One problem with modern computer or computer related crime: it’s international in scope. But governments are limited by their borders, their authority, and their sovereignty.
A proposed change to the federal rules of criminal procedure that authorize US judges and magistrates to permit searches is either a minor tweak of a procedural rule designed to deal with a growing problem, which allows pedophiles and terrorists to escape prosecution, or the largest power grab in history, permitting cops in the US to insert code and take over computers anywhere in the world. Your pick. Either way, the rule changes went into effect on December 1, 2016.
In 2005, Russian hackers Alexey Ivanov and Vasiliy Gorshkov were invited to the US for a job interview with the Invita Corporation of Seattle Washington. To demonstrate their prowess, the pair logged into their computer in Chelyabinsk, Russia, downloaded hacker tools which they showed off to their prospective employer.
Unbeknownst to them, the Invita Corporation was an FBI front, and US law enforcement was monitoring everything they did. Armed with the captured IP address and password, the FBI got a federal judge in Washington State to issue a warrant authorizing a search of the Russian computer. The US courts upheld the warrant. The Russian government, needless to say was not so sanguine about having US law enforcement officials rummaging through the computers of their citizens without so much as a “by your leave.” They indicted the FBI agents for unauthorized access.
Rule 41 of the Federal Rules of Criminal Procedure, together with the Fourth Amendment govern the method of getting a search warrant to search for and seize evidence.
You have to provide a sworn affidavit to a federal judge or magistrate. Then you have to establish probable cause, specify the place to be searched and the thing to be seized with particularity. In the case of searches for electronic evidence you must provide a procedure for minimizing what you see, so that a warrant authorizing a computer search for child porn doesn’t authorize a rummaging through tax records for tax fraud.
As a general rule, a judge can only issue a warrant in their own district for a search in their own district – a judge in Manhattan NY could not authorize a search in Manhattan, Kansas. With 94 judicial districts, this also meant that a federal judge in Manhattan could authorize a search in the Bronx, but not in Brooklyn. Some limited exceptions exist for evidence that it travelling from one district to another, or evidence located outside of any district (like at U.S. diplomatic offices) or in certain domestic terrorism cases.
The proposed changes would permit a magistrate in any district “where activities related to a crime may have occurred” to issue a warrant “to use remote access to search electronic storage media and to seize or copy electronically stored information outside that district” if the district where the media or information is located has been concealed through technological means, or if there’s a computer crime investigation occurring in 5 or more districts.
The Deparment of Justice says this change is necessary “to ensure that tech-savvy criminals do not have immunity from investigation.” In a blog post on November 21, 2016 Assistant Attorney General Leslie Caldwell called for adoption of the rule change noting:
“Recent judicial decisions and news coverage have highlighted a recent investigation, of the Playpen website, a Tor site used by more than 100,000 pedophiles to encourage sexual abuse and exploitation of children and to trade sexually explicit images of the abuse. Investigators caught a break with Playpen. Authorities were able to wrest control of the site from its administrators, and then obtained approval from a federal court to use a remote search tool to undo the anonymity promised by Tor. The search would occur only if a Playpen user accessed child pornography on the site (a federal crime), in which case the tool would cause the user’s computer to transmit to investigators a limited amount of information, including the user’s true IP address, to help locate and identify the user and their computer. Based on that information, authorities could then conduct a traditional, real-world investigation, such as by running a criminal records check, interviewing neighbors, or applying for an additional warrant to search a suspect’s house for incriminating evidence. Those court-authorized remote searches in the Playpen case have led to more than 200 active prosecutions – including the prosecution of at least 48 alleged hands-on abusers – and, extraordinarily, the identification or rescue of at least 49 American children who were subject to sexual abuse.”
Despite surmounting this technological obstacle, however, the Playpen prosecutions still face an additional obstacle: a loophole in judicial procedures that makes it unclear which court – if any – an investigator is supposed to go to with a search warrant application when investigating anonymized crime.
Let’s be clear what we are authorizing in the rule change. If adopted (and it’s likely that it will be), the rulewould allow a judge in ANY district where activities “related to a crime” have been commited (not just the district in which the crime has actually been committed, where the defendants are likely to be located, or where evidence is likely to be found) to authorize law enforcement to break into a computer anywhere in the world, to install software, backdoor programs, or any technological means to get evidence of that crime.
This allows what’s called “forum shopping” or judge shopping. With the vast majority of the world’s Internet traffic passing through servers in Northern Virginia, investigators in Colorado investigating a Panamanian tax haven could go to a magistrate in Alexandria, Virginia and get a warrant to search the Panamanian bank. There are several terms here which are ambiguous, and which could be expanded to give US judges’ almost unlimited authority.
“Related to a Crime”
The nexus between the judge issuing the warrant and the crime being investigated is tenuous at best. If ANY activity in the district is related to ANY crime, then the judge has authority to issue a warrant for evidence outside the district. This activity can be as tenuous as an email being routed through the district, a website being viewable within the district, a potential victim travelling through the district, or even a router, hub or software used in furtherance of the crime being manufactured or transported through the district.
