On April 28, 2016 the United States Supreme Court proposed a modification to Federal Rule of Criminal Procedure 41 that significantly alters the manner in which the government can obtain search warrants to access computer systems and electronically stored information that will no doubt have an effect on hackers and hacking victims alike. The modification will go into effect on December 1, 2016, barring Congressional intervention.
The proposed rule change would empower federal magistrate judges in “any district where activities related to a crime may have occurred . . . to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information” regardless of where the computer being searched may be located so long as “the district where the media or information is located has been concealed through technological means” or, in computer fraud cases, “the media are protected computers that have been damaged without authorization and are located in five or more districts.” The full text of the proposed rule change is available here. Under the old rule, the government generally could obtain a warrant to access electronically stored information only from a magistrate in the district where the computer with the stored information was physically located.
Proponents of the new rule say the change is necessary to allow the government to respond quickly to cyber-attacks of unknown origin—and in particular malicious “botnets”—which are becoming increasingly common as hackers become ever more sophisticated. Responding to a request for comment by Bloomberg News, a Justice Department spokesperson explained that “[t]he use of remote searches is often the only mechanism available to law enforcement to identify and apprehend” hackers.
But others say the new rule will dramatically expand the government’s power to search computers without their owners’ consent—regardless of whether those computers belong to criminals or to the victims of a crime. For example, as Amie Stepanovich, a policy lawyer for digital civil rights organization Access Now, explained to the Advisory Committee on Criminal Rules, “[v]ictims of botnets include journalists, dissidents, whistleblowers, members of the military, lawmakers and world leaders, or protected classes. . . [with] inherent rights and protections under the U.S. Constitution, the International Covenant on Civil and Political Rights, and/or other well accepted international law. Without reference to or regard for these rights and protections, the proposed change would subject any number of these users to state access to their personal data on the ruling of any district magistrate.”
The new rule also loosens the traditional requirement that the government must provide a copy of the warrant to the party subject to search. Under the new rule, the government would only need to “make reasonable efforts to serve a copy of the warrant and receipt on the person whose property was searched or who possessed the information that was seized or copied.” “Reasonable efforts” can include the use of “electronic means, reasonably calculated to reach that person”—such as an email notification that could itself appear to be malicious. It is possible that a person whose computer is searched by the government pursuant to the new rule may never know it.
Pursuant to statute, the proposed rule change will automatically go into effect on December 1, 2016 unless Congress acts affirmatively to block it. Senator Ron Wyden of Oregon has already launched a campaign to that effect. (Some of our colleagues from Patterson Belknap are providing legal representation to assist Senator Wyden in a separate matter related to the government’s electronic surveillance authority.)
But assuming it goes into effect, the impact of new Rule 41 could be felt by any business that relies on distributed network or cloud-based computing systems (as many now do). Under the new rule, a single warrant will potentially give the government access to a business’s entire network of computers, regardless of the location of the computers, raising privacy concerns for businesses (and individuals) who are the victims of data breaches. It also potentially heightens the risk that a warrant issued to find a hacker could yield unrelated information about the victim business that the government may seek to use against the business for other purposes—for example, evidence of a potential regulatory violation.
There are also multijurisdictional implications of the new rule that have yet to be fully explored. Many businesses now rely on server networks that span the globe and regularly shift data loads to different geographic locations based on demand and other factors. Conceivably, a warrant issued pursuant to the new Rule 41 could permit a remote search of a computer in a foreign jurisdiction that could run afoul of existing international agreements and foreign laws, including MLATs—mutual legal assistance treaties—that were created to facilitate foreign searches.
If the new Rule 41 goes into effect, only time will tell how the government will use the rule and how Courts will interpret it both when asked to issue warrants and when asked to suppress evidence obtained pursuant to these potentially broad warrants. We will continue to monitor the progress of and responses to the proposed new Rule 41.