The constitutional cost of keeping up with cyber criminals
The “warrant rule” of the Federal Rules of Criminal Procedure was recently changed to make it easier to investigate online criminal activity, but some believe the change comes at the price of constitutional rights.
With rapidly evolving technology and an increasingly sophisticated internet, prosecutors and law enforcement officials are fighting an ongoing battle to keep pace with those who use the internet and technology for criminal purposes. Specifically, it has become more difficult to trace conduct on the internet to a particular person or a specific physical location, thanks to programs that make online activity anonymous or make it appear that certain activities are attributable to another computer or user.
This poses problems for those seeking warrants to investigate criminal activity occurring online because it can be impossible to determine in which jurisdiction to seek a warrant when the location of the person or thing to be searched cannot always be known. But recent changes to Rule 41 of the Federal Rules of Criminal Procedure—the rule governing the issuing of warrants—have, according to some, made it easier for law enforcement to obtain warrants and investigate online criminal activity. According to others, the changes to Rule 41 are troubling and expand the investigative powers of the government.
The amended Rule 41 is a product a few years in the making. In 2015, the Federal Bureau of Investigation (FBI), as part of Operation Pacifier, sought a warrant to search an unlimited number of computers anywhere in the world in the investigation of an online child pornography ring. With warrant in hand, the FBI was able to hack a popular child pornography site and track visitors remotely using malware. The search involved some 8700 IP addresses in roughly 120 countries; and 214 individuals where charged as a result of the investigation; however, federal judges in at least three jurisdictions have taken issue with the warrant supplied to the FBI, as it violated Rule 41 as it existed in 2015 and some have even suppressed evidence obtained under the warrant. At the same time, other jurisdictions have found no fault with the warrant.
Essentially, as amended, the Rule allows for warrants to remotely access and search electronically stored data.
In an earlier case, the Department of Justice (DOJ), while investigating possible online fraud in Texas, applied for a warrant to install malware on a computer to get a location and gather information. The warrant was denied by a federal magistrate judge primarily because the warrant named no specific location or person to be searched. Also, because the location of the computer was unknown, the warrant would likely be executed outside the territorial jurisdiction of the court, in violation of Rule 41 as it existed in 2013. The magistrate judge who denied the warrant in that case stated some changes to Rule 41 may be necessary given the evolution of technology.
Subsequent to these cases, a three-year rulemaking process began involving public comment, committee hearings, Supreme Court approval, and finally, passage by Congress. In December of 2016, Rule 41, as amended, took effect to allow for warrants to be issued under a lessened territoriality standard. Essentially, as amended, the Rule allows for warrants to remotely access and search electronically stored data. It also allow warrants to be issued in any jurisdiction in which activity relating to a crime has occurred if either (1) the location of the data has been concealed using technological means; or (2) a cybercrime is being investigated, the protected computers are damaged without authorization, and the computers are located within at least five different jurisdictions.
Some fear that the amended Rule 41 does away with the particularity and territoriality standards in cases of cybercrime investigations.
Those who called for the changes to Rule 41 say the amendments are necessary given the advancement of technology and the use of those technologies to commit anonymized crime. The two cases above demonstrate the need for clarity for investigators posed with the question of which jurisdiction to list when applying for a warrant when the location of the data to be searched cannot be known. In a blog post for the Department of Justice, then Assistant Attorney General, Leslie Caldwell, used the above child exploitation case to illustrate the difficulty investigators faced under the old Rule 41. Caldwell stated the changes would ensure there will always be at least one jurisdiction in which investigators can obtain a lawful warrant and have the investigation supervised by a judge in anonymized cyber-crime cases.
Others fear the amended Rule 41 threatens the Fourth Amendment. Warrants, under the Fourth Amendment, must satisfy a particularity requirement, meaning that the warrant must identify the person or property to be searched and its location. Historically, Rule 41 has included a territoriality standard for warrants, which required a warrant to be issued in the jurisdiction in which the subject of the warrant is located. Some fear that the amended Rule 41 does away with the particularity and territoriality standards in cases of cybercrime investigations. According to Wayne Brough of FreedomWorks in Washington, D.C., the amended rule cannot be constitutional given its expanded breadth with respect to cyber-crime warrants. He went on to note the rule now runs the risk of ensnaring innocent individuals into an investigation and subjecting their devices and data to be searched because of how criminals have manipulated their devices and data.
This has already been the case for some users of the PlayStation network and Twitter. Others, like the American Civil Liberties Union, are concerned that the removal of the territoriality requirement for electronically stored data will encourage forum shopping by law enforcement to find jurisdictions favorable of more broad warrants. Many, like Federal Public Defender Colin Fieman, are less concerned with the changes of Rule 41 itself, but are more concerned with the behavior of law enforcement following the rule change and the risk of abusing their hacking powers. Others not only take issue with the substantive changes to Rule 41, but also with the procedure by which the amendments were made.
Assistant Attorney General Caldwell attempted to ease some of these concerns in his DOJ blog post. In the post, he clarified that the changes to Rule 41 did not allow anything not already permissible under existing law and not already being done. He also stated that nothing would be allowed that was not in compliance with the Fourth Amendment and that constitutional requirements of warrants, such as the probable cause requirement, would continue to ensure there is no violation of civil liberties.
The amended Rule 41 has not persisted without challenge. Within Congress, a group of Senators, including Sen. Ran Paul (R. KY) and Sen. Ron Wyden (D. OR), proposed the Stop Mass Hacking Act, which would have prevented the changes made to Rule 41, but the bill never received a vote in the Senate. Moving forward, it is not yet entirely clear what success any challenge to the amended Rule 41 may have given the new administration. In an opinion piece for the Wall Street Journal, Mike Pompeo, President Trump’s pick to head the CIA, wrote about the issue, “legal and bureaucratic impairments to surveillance should be removed.” There will almost certainly be additional constitutional challenges to the amended rule in the coming years, but for now, it seems yet another level of complexity has been added to the Fourth Amendment’s warrant requirement.