Cybersecurity & Tech Surveillance & Privacy

Rule 41: Resolving Procedural Debates to Face the Tough Questions on Government Hacking

Susan Hennessey
Thursday, December 1, 2016, 2:38 PM

As of midnight last night changes to Rule 41 of the Federal Rules of Criminal Procedure took effect. Opponents of the rule change failed in a last ditch effort in the Senate to block the change.

Published by The Lawfare Institute
in Cooperation With

As of midnight last night changes to Rule 41 of the Federal Rules of Criminal Procedure took effect. Opponents of the rule change failed in a last ditch effort in the Senate to block the change. Senator Steve Daines alleged the “proposed solution essentially gives our government a blank check to infringe upon our civil liberties.” Senator Ron Wyden called it “one of the biggest mistakes in surveillance policy in years.”

These are exceptionally strong terms in which to discuss a change to procedural rules regarding venue. Fortunately, the good senators need not be alarmed. The enactment of the Rule 41 changes merely concludes a rather frivolous debate over government hacking and paves the way for a far more substantive one.

First, a refresher on the previous state of affairs. Previously, Rule 41 included territorial venue provisions authorizing magistrate judges to issue warrants only within their district, except in a set of narrowly defined circumstances. Because prior to obtaining a warrant, authorities did not know the physical location of a computer using Tor or other anonymization services, it was unclear whether law enforcement could obtain such a warrant from any federal judge under those rules.

The language, as it previously existed, risked the absurd possibility that individuals within the United States would be permitted to use Tor and other anonymizing techniques to place themselves beyond the reach of any federal magistrate, effectively immunizing themselves from warrants.

And the risk here had actually begun to materialize. To date, judges in over twenty-five federal districts have presided over matters relating to prosecutions resulting from an investigation into a website dedicated to child sexual abuse and related images known as Playpen. A primary issue in those cases was whether the warrant for a network investigative technique designed to obtain the IP address of computers accessing contraband child sexual abuse materials, authorized in the Eastern District of Virginia, violated Rule 41 when applied to computers outside that district. Though courts diverged significantly in their analyses and conclusions, a majority found that the warrant at least technically violated Rule 41, but then relied on the good faith exception in declining to suppress evidence.

The good faith exception is, effectively, a one-time safety valve. Law enforcement would be foreclosed from relying in good faith on future warrants for computers where the location unknown under existing rules. This means those investigations—into incredibly serious criminal conduct—simply would not happen absent a change. Fortunately, today’s change effectively moots the issue for future investigations. Under the new language of Rule 41, a magistrate judge is authorized “to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information within or outside that district if: (A) the district where the media or information is located has been concealed through technological means.” The amendment is designed to authorize the issuance of precisely the kind of search warrant the FBI obtained in the Playpen operation.

The character of the criticisms surrounding the rule chance has, until now, been frivolous at best and actively disingenuous at worst. Critics purported to take issue with the process by which the Federal Rules are changed, describing the governing Rules Enabling Act as an “obscure bureaucratic process” and claiming that the procedures circumvented congressional input. As I’ve written previously, this is an inaccurate characterization. Under the Rules Enabling Act, Congress created a process by which subject-matter specific advisory committees propose rules to a Standing Committee, who in turn proposes changes to the Federal Rules to the Supreme Court. The Supreme Court then considers the proposals and annually promulgates new rules, which can be rejected or modified by an affirmative act of Congress. The Playpen cases and the Rule 41 change precisely demonstrate the need for this judicially-driven process.

As mentioned above and elsewhere, courts’ reliance on the good faith exception in declining to suppress evidence for a Rule 41 violation, means that absent a swift rule change, investigators would have been effectively unable to identify the physical locations of many individuals who consume and distribute child sexual abuse materials and in many cases offer (from the safety of their masked IP address) detailed confessions of ongoing “hands on” offenses against minor victims. The Playpen saga thus offers a rather compelling demonstration for why the Act shifts the burden to Congress to block rules the judiciary has deemed necessary and proper.