Thus, if the alleged “bad guy” uses the Windows OS, then “activity related to a crime” occurred in Seattle. If Mac OS, a judge in Northern California has potential jurisdiction – even if no crime occurred in these districts, or for that matter anywhere in the United States. The nexus between warrant and judge, and warrant and crime needs to be much stronger than just something “related to a crime.” In addition, there’s no requirement that the law enforcement officer demonstrate – under oath – such a nexus, or that the failure to adequately do so invalidates both the warrant and the evidence seized under the warrant.
“May Have Occurred”
The proposed rule change doesn’t even require proof that activity related to a crime have ACTUALLY occurred in the district in which the Court is located – just that it MAY have occurred.
There’s no standard of proof, and no consequence for being wrong. Sure, a botnet in Vladivostok MAY impact Hawaii. Why not? Since we are virtually sending US federal agents to kick in the door of some dude in Vladivostok, and grab his computer and take it back with us, we should have a reasonably high standard of proof that (1) a crime has actually occurred; (2) the crime occurred in the United States and in a particular district or multiple districts; (3) if the crime occurred outside the U.S., the U.S. has extraterritorial jurisdiction to investigate and/or prosecute the crime (some important legal mumbo jumbo, but significant); (4) that there’s likely to be evidence of that crime in the place we are searching; (5) there’s some significant nexus between the crime and the district in which the warrant is sought.
That’s really not a lot to ask, since the Fourth Amendment already requires the government to demonstrate under oath probable cause.
“To Use Remote Access”
This is a big one. What the heck is “remote access” in this context? What hath the courts authorized? Stealing user ID’s and passwords? Installing malware? Password cracking? Back doors? Trojan horse programs? What?
Short answer is – all of the above and more. Whatever technology that is developed now or in the future which allows an FBI agent in Des Moines to “search” a computer in Beijing?
And, of course, not just a computer. The law would allow a judge to authorize a search of the contents of a cell phone, an IoT device, a remote camera, a NEST thermostat – just about anything. It might also be used to conduct mass sweeps of the type used by the NSA and revealed in the Snowden documents.
A judge in the US could authorize “remote access” to a server, database, ISP, website, etc., anywhere in the world, and have a program continuously scan for information related (and not very related) to any crime which “may have occurred” in the U.S.
It’s one thing to take over a playpen child porn server, it’s another to take over a Japanese telecom company to search for information related to a U.S. criminal investigation. The term “remote access” covers a multitude of possible actions. If the “remote access” damages or destroys information on the target computer, who is liable? If the remote access violates the laws of the nation in which it is invoked, are US officials liable for prosecution? If the remote access is targeted at the wrong person or persons? What if the remote access allows seizure of information protected by privilege or privacy laws in the foreign nation?
Pretty heady stuff. And with the U.S. government interpreting the authority to seize records “relevant to a crime” to mean that they have the authority to seize the entirely of databases if a portion thereof is “relevant to a crime” (e.g., mandating that telcos turn over the records of EVERY phone call so that they can be searched for relevant records), the rule change would theoretically permit US law enforcement to compile and retrieve massive databases of information through “remote access” and then search them here.
So EVERY European’s search history could be “remote accessed,” retrieved, taken to the US for analysis, and then scanned for the evidence the Court has looked for. This points out a problem with how electronic searches are conducted generally. If I am looking for, for example, MD5 hashes of known child porn, and I scan every attachment to every email of every person in the world, and only examine those with the MD5 hashes, have I “searched” the email of the ones my program let through? I think so, but the term “remote access” is broad enough to drive a couple of thousand semis through.
“To seize or copy electronically stored information”
Here’s another ambiguous term. The rule change permits a court order to allow remote access for the purposes of seizing or copying electronically stored information. Seems simple, no? I mean, why is that any different than seizing a paper document or record?
Because it is. It’s an entirely different kind of seizure altogether.
The rule would not only permit taking of existing documents. It would permit installation of remote access devices to take information which doesn’t now exist. Future IP information. Scanning for evidence. Installing logging software. Installing data analytics software. Remotely turning on webcams, microphones, tracking devices. A webcam, for example generates “electronically stored information” – even if that information is only stored incidental to transmission.
Thus, a warrant in the U.S. can authorize the “seizure” of that information. This is not mere hyperbole. US courts within the US have authorized things like turning on OnStar systems or IoT devices to make them spy on their owners or users. US Courts authorize turning cell phones into real-time or near real time tracking devices.
If the goal of the amendment is to permit the seizure of documents or records that exist at the time of the issuance of the warrant, then say so, and limit the rule. Make it explicit that a US court can’t issue a warrant overseas to install a tracking device. Or other surveillance.
Remember, once this is enshrined in the law, it will be interpreted in the broadest possible way. While the DOJ calls for a limited rule change to deal with pedophiles, botnets and terrorists, the rule will inevitably be expanded, and the authority granted will likewise expand.
