Myths and Facts about the FBI’s Supposed “Warrant to Hack”
A group of five senators, led by Senators Wyden and Paul, have introduced legislation to prevent changes to the Federal Rules of Criminal Procedure from taking effect. The one-page Stopping Mass Hacking (SMH) Act (released along with a brief summary) states that the proposed amendments to FRCP Rule 41, which the Supreme Court approved, “shall not take effect.” The amendments would alter Rule 41’s venue requirements, which prevent a judge from approving a warrant when the target is located outside of his or her district. The amendments would create two new exceptions to this restriction, permitting judges to approve out-of-district remote access computer search warrants: 1) when suspects conceal their online location and identity, engaging in crime anonymously; and 2) when malware affects innocent users in five or more districts. Remote access searches allow the government to covertly access and collect information stored on a target device through an Internet connection, without ever physically seizing it.
The first exception is intended to eliminate a jurisdictional hurdle frustrating the investigation of crimes committed by users utilizing techniques to hide their identity and location. Federal judges only have authority to issue warrants for devices they know to be in their district. Thus, if the location of the device is unknown—such as when the suspected criminal is using an anonymizing tool to hide his or her device’s IP address—no judge in the country has authority to issue the warrant to search the unlocated user’s device. The amendments seek to solve this problem by authorizing a judge to grant out-of-district warrants in such investigations where a device’s location information is “concealed through technological means.” If the amendments take effect, the government could apply for a warrant to search an anonymous user’s device in any district “where activities related to a crime may have occurred.”
The second exception would create a mechanism by which law enforcement could more easily investigate botnets. A botnet is a network of computers infected with malicious software that enables simultaneous command by a single control mechanism or “master.” This network of compromised computers or “zombies” can be used to accomplish any number of illegal and harmful activities. Remote access searches enable law enforcement to gather information on these infected computers, which the government could use to amass evidence of the crimes, map out patterns of activity, and, ideally, catch the master. However, the government would currently need to apply for a separate warrant in each jurisdiction where a set of zombies is located. This presents a significant hurdle because a single botnet can affect millions of computers, which are likely spread out throughout the 94 federal judicial districts (and the world). The amendments seek to remove this hurdle by permitting the government to apply for a single warrant that covers all devices related to the investigation of certain computer-related crimes that have damaged computers in five or more districts.
The Rule 41 amendments also alter the notice requirements for remote access search warrants. Currently, an officer executing a warrant must provide the subject of the search with both a copy of the warrant and a receipt for property taken. The amendments modify these requirements in remote access searches, such that the government would only need to make reasonable efforts to serve a copy of the warrant on either the person whose property was searched or whose information was seized or copied. This means that either the individual who owns the remotely accessed device or the actual owner of the seized information, or both, may never receive notification that their property was searched. Such lack of notice limits targeted individuals’ ability to challenge the validity of remote access warrants, while simultaneously expanding law enforcement’s ability to target larger numbers of computers. This is especially troubling for locations with publicly shared computers used by numerous people, such as in corporations, libraries, and schools.
While these proposed amendments are styled as procedural rule updates, they implicate increasingly important law enforcement issues and have substantial policy ramifications. Accordingly, they deserve serious attention from both Congress and the public. Given the amount of debate surrounding these changes, it is important that those involved are armed with a clear understanding of the issues. To that end, outlined below are 6 myths about the Rule 41 amendments and the realities underlying them.