Consider this hypothetical: Frustrated with ads on his smartphone, John Doe disables access by mobile apps to his location data on his Android phone (like many smartphone users already do)…and as a result, his smartphone gets caught within the scope of a criminal warrant that copies the information from his smartphone and exposes highly confidential and personal information entirely irrelevant to the criminal investigation to governmental investigators. Far fetched? Not when the new amendments to Rule 41 of the Federal Rules of Criminal Procedure take effect on December 1st, 2016. Stemming from a proposal made by the advisory committee on criminal rules for the Judicial Conference of the United States, the Supreme Court of the United States (SCOTUS) approved these amendments in April of this year that significantly increase the power of the federal government to remotely access computers and mobile devices under a judicial warrant. Rather than remain limited to their local jurisdiction, magistrate judges would now have the power to issue warrants to remotely access computers (either specifically or as part of a larger network, such as a botnet or VPN) where anonymizing technology was used to hide the location of such computer(s)…arguably even internationally.
Frustrated with the pace of technological developments that have been stymieing federal investigations (such as data encryption and online anonymizers such as Tor), the Department of Justice has been arguing for years that the Federal Rules of Criminal Procedure (dating all the way back to 1917) needed to be updated to reflect the “digital age”. U.S. Assistant Attorney General Leslie R. Caldwell has blogged that such amendments comport with existing 4th Amendment protections, and that remote searches are already permitted so long as the legal requirements are met. Multiple search warrants for multiple jurisdictions (up to 94 under the new rules) would no longer be required (such as “a search warrant to assist in the investigation of a ransomware scheme facilitated by a botnet that enables criminals abroad to extort thousands of Americans”). The question, however, is not whether changes are needed (they are), but whether the current changes simply go too far (they might). As implied by the introductory hypothetical above, anyone using anonymizing technology (say, in California) can become caught in the sights of a warrant issued in Texas. Further, victims of botnet or malware attacks could foreseeably find themselves victimized by not only the initial attack, but by the government’s subsequent remote access under a warrant – access that may uncover highly personal information entirely irrelevant to the underlying investigation or otherwise adversely impact the operation of their mobile device. Forum shopping is not just possible, but could be expected. Moreover, the current language of the amendments can implicate computers well outside the U.S. – a such as an innocent foreign user whose computer is unknowingly compromised as part of a botnet would now have their computer foreseeably subject to U.S. government access (even arguably through its OWN botnet framework designed to perform multiple access across multiple platforms)…without such user potentially even knowing it.
Such rule changes were passed to Congress, which could have rejected the implementation or remain silent, thereby permitting the rule changes to come into effect. Unfortunately, a last-minute effort in the Senate to block or otherwise delay the implementation of these amendments was unsuccessful. Additional debate on further narrowing remote access requirements or otherwise clarifying the locus of anonymizing (i.e. solely limited to the suspect versus remote computers and mobile devices of third parties] would help assuage public fears and misconceptions. From this author’s perspective, the Federal Rules of Criminal Procedure did indeed need some modernization to reflect a more digital world, of which some of the changes are welcome. That said, implementing such sweeping changes without robust public debate is troublesome to say the least. Balancing the personal privacy interests of the individual against the need to effectively prosecute criminal conduct is a delicate process…and amending procedural rules that have the effect of expanding substantive powers and tilting such balance should not be relegated to implementation without such public debate. Unfortunately, that has not been the case here…making everyone’s data more vulnerable in the process.