Even as ECPA reform moves towards a full vote on the floor of Congress, there is a specter of expansive government authority for the issuance of warrants lingering on the horizon.
Sometime this summer—possibly very soon—the Supreme Court is set to issue a ruling on proposed changes to Rule 41 of the Federal Rules of Criminal Procedure. This rule limits a judge’s ability to issue warrants outside his or her district, but the proposed changes could have significant ramifications for warrants issued in cases involving computers and distributed networks.
The rule change would stipulate that:
a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts. (emphasis mine)
(For clarification, this language is taken from U.S. Courts Agenda Books; See Advisory Committee on Rules of Criminal Procedure – April 2016, pgs. 67-68. The reference to 18 U.S.C. § 1030(a)(5) is the Computer Fraud and Abuse Act)
This change does not address the constitutionality of underlying warrant requirements for access to digital communications and content—which is slated to be updated if/when the House and Senate pass the Email Privacy Act (H.R. 699) recently forwarded, unanimously, through the House Judiciary Committee.
The Department of Justice (DOJ) maintains such changes are necessary primarily to enable law enforcement to better investigate botnets and criminal activity occurring under anonymization techniques (e.g. Tor web browsers, encryption). Although the proposed rule changes have not yet gone into effect, that hasn’t stopped the government from operating as though they have.
- A failure to define what constitutes a “remote search” or under what conditions it would be appropriately exercised;
- Authorizing remote searches on computers in unknown locations violates the particularity requirement under the Fourth Amendment;
- An expansive authority that could result in warrants applying to jurisdictions outside the United States;
- A failure to assess the impact of ongoing efforts to improve intra-governmental mutual legal assistance treaties (MLATs);
- Not accounting for the fact that “concealed through technological means” does not by itself indicate criminal activity (think encryption, or virtual private networks utilized by businesses to protect proprietary data flows), and is as similarly vague in its definition as “remote search”; and
- A failure to recognize that the supposed limitation to “computers that have been damaged without authorization” would technically apply to systems infected by malware or botnets, broadening the authority to many thousands, likely millions, of computers not involved in criminal activity;
Perhaps most unnerving is that, as Richard Salgado of Google pointed out, this proposed rule change “carries with it the specter of government hacking without any Congressional debate or democratic policymaking process.”
Of course, it is entirely possible that a more explicit legal hacking authority for law enforcement agencies would help address many of the issues the DOJ has sought to remedy, especially related to encryption. A legal hacking regime could be just the compromise the encryption debate needs. However, that discussion ought to occur in the public forum, sanctioned by Congress through the legislative process, not by a surreptitious change in the criminal procedure left to the auspices of a court Advisory Committee Last week, a House Energy and Commerce subcommittee hearing on encryption touched on this issue. It seems as though “lawful systems access” could now be on the table for further discussion. Getting the rules of the game established is the next step.
Permitting the Judicial Conference’s Advisory Committee on the Federal Rules of Criminal Procedure to be the incipient source of a “lawful systems access” regime is not the appropriate path forward on this issue. There are many competing issues at stake here. That is why it is all the more vital that any such changes to Rule 41 ought to occur with appropriate input from the public, civil society, industry, and other relevant stakeholders. Like so many other issues related to the digital ecosystem, the landscape and concerns are complicated. The issue of Rule 41, like concerns related to encryption, ought to be dealt with by Congress, not the courts.