Author: Jon Kelly, Associate Member, University of Cincinnati Law Review
The state of modern technology has created many challenges for the existing legal framework.[1] The Committee on Rules of Practice and Procedure of the Judicial Conference of the United States (Advisory Committee) is currently deliberating two proposed changes to the search and seizure requirements of Federal Rule of Criminal Procedure 41. The changes, if enacted, would allow courts to issue search warrants permitting the remote access, search, and seizure of electronic data when the location of the targeted computer or server is not identifiable. The Department of Justice (DOJ) has argued that these changes only address jurisdictional issues created by anonymous computer attacks.[2] However, Google is among those arguing against the amendments, claiming that the new rule would threaten Fourth Amendment protections and that the issue is better left to Congress.[3] Google’s concerns are valid; the amendments to Rule 41 give little assurance that warrants authorized under the new rule would remain limited. The amendments threaten Fourth Amendment protections and compromise diplomacy with foreign nations without offering any safeguards to assuage these concerns. Therefore, the amendments should be rejected and the issue left to Congress, where there can be a more rigorous discussion of the merits and the addition of proper safeguards should the rule be approved.
Changes to Rule 41
As the Federal Rules stand now, magistrates may not issue warrants for searches outside the district in which they sit unless activity relating to the crime occurred within the district and the criminal act is either (1) an act of terrorism or (2) the property is on federal land/territory.[4] The proposed amendments would allow a magistrate, in a jurisdiction where activity relating to a crime occurred, to issue a warrant for a search and seizure by remote access if, “(A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5) [concerning computer fraud and related activity], the media are protected computers that have been damaged without authorization and are located in five or more districts.”[5] The comments relay that the changes will assist in authorizing searches where any type of technology has been used to hide the location of the computer and to ease the burden of securing a multitude of warrants when the criminal activity affects many districts.[6] The comments also deny that the amendments address any Fourth Amendment concerns, leaving that task to the common law.[7]
In re Warrant is an instructive case involving an application by federal agents to hack into a computer with an unknown location or user in order to extract data from the targeted computer.[8] All that was known about the computer was that the computer’s last registered IP address was in a foreign country and that it had been used to commit identity theft and bank fraud, among other crimes.[9] The court denied the warrant, both for not satisfying the conditions of any existing authority under Rule 41(b) and for failing to meet the Fourth Amendment particularity requirement.[10] The court held that the searches could not be categorized as taking place within the district, and that the lack of specificity for how the data would be extracted did not adequately protect against unlawful access to the private information of non-criminal users.[11]
Location identifying information on a computer is known as the internet protocol (IP) address. Often, anonymizing software will mask the true IP address by routing through several “innocent” computers.[12] This creates an issue when federal agencies must necessarily go through those innocent computers to reach the target. Even if the target computer is accessed, there is no way to know whether the person(s) committing the illegal activity are the sole recipients of the search.[13] Computers on the same network, persons sharing a computer, or those accessing public computers could all become susceptible to searches and seizure of personal information despite having no involvement in the criminal activity.[14] The issues discussed by the court in In re Warrant have become the main points of contention by opponents of the amendments to Rule 41.
Concerns Raised and Dismissed
Various entities, including Google, have submitted their opposition to the Rule 41 changes.[15] The main objections stem from the absence of language that would limit the scope of searches under the new rule or to set a requirement of specificity needed to ensure constitutional protections and protect international relations.[16] The Fourth Amendment requires that warrants specify the “place to be searched, and the persons or things to be seized.”[17] This specificity requirement is understandably compromised when a federal agency’s warrant request does not specify the location of the search, the methods in which the search will take place, or the scope of such a search.[18] The scope of a search and seizure against an anonymized computer holds serious risks, especially given the relatively undefined term “remote access.”[19] There are many ways to access and collect electronically stored information; the DOJ has identified network intervention techniques (NIT)—installing software on targeted computers, which then relays data to law enforcement—as one potential method.[20] NIT is still an opaque term since it is more of a broad description rather than a specific method of data extraction and offers no explanation for how those methods will remain limited to the targeted computer.[21] Paragraph (B)’s broad language does not alleviate the concern that the Rule 41 amendments unjustifiably allow access to innocent computers considering computers “damaged” by criminal conduct could potentially encompass millions of Americans.[22]
There are other potential collateral consequences of broad searches where the final destination of the targeted computer is unknown. As the National Association of Criminal Defense Lawyers (NACDL) notes, 85% of anonymous software is used outside of the United States. Given that searches performed under the amended Rule 41 would occur precisely because the location of the targeted computer is unknown, there is a serious chance that NIT hacks could affect a computer in another country. Unauthorized intrusions into other countries violates the sovereignty of those nations and threatens the United States’ diplomatic relations with those countries.[23]
