece of malware.
Critics raise many legal and policy concerns about the Rule 41 amendments, some of which highlight the potential harms of remote access searches generally. In response, the Department of Justice maintains that the proposed changes would not generate a new law enforcement search tool. Even without the amendments, the government can obtain remote access search warrants to search devices whose location information is known — law enforcement must simply go to a federal judge in the proper district — and the government has used NITs for over 15 years. But NITs are a powerful tool that can severely undermine basic privacy rights (including accessing computers of individuals that are not the targets of an investigation). The public discourse and congressional debate should focus less on the merits of the Rule 41 amendments and more on the relative values and ills of remote access searches.
Remote access searches provide law enforcement with intrusive capabilities that go far beyond collecting a user's identifying information. NITs can also access, seize and copy personal information — such as browser history, bookmarks and Internet searches — and actual content — like documents, emails and photographs. They can even actively enable computer functions, turning on the device's GPS, microphones and webcams.
These intrusive capabilities are particularly concerning because of the lack of transparency and minimization procedures required in the warrant application process. The government's applications for remote access search warrants routinely fail to include technological explanations of how the NIT will invade the target device, what information it will collect and how many devices it will infect. Instead, they refer to ambiguous "computer instructions" and often withhold the NIT's commands, processes and capabilities as classified. Without suitable transparency, the judiciary cannot adequately oversee the warrant application process. This can lead to unintended consequences — like when a NIT inadvertently altered every website hosted on a particular server and collected information on thousands of law-abiding Internet users simply trying to check their email.
That NITs may expose target devices to security vulnerabilities and disrupt their functionality is also troubling. Research reveals that intentional backdoors and flaws in remote access search software may permit third parties to penetrate the users' systems and that a failure to properly encrypt the data in transit could expose the users' personal information to third-party collection.
Without sufficient transparency, judges are also left ill-equipped to consider important Fourth Amendment questions. While the judiciary is well suited to tackle complex questions of particularity, reasonableness and probable cause in the traditional warrant arena, the cybercrime context introduces unfamiliar and powerful technologies and new legal gray areas. Courts will need to address whether the government can establish probable cause that every device to be searched contains information related to criminal activity. Courts will also need to determine the circumstances in which the amplified burdens required under Title III apply and whether the Fourth Amendment analysis differs for remote access searches of mobile devices. These concerns are especially troubling because remote access search warrant applications are virtually always reviewed ex parte and judicial opinions related to these warrants often go unpublished and are commonly sealed.
These concerns are only intensified because of the amendments' second exception, which streamlines the government's ability to intrusively search devices of millions of innocent users to combat botnets. Requiring the FBI to apply for separate warrants in each judicial district may be inefficient, but, in many ways, it serves as a proper and necessary check on the government's ability to perform invasive searches of botnet-infected devices owned and used by individuals whose only connection to the underlying crime is being its victim. Moreover, Congress must consider whether law enforcement should be able to conduct remote access searches of innocent users, scrutinizing why falling victim to a botnet justifies a search and seizure of an individual's browser history, photographs and emails.
The risks to civil liberties from government-sanctioned hacking are too great to be ignored. Accordingly, Congress should support the Stopping Mass Hacking Act and, more importantly, encourage legislative and public scrutiny of remote access searches generally.
Zach Lerner is a fellow at ZwillGen PLLC in Washington, DC. He joined the firm after graduating from Harvard Law School and works on a variety of legal matters affecting Internet-based companies including federal and state regulatory compliance, data privacy, data security and complex class action defense. He can be reached at email@example.com.