Senator Chris Coons, Democrat from Delaware, offered a bill today that would delay implementation of proposed changes to Federal Rule of Criminal Procedure 41 for six months. Stanford’s Center for Internet and Society and Mozilla have been studying issues related to government hacking including the Rule 41 changes. On October 27th, we hosted a discussion focused on these controversial changes and, without characterizing the point of view of any the panelists, want to share Mozilla and CIS’s observations of points of debate and of consensus from the event.
The proposed changes to Rule 41 have been the subject of considerable debate and disagreement. The revised rule would permit judges to issue warrants for computers outside their jurisdictions in two circumstances: if the computer’s true location has been hidden through technological means, or if the affected computers are located in five or more districts. Law enforcement has argued that the Rule 41 changes are procedural and are needed to investigate crimes in which culprits use anonymizing technologies to hide their location. Privacy advocates and technology companies have argued that these changes represent a substantive expansion of law enforcement’s hacking authority that should not be addressed through procedural rules.
These same disagreements were on display on our panel. Nonetheless, we were also able to find consensus on several broad points. Most of our panelists, both those in favor and opposed to the rules change, agreed that current law does not adequately address situations where the government has probable cause to search but does not know the location of computers likely to contain evidence of a crime. Panelists tended to agree that this gap should be filled. Panelists also generally agreed on some of the core substantive concerns raised by the rules change, though they differed on whether those agreed on concerns should be addressed before or after the rule change goes into effect.
One disagreement, as expected, focused on whether the changes to Rule 41 are procedural or substantive. One of our panelists noted that changes made by the court’s rules process are, by definition, procedural and could lawfully be adopted via the rules amendment procedures. Others noted that whether the rule change went forward on December 1st or not, eventually we would confront and have to deal with the substantive concerns.
Among the substantive concerns raised in the discussion, the one we returned to most often and appeared most ripe for congressional engagement was focused on the international implications of the rules change. That is, when law enforcement is granted a warrant for targets using anonymizing software, the target could be overseas. Law enforcement’s operation might therefore violate international law or treaties when hacking an anonymous target. Further, such an operation might violate the principle of reciprocity because we might not want other countries remotely hacking our citizens in violation of the treaties we’ve established with those countries. Our panelists disagreed as to whether such concerns could be addressed adequately by the courts through case law, given that targets overseas might not be subject to full U.S. legal process. A more viable path to address this challenge might be for Congress to establish a process and a remedy when law enforcement uses a remote hack to de-anonymize its targets and determines that they are overseas.
Panelists also disagreed about whether the rule change impacts the Fourth Amendment's 'particularity' requirement. In other words, does a warrant to search multiple computers in unknown locations particularly describe the place to be searched and the things to be seized as the Fourth Amendment requires?
Lastly, the panel briefly discussed the second change to Rule 41, which is intended to make it easier for law enforcement to obtain warrants to combat botnets. Our event took place roughly a week after the Mirai botnet was used in a large-scale denial-of-service attack (the Dyn attack) that temporarily disrupted access to many of the Internet’s most popular sites. An attack like that is notionally what this new provision is intended to address, but our panelists had relatively little to say about whether and how the rules change could be used to mitigate that threat. It seems the challenging legal questions about the territorial reach and Fourth Amendment implications of the rules change might have received comparatively more scrutiny than the botnet provision. In light of the serious nature of the Dyn attack, more work might be needed to understand how the botnet provision will be put into practice.
We had two competing positions on how concerns should be addressed. Given serious legal questions raised by the rules change, one can leave a gap in the law until Congress chooses to fill it. Alternatively, one can allow the rules change to go into effect, thereby eliminating procedural barriers to remote computer searches, and then allow substantive concerns to be address by the courts through case law (or by Congress if it chooses to act later). A drawback of this approach is that government hacking is inherently more opaque than other investigative techniques and might therefore not be adjudicated fully and openly by the courts.
If changes to Rule 41 go into effect on December 1st as scheduled, courts, Congress and the Administration will likely grapple with the substantive problems at some point down the road. In the meantime government hacking moves forward. If Senator Coons’ bill becomes law, there’s time to deal with those problems now, but the law enforcement gap remains unaddressed for six more months. Regardless, we should assume that substantive concerns need attention now, even if judges begin to issue warrants under the revised rule.