Rule changes are intended to promote the use of warrants, in part by making warrants easier to obtain. But rulemaking cannot alter constitutional requirements of a warrant, nor does it deprive Congress of the power to later impose statutory constraints. Following the rule change, we are now in the far more desirable situation of having a clear mechanism by which law enforcement can seek a warrant—subject to constitutional constraints—as opposed to the prior circumstances whereby law enforcement was unable to obtain a warrant even where it was clearly constitutionally permissible.

That is a good thing.

But it in no way resolves the substantive debate regarding the concerns critics have raised. With the faux-kerfuffle over the Rules Enabling Act behind us we can now turn to those specific substantive concerns.

First, there are outstanding legal questions regarding the precise nature in which warrants like those authorized in Playpen meet constitutional requirements such as probable cause and particularity. There are warrants which would have been impossible without the rule change that plainly satisfy all of these requirements, without any real controversy. Conversely, there are hypothetical warrants the government could possibly seek consistent with venue that unquestionably would violate constitutional requirements and which no judge would issue. Within those extremes are a great many shades of gray and the judicial branch will make the legal determinations based on specific facts of cases in controversy, as is their role and prerogative. No rule change, nor any statute, can alter those fundamental protections the Constitution offers.

Second, there are questions regarding what additional limitations might be placed on lawful hacking either as a matter of policy or statute. The executive branch had wide latitude to develop policy constraints on federal investigations. It is possible many concerns regarding specific use can be addressed through rules requiring particular equities balancing for the temporary facilitation of criminal conduct or obligations to exhaust all less intrusive investigative methods before using hacking tools. And if Congress determines executive policy limitations are insufficient in substance or should be more firmly entrenched, then it may pass legislation codifying these requirements in law. For example, many privacy and civil liberties advocates have called for the creation of a Title III for government hacking to address interrelated matters comprehensively.

Much has been made of the fact that the Rule 41 change now authorizes the issuance of warrants for operations that are likely to inadvertently search computers located outside the United States. This morning on Lawfare, Susan Landau asserted that the rule change allowed the FBI “to use a single warrant to hack into victims' machines no matter where they may be.” (Emphasis original). But the rule change authorizes no such thing. A procedural rule cannot create extraterritorial application of a law, nor create new authorities for searches. The change only designates a federal judge who can, in theory, issue a warrant for computers when the location is unknown—and therefore could be located outside the United States. The question of how handle the specific instances in which a computer located outside the United States is searched remains open.

The international dimensions at issue are undeniably complex. For any number of crimes, but especially the child sexual exploitation offenses at issue in existing warrants, relevant data is increasingly likely to be stored both in multiple jurisdictions and in jurisdictions outside of the primary investigating body. Both offenders and victims are located all over the world. And manifestations of the going dark problem specifically challenge traditional methods of establishing primary jurisdiction and respecting national sovereignty when executing computer searches.

Considering the urgency and international agreement regarding the nature of existing problems, any number of potential solutions might emerge. We might develop reciprocal norms regarding inadvertent violations of sovereignty that include obligations to notify the relevant jurisdiction and cease any search, triggered as as soon as evidence regarding probable jurisdiction is available. International joint investigations—through Interpol, Europol and others—are already commonplace and could provide another mechanism. We might develop international offense-specific rules, allowing for these searches only for commonly-defined serious crimes. We might address these matters in treaties such as the Budapest Convention. The reality may simply be that continually evolving technologies are a moving target, and so we may never reach a stable long-term understanding as laws and institutions adapt and instead cycle through short-term fixes.

All these questions—legal, policy, and international—are significant and need to be addressed. Congress will no doubt have a strong role in setting the discussion and debating the merits of proposed solutions.

The rule change means law enforcement is now able to do the jobs we all, without question, want them to be able to do. The enactment of the changes resolves those immediate and untenable problems which venue was never intended to create. Now we can turn to the work of convincing one another on the genuine merits of how and where to limit government hacking. That’s certainly a more difficult debate, but it is the one actually worth having.

Susan Hennessey was the Executive Editor of Lawfare and General Counsel of the Lawfare Institute. She was a Brookings Fellow in National Security Law. Prior to joining Brookings, Ms. Hennessey was an attorney in the Office of General Counsel of the National Security Agency. She is a graduate of Harvard Law School and the University of California, Los Angeles.

Subscribe to Lawfare