The DOJ has responded to these criticisms with assurances that the new rule would change little in terms of what is already allowed under current law. It asserts that the amendment refers strictly to venue concerns, specifically the problem created when crime is spread among more than five districts or when the location for the source of the crime is unknown.[24] DOJ asserts that the particularity requirements are met because the Supreme Court has upheld warrants that do not specify a physical location when the location is itself the information desired, so long as the object to be searched is specified.[25] For the DOJ, most of the objections to the rule are objections to remote access techniques, which the DOJ is already authorized to practice under the existing rules when the location of the computer is known.[26] Therefore, according to the DOJ, the issue is limited to loosening venue restrictions.[27]
Let Congress Decide
The DOJ makes a convincing argument, as the comments to the amendment attempt to limit it to the rule’s supposed two instances of applicability. There is also room for argument that the courts are capable of delineating the limits for search and seizure requirements. For instance, the recent Supreme Court decision in Riley v. California imposed a categorical limitation on the (albeit warrantless) search of cell phone contents incident to an arrest.[28] However, Riley was not decided until well after the arrival of smartphones, and the scope involved in tracking anonymized computers is far more expansive than any search of a single electronic device. The internet is a vast expanse of networks and computers, many of which lie outside the jurisdiction of the United States. Enlarging the authority of judges to grant broad access to this network in search of an offender requires more than a simple rule change. After all, under the amendments the scope of computer crimes would likely allow law enforcement agencies the convenience of choosing magistrates more favorable to their requests, or simply running to a more favorable magistrate when one turns them down. The very fact that many of these searches could conceivably reach a targeted computer in another country requires that Congress become actively involved in the deliberation of the amendments’ merit. As the amendments are now written, the constitutional sufficiency of warrant requests will depend on the issuing judge. However, Congress would be better able to determine what exactly should be expected from law enforcement agencies hoping to track down the culprits of cyber-crime. These amendments to Rule 41 need more substance in order to adequately protect innocent American citizens; for instance, a better amendment might include a requirement that warrant requests detail the exact method and expected scope of an NIT search, or a requirement that a warrant request, if denied once, cannot be re-submitted to another magistrate without substantially resolving the identified issues.
It is clear, even from the testimony of Google, that search and seizure warrants must evolve with current technology and address the capabilities of anonymous computer crime. Anonymous computer crime poses new challenges to the traditional understanding of jurisdiction, especially when the criminal activity has the potential to come from any corner of the world. And that is precisely why such a complicated issue deserves serious consideration and debate through Congress. Congress has the ability to bring in expert opinion, debate the costs and benefits of expanded warrant authority, and prioritize the interests of U.S. citizens and foreign policy. The amendments to Rule 41 should not be enacted and Congress should take the reins to determine the procedure for warrants concerning anonymous computer crime, because Congress is better suited to ensure Fourth Amendment protections under such a broad grant of authority.
[1] E.g. Riley v. California, 134 S.Ct. 2473 (2014) (concerning the ability of officers to conduct warrantless searches of cell phone content incident to arrest).
[2] David Bitkower, Response to Comments Concerning Proposed Amendment to Rule 41, U.S. Department of Justice (submitted Dec. 22, 2014).
[3] Richard Salgado, Google Inc. Comments on the Proposed Amendment to Federal Rule of Criminal Procedure 41, Google Inc. (Feb. 13, 2015).
[4] Fed. R. Crim. P. 41(b)(3) & (5). See also Fed. R. Crim. P. 41(b)(2) & (4) (allowing for warrants to extend beyond the magistrate’s jurisdiction, but only if the property is within the jurisdiction at the time of the warrant’s issue and may move outside).
[5] Fed. R. Crim. P. 41(b)(6), 10-11 (Preliminary Draft 2014).
[6] Fed. R. Crim. P. 41 advisory committee’s note (Preliminary Draft 2014).
[7] Id.
[8] 958 F.Supp. 2d 753 (S.D. Tex. 2013).
[9] Id. at 755.
[10] Id. at 757. The particularity requirement of the Fourth Amendment refers to the requirement that warrants cannot be issued without, “particularly describing the place to be searched, and the persons or things to be seized.” U.S. Const. amend. IV.
[11] Id. at 757-759
[12] Id. at 759.
[13] Id.
[14] Id.
[15] See Proposed Amendments to the Federal Rules of Criminal Procedure, Regulations.gov, http://www.regulations.gov/#!docketBrowser;rpp=25;po=0;D=USC-RULES-CR-2014-0004 (last visited Mar. 9, 2015) (submitted comment access).
[16] Salgado, supra note 3; Peter Goldberger, Comments of the National Association of Criminal Defense Lawyers on the Proposed Amendment to Rule 41, National Association of Criminal Defense Lawyers (Feb. 17, 2015).
[17] U.S. Const. amend. IV.
[18] Salgado, supra note 3, at 6.
[19] Goldberger, supra note 16, at 2-4.
[20] Salgado, supra note 3, at 6.
[21] Id.
[22] Botnets—automated malware programs that infect vulnerable computers—can have networks numbering in the millions. Id. at 13 (quoting Botnets 101, Federal Bureau of Investigation (June 5, 2013, 7:00 AM), http://www.fbi.gov/news/news_blog/botnets-101/botnets-101-what-they-are-and-how-to-avoid-them).
[23] Salgado, supra note 3, at 3-4.
[24] Bitkower, supra note 2, at 2.
[25] Id. at 4.
[26] Id. at 2.
[27] Id. at 2.
[28] Riley v. California, 134 S.Ct. 2473 (2014).
