On December 1, the revised version of Federal Rule of Criminal Procedure 41 went into effect. The Department of Justice, which first proposed an earlier (and more expansive) version of the rule change in September 2013, has described the amendment as a much-needed procedural update in light of the growing use of anonymization tools and multi-jurisdictional cybercrime. Specifically, it grants courts jurisdiction to issue remote search warrants when the location of a sought-after device or data has been concealed due to technological means, and it allows for the issuance of multi-jurisdictional remote search warrants in certain circumstances.
But a range of privacy groups and outside observers—on both this site and elsewhere—have decried the changes as much more than that. They have accused the Judicial Conference, the policy-making arm of the federal judiciary, of pushing through sweeping substantive changes in the guise of a procedural amendment. The rule has been described as resurrecting “general warrants,” authorizing “mass hacking,” and enabling “the broadest expansion of extraterritorial surveillance power since the FBI’s inception.” Senator Ron Wyden (D-OR) and Representative Ted Poe (R-TX) introduced “Stopping Mass Hacking” Acts in their respective chambers of Congress that, had they been adopted, would have prevented adoption. And the day before the rule went into effect, Senators Wyden, Steve Daines (R-MT) and Chris Coons took to the floor warning of “unlimited power for unlimited hacking” and urging the Senate to take action to delay or prevent the rule change.
But while the changes are clearly more than the mere procedural updates suggested by the Judicial Conference and government, they are not nearly as sweeping or dramatic as the anti-rule-change rhetoric suggests. That said, they do carry the risk of unintended side effects, with potentially significant implications for both security and privacy, as well as foreign policy. Careful judicial scrutiny of sought-after warrants and additional statutory controls are needed to prevent the rhetoric from becoming reality.
The key amendments are four-fold:
First, for the first time the rules explicitly authorize the use of “remote access” search warrants, albeit in limited situations only (as detailed in the second and third points below). While remote search warrants have been authorized numerous times in the past (see examples listed on pp. 2-4 here), the federal rules themselves have never explicitly authorized such searches. At least one judge has raised constitutional questions about the use of such tools in situations where the target device is unknown.
Such a rule change, however, does not in any way resolve the underlying constitutional questions or establish the legitimacy of a requested search in any particular case. The government must still establish probable cause in order to conduct the search; and courts can—and in fact must—separately ensure that any warrant they issue passes constitutional muster. And just in case that wasn’t already obvious, the Committee that promulgated the rule made it explicit in an accompanying note: “The amendment does not address constitutional questions, such as the specificity of description that the Fourth Amendment may require . . . leaving the application of this and other constitutional standards to ongoing case law development.” Both before and after this amendment, courts must deny any request that is akin to a general warrant or fails to satisfy the constitution’s particularity requirement.
Second, the revised rule authorizes the use of such remote access searches in situations when the location of a sought-after device or data is unknown and “has been concealed through technological means.” This responds to the problem that cyber-criminals increasingly employ anonymization tools to hide their location. Because courts can generally only issue warrants for property located within their district, some judges have ruled that they lack jurisdiction to issue a warrant in such circumstances. The amendment is in many ways a direct response to these rulings. It also means that in at least some situations the government will be remotely searching data or a device that is located extraterritorially; after all, if the location is unknown there is no way to ensure that it is within the United States’ borders. This, however, is not the same thing as authorizing a massive expansion of extraterritorial surveillance; in fact, the Department of Justice has explicitly stated that any such warrant will not have any effect if it turns out that the target device or data is located outside the nation’s jurisdiction.
Third, the revised amendment authorizes the issuance of multi-device, multi-district searches in the investigation of certain computer fraud crimes, so long as the fraud has resulted in the damage of protected computers located in at least five different districts. The Department of Justice says it needs this authority to effectively respond to situations in which a botnet has infected multiple computers in multiple jurisdictions, which are then used, for example, to launch large-scale denial-of-service attacks or steal personal and financial data. It would allow the government to install software enabling a remote search or seizure on multiple victim computers pursuant to a single warrant issued by a single judge—thus earning the label “mass hacking.” The Department of Justice emphasizes that the substance of what it can do hasn’t changed at all; the only thing that has changed is that it needs only one warrant to do so.
Fourth, it specifies that in remote searches, the government must make “reasonable efforts” to serve a copy of the warrant on the person whose property was searched. In other situations, notice “must” be given.
