Whether they’re threatening to spill the deets on the Game of Thrones finale or pilfering confidential BigLaw client data for insider trading, cybercriminals are using increasingly sophisticated methods to wreak havoc on businesses. The law, for the most part, has been struggling to catch up. Last year, however, the Judicial Conference Committee on Rules of Practice and Procedure formally amended Rule 41 of the Federal Rules of Criminal Procedure to lessen the procedural burdens the government would face in order to legally remote-hack suspects’ computers. These suggested changes were officially incorporated into the Federal Rules in December 2016.
These changes could have an impact well beyond removing a few procedural hurdles for warrants. Detractors of the changes claim that the type of surveillance the revisions authorize could impact the overall security of users’ computers and intrude on Fourth Amendment safeguards that have protected computer users in the past. As Wired recently observed, the FBI has already been subpoenaing studies from research universities designed to patch network and software security flaws, and is using them to further its remote hacking investigations. How magistrate judges and courts react to amended Rule 41 going forward will play a major role in determining the future of user privacy.
Prior to the 2016 amendments, Rule 41 was structured so that any warrant through which the government sought to obtain data from a suspect’s computer would be limited to those computers within the magistrate judge’s district. This is because Rule 41(b) had only permitted the government to conduct searches and seizures outside the judicial district where the warrant was issued if:
i. the property would be removed before execution of the warrant;
ii. the warrant was for tracking devices installed in the district which may move across districts;
iii. the warrant was being used in an investigation of international terrorism; or
iv. the warrant was for property located in a U.S. territory, embassy or consular mission.
Because criminal suspects would often conceal the location of their computers using anonymous proxy servers and other obfuscating technology, Rule 41 became a procedural hurdle for government investigators. As a result, Rule 41 was inconsistently used to suppress or admit similar types of evidence, and government agents investigating botnets—widespread networks of multiple infected computers—often had to wait for multiple jurisdictional warrants to process before they could remote hack infected computers covered under the same criminal matter.
This was the case in the FBI’s recent Playpen investigation, where some criminal suspects, living outside the districts where the FBI received its warrants at the time, were able to successfully challenge their convictions on Rule 41 grounds. One federal judge in the Southern District of Texas, in suppressing evidence obtained via remote hacking under Rule 41, suggested that the time was ripe to amend the rule, writing that there “may well be a good reason to update the territorial limits of that rule in light of advancing computer search technology.”
Enter amended Rule 41, which brings these warrant procedures up to date with the government’s modern needs. Under new Rule 41(b)(6), a magistrate judge located in any district where activities related to the criminal matter occurred can issue a warrant allowing the government to access data stored remotely, either within or outside the judge’s district, if:
a. the district where the media or information is located has been concealed through technological means; or
b. in an investigation of a violation of 18 U.S.C. § 1030(a)(5)—which covers fraud and other criminal activity connected with computers—the media are protected computers that have been damaged without authorization and are located in five or more districts.
While the FBI is only recently starting to test the boundaries of Rule 41’s amended language with respect to criminal botnet investigations, it remains to be seen whether the new rule will grant the government greatly expanded search powers.
Naturally, there has been debate over whether amended Rule 41 materially and unconstitutionally limits Fourth Amendment protections against unreasonable searches and seizures. Similarly contested is whether the government’s flexible remote hacking warrant privileges could disincentivize cybersecurity improvements.
Some—including the Department of Justice—believe that the Rule does not materially affect criminal defendants’ Fourth Amendment rights. Any search warrant issued, the DOJ asserts, would have to comport with the Fourth Amendment anyway. Similarly, remote hacking warrants have been issued in the past without offending the Fourth Amendment. Assistant Attorney General Leslie R. Caldwell, of the DOJ’s Criminal Division, noted in a blog post that amended Rule 41(b)(6) would only apply in limited circumstances, namely to iron out venue inconsistencies in cases where the suspect has masked the location of his computer, and to streamline warrant processing where the suspect is operating a hacking or fraud scheme using five computers or more.
Others, however, argue that the amended language will give the government free rein to significantly erode user privacy rights. The main contention here is that the revisions give the government overly broad powers to infiltrate the computers of innocent parties who were victimized by illegal botnets and other cybercriminal activity without outlining specific procedures that would protect these users’ cybersecurity and privacy rights.
Since government-authorized remote hackings often rely on techniques and software similar to those used by malicious hackers, detractors have also argued that the revisions would discourage the government from proactively helping to report and fix major security flaws, which would in turn open the gates for cybercriminals to compromise computers using the same techniques. This argument has only gained strength following the recent WannaCry and Petya outbreaks, global ransomware cyberattacks that relied on a cybersecurity flaw first identified and exploited by the U.S. government.
Technology companies such as Google, PayPal and Evernote, along with groups such as the ACLU and National Association of Criminal Defense Lawyers, joined the Electronic Frontier Foundation in opposing the Rule 41 changes and the potential threats they brought to Internet users’ ordinary Fourth Amendment rights. They raised these concerns in a letter to Congress urging them to pass the Stopping Mass Hacking Act, which would have prevented the Rules Committee’s proposed changes from going into effect. Although initial efforts stalled in the Senate, the bill was reintroduced for consideration in the House of Representatives earlier this year.
As the Rule 41 revisions turn one year old in December, it will be interesting to see how federal courts will balance the investigatory interests of the government and the privacy interests of its citizens when analyzing the validity of warrants and determining whether to suppress evidence obtained from government remote hacking. In the meantime, the issues surrounding revised Rule 41 continue to illustrate the statutory struggles lawyers, legislators and judges will face when grappling with the new realities posed by advanced cybercrime.