“If the district where the media or information is located has been concealed through technological means.”
So, this appears to suggest that an “anywhere” warrant can only be issued where the cops don’t know – and can’t determine where the media or information is located, right? As Lewis Carroll’s Humpty Dumpty noted “When I use a word, it means just what I choose it to mean—neither more nor less.”
The rule does not, by its terms require that the police not know where the information they are seizing is located, just that the location be “concealed” through technological means.
It doesn’t require that concealment to be effective, or even that the cops be fooled. So if a French hacker uses IP spoofing, or a proxy server to further ANY crime, this fact alone authorizes a judge in the US to issue a warrant for remote access to the French computer, even if the police in the US know precisely where that computer is located.
All that is required is “concealment” and “technological means.” If I use a third party to post my whois information, I have “concealed” where I am – potentially through technological means.
This must be further elaborated. Sure, if you know there’s a crime going on, and you know the website or botnet responsible for the crime, and where you are going to search, but you don’t know what district the evidence is located and, and this is important – cannot, with the exercise of reasonable diligence, determine the location of the evidence, then searching with an anywhere warrant might be reasonable.
But you know what’s going to happen with this language. There will soon be a boilerplate warrant in which law enforcement agents simply – and universally – state that “the district in which the information is located has been concealed through technological means” in just about every case. No muss, no fuss.
Also, what if, during the course of a search, it becomes obvious WHERE the search is located? Must the police then stop the search and resort to the ordinary practices of obtaining international cooperation? Maybe they can take steps to preserve the evidence in advance of international process for search? Nope – in for a penny, in for a pound.
Five or More Districts
This one is just silly. The rule allows these “anywhere” warrants in computer crime prosecutions if there’s an investigation of damage to media in computers and the damage exists on computers in “more than 5 districts.”
The fact that there’s a multi-district investigation, or multi-district impact doesn’t mean that there isn’t an appropriate district for the issuance of a search warrant. Remember, the maginstrate must have authority to issue the warrant and authorize the search. In general that means that the search should occur where the magistrate is located. Under this provision, if the FBI shows that a DDoS attack impacted computers in 5 districts (and don’t they all?) then the FBI can go to any judge anywhere in the country and get a warrant to search any computer anywhere in the world.
It also permits the time honored tradition of manufacturing crimes, manufacturing jurisdiction and manufacturing venue. If you enhance punishment for sale of drugs near schools, undercover cops will arrange meetings at 2AM that just happen to be near a school. If a wire fraud statute requires an interstate phone call, the FBI agent will drive across the George Washington Bridge from NY to NJ to create the crime. And if your authority to get an “anywhere” warrant depends on computers being in more than 5 districts, you can yourself distribute the attack to get the result you want. Violia! Instant international jurisdiction.
Letters Rogatory, Treaties, and MLAT’s
To ask whether the amendments to Rule 41 are reasonable, let’s ask how the US would feel if, for example the Nazmiyeh (Iranian law enforcement) or the Islamic courts in Iran executed warrants to seize evidence from US computers related to possible crimes against the Iranian government.
Or if the North Korean Ministry for People’s Security did the same. Or, for that matter, Scotland Yard, or French Surete? The entire concept of sovereignty relies on the fact that nations have authority to act only within their respective jurisdictions. As much as the bobbies in London might want to fly to New York and kick in some doors (or heads) they can’t do it. To conduct a search in a foreign nation – even a lawless one, or one that actively promotes or encourages crime – you have to apply the law of nations (or be willing to face the consequences of not applying the law of nations).
To get evidence from a foreign nation, you either have to apply for what is called “letters rogatory” – where the Courts of one country ask for assistance of the Courts of the other country to get the evidence requested. It’s slow, expensive and ill-suited for the Internet age. Another way is to use what’s called an MLAT. Mutual Legal Assistance Treaty, or more accurately, a Mutual Treaty for Assistance in Criminal Matters. This is what permits a cop in Kansas to get the Gendarme in Paris to conduct a search or compel production of records, or go out an interview witnesses in the City of Lights.
Sure, where you have NO IDEA where the bad guy is, and can’t with the reasonable exercise of diligence find out where they are, you should be able to go to a court in the U.S. and get a warrant to at least determine where the evidence is located. Maybe even preserve that evidence to ensure that it’s not destroyed.
But to be able to just “take it” from a foreign country because you didn’t initially know where it was? That gets into sovereignty issues. Why should a judge in Kansas be able to issue a warrant to seize evidence in Paris, France – over the objections of the French government?
The proposed rule is intended to deal with a genuine problem of how you conduct a search and seizure when you don’t know (and can’t find out) where you are searching. Fair ‘nuff. But it goes way beyond this, and could allow continued searches, seizures, siphoning of data, and installation of monitoring and tracking devices overseas even after the location is determined.
So it’s a broad solution to a narrow problem. And you can expect it to get even broader. Keep posted.