To be clear, the government still needs to obtain a warrant based on probable cause to engage in any such search. The constitutional requirement of particularity still applies. And the additional requirements imposed by the Wiretap Act with respect to any interception of real-time communications that might result (if, for example, a computer’s microphone or camera were remotely activated) still must be complied with.
That said, there is no doubt that the amendment makes it a whole lot easier for the government to seek and get approval for remote searches and the use of network investigative techniques that enable it to install malware on a target computer. It both makes explicit the authority to engage in these types of remote searches and clears jurisdictional and logistical hurdles that otherwise make it difficult (or impossible) for federal agents to obtain judicial approval. There is also no doubt that the amendment will, at least in some circumstances, result in remote searches of—and the installation of malware on—data and devices located extraterritorially.
These developments raise important security, privacy, and foreign relations considerations. They thus point to the critical importance of rigorous court review, meaningful internal, executive-branch controls, and further congressional action.
First, at the same time that remotely accessing a device may provide the only way to effectively identify perpetrators, protect attacked devices, and gather information, the use of such hacking tools carries risks. Among the concerns, network investigative tools developed and employed by the government can be co-opted and used by criminals; malware designed to protect attacked devices can inadvertently spread and infect additional devices; and multi-target searches may, and in fact are likely to, lead to the search and seizure of the data of wholly innocent persons.
Courts are on the front lines in protecting against these risks. They have a critical role to play in assessing the specific tools being employed, ensuring that the constitution’s requirement of particularity is being complied with (which requires an understanding of where and how the tool is to be applied), insisting on effective minimization procedures to protect against the retention and dissemination of non-relevant information, and, whenever possible, demanding that the government provide meaningful notice to the target of the search or seizure. But understanding and assessing what the government is seeking to do requires at least some technological expertise. Additional judicial training, as well as funding for technical experts to assist when necessary, is needed in order to ensure judges have sufficient expertise to ask the right questions, identify situations in which they require additional guidance, and obtain that expert assistance.
The potential security costs of malware gone wrong also mean that the executive branch should take extra precautions before employing a novel network investigative technique. DOJ should require Department-level approval of requests for remote search warrants. And it should demand rigorous and periodic security reviews by both internal and independent experts of the tools being employed. Congress should demand this as a statutory requirement and also require reporting on the use of remote search warrants, akin to what is required under the Wiretap Act (see 18 USC § 2519).
More broadly, in recognition of the potential security and privacy risks involved, Congress should legislate specific, additional showings that must be made to the court before a remote search warrant could be issued, even in the limited circumstances permitted here. Here, also, the Wiretap Act provides a good model. Among other requirements, the government should be obligated to provide details about the target of the search and method of searching, explain why other techniques reasonably appear unlikely to succeed, and put in place minimization requirements. Authorizations should be time-limited.
Second, the executive should put in place a clear protocol for addressing the situation in which a remote search results in the search or seizure of devices located extraterritorially. As already stated, the Department of Justice has acknowledged that the courts have no jurisdiction to authorize searches of extraterritorially located devices or data. But it did not say what it would do if and when it uncovered that it was searching devices located in other countries. The protocol should require immediate notification to the foreign government, absent a joint Attorney General and Secretary of State determination that such notification would significantly jeopardize the investigation. Congress should make this a statutory mandate. It should also demand reporting on the number of instances in which extraterritorial searches were inadvertently authorized and the circumstances, and it should require that those reports be made public to the extent possible without jeopardizing ongoing investigations or national security.
Meanwhile, the executive should recognize that the United States is not the only government employing increasingly sophisticated remote search tools, including on devices that may ultimately be located in the United States. The United States should work with foreign governments to establish mutually-agreed protocols for responding to what is likely to be the increased reliance on governmental hacking—including the likelihood that a device or data being accessed by a foreign government turns out to be in the United States.
These are novel and complicated issues. I fully agree with the critics who have argued that these kinds of quasi-procedural, quasi-substantive rule changes are things that should have been, and still should be, taken up and addressed by Congress. But it’s not too late for Congress to do so; it can and should demand the kind of additional protections I (and others) have described. Meanwhile, federal prosecutors must satisfy probable cause, particularity requirements, and other statutory requirements (such as those imposed by the Wiretap Act). Courts still need to approve such requests—an authority they should exercise with care. And if and when the search leads to criminal charges, it will be subject to potential challenge and further judicial review.