First published in the Spring 2017 edition of Partnering Perspectives.
Amended Rule 41 of the Federal Rule of Criminal Procedure, which became effective December 1, 2016, expands federal law enforcement’s power to remotely search and seize electronically stored information (ESI). The amended rule permits federal law enforcement agencies to seek a warrant from a “magistrate judge with authority in any district where activities related to a crime may have occurred” and use that warrant to legally access, search, and copy data “concealed through technological means” on any computer system that may be storing ESI pertinent to, or damaged by, a crime. The rule has caused consternation among privacy activists and technology companies on constitutional grounds and because the potential extraterritorial reach of the rule may clash ultimately with international privacy laws.
Prior to the rule change, federal law enforcement agencies were required to obtain a warrant from a magistrate with jurisdiction over the location where the targeted computer system was physically located. This requirement proved challenging for law enforcement because computer locations can easily be hidden or masked over the internet using tools like Virtual Private Networks (VPNs) or secure browsers that anonymize the source of the internet traffic. These tools, however, are often used for legitimate purposes by individuals and organizations alike. VPN software allows for private browsing of the internet, and organizations often use the tool to provide employees with a means to remotely access corporate systems, allowing those individuals to stay connected outside of the office.
The Department of Justice, understanding that it cannot reseal Pandora’s box, cited the increased use of masking by criminals as justification for the expanded warrant power. The department also argued that the rise of botnet attacks—in which a host computer takes control of millions of other internet-connected devices for nefarious purposes—justified the rule change. Indeed, in October 2016, a version of the Mirai Botnet infiltrated a series of unprotected internet-connected devices, mainly security cameras and DVRs, that were then used to overwhelm and crash servers hosted by Dyn, an internet infrastructure company. Dyn provides services to some of the internet’s major household names, including Twitter, Amazon, Netflix, Paypal, Reddit, CNN, the BBC and The New York Times, all of which were taken offline in some capacity during the attack. Proponents of the Rule 41 amendment also have argued that the rule merely addresses venue and does not create or alter substantive rights or duties (which would violate the Rules Enabling Act).
Not surprisingly, opponents of the amendment are concerned that it will place unchecked power in the hands of law enforcement agencies at the expense of privacy rights. Allowing the government remote access to search and seize or copy all internet-connected devices affected by an attack that could occur anywhere in the world might result in individuals and corporations, unaware that their devices were co-opted by a bad actor, being hacked twice—once by the fraudster and then by the government. Opponents are concerned that law enforcement’s effort to combat cybercrime could ultimately compromise data integrity and further erode privacy on the internet.
There are protections in place to limit the reach of amended Rule 41. First, the officer executing the warrant must make a reasonable effort to notify the owner of the computer. It should be noted, however, that Rule 41 does not elaborate on what actions would constitute a reasonable effort. Second, the warrant must meet the particularity requirement, mandating that the warrant describe the specific things to be seized. While this requirement is intended to prevent a general, overbroad search of an entire computer system, tech savvy opponents of the amended rule are concerned that some network investigative techniques used by law enforcement may be able to remotely access and extract more information than is specified in the warrant. Third, the hacking incident must have affected protected computers in at least five judicial districts or the information sought by law enforcement must be “concealed through technical means” before law enforcement can seek a warrant of this nature. While these provisions should place limits on the potentially expansive power granted by the rule, risks remain that federal law enforcement will engage in forum shopping to seek out magistrate judges who may lack technical expertise and be more likely to issue a wide-ranging warrant.
Additionally, the rule change is raising privacy concerns overseas, particularly within the European Union. The EU Data Protection Directive (Directive 95/46/EC) prohibits the processing or transfer of personal data to a country outside the European Economic Area (EEA). The US-EU Safe Harbor framework, which allowed for data transfer between the EEA and the US, was invalidated on October 6, 2015, after a finding by The Court of Justice of the European Union that certain US surveillance practices infringe upon Europeans’ rights and freedoms in regard to the processing of personal data. The Privacy Shield framework, enacted to replace Safe Harbor and restore legal data transfer, has come under fire by some in the European Union for not containing adequate privacy safeguards.
While Rule 41 does not address the extent to which US federal law enforcement agencies may access data in foreign countries, critics are concerned it could give the agencies the ability to remotely access, search and seize ESI from computer systems, wherever located, that either have been hacked (so long as the hack impacts protected computers in at least five US judicial districts) or are concealing information through technical means. If the rule is used to remotely access computer systems abroad, the US government may encounter pushback from foreign governments and citizens alike, further endangering the Privacy Shield framework and other diplomatic arrangements.
The amendments to Rule 41, although approved by the Supreme Court of the United States and sent to Congress on April 30, 2016, were met with some skepticism from at least two Senators.
A group of 50 US based organizations, led by Google, PayPal, and the ACLU, among others, also raised concerns about the breadth of the rule change and what it could mean for their clients’ privacy.
Rule 41 has the ability to become a useful tool in the federal law enforcement toolbox. There is the potential for abuse, however. A broad interpretation by both federal law enforcement and the federal courts could lead to significant conflict with those nations that view privacy as a right, not a privilege. Foreign governments and their citizens may not welcome the prospect of the US government using Rule 41 to remotely access personal and business information stored on foreign computers without the consent of the foreign state. It is important for businesses to monitor how amended Rule 41 will shape the global data privacy landscape and adjust their privacy and data protections and practices accordingly.