The Lorax of the Rules Enabling Act: How Not to Stop Mass Hacking

By Susan Hennessey
Friday, September 16, 2016, 11:25 AM

Senator Ron Wyden published an article in Wired this week, co-authored by Matt Blaze and Lawfare’s own Susan Landau, alarmingly entitled, “The Feds Will Soon Be Able to Legally Hack Almost Anything.” There is a lot to say about the substantive problems with the arguments advanced in the piece, as well as the serious problems with Wyden’s Stop Mass Hacking Act legislation aimed at preventing the Rule 41 change scheduled to take effect December 1. But I’ll save thoughts on those issues for a later post. Right now, I want to address a more pressing concern.

Here—like the Lorax who speaks for the trees—I am compelled to defend the suddenly-maligned Rules Enabling Act.

In Wired, Wyden and his co-authors write:

Why would Congress approve such a short-sighted proposal? It didn’t. Congress had no role in writing or approving these changes, which were developed by the US court system through an obscure procedural process. This process was intended for updating minor procedural rules, not for making major policy decisions.

This kind of vast expansion of government mass hacking and surveillance is clearly a policy decision. This is a job for Congress, not a little-known court process.

This sentiment echoes Wyden’s previous statements on the Rule 41 change, which he alleges is the result of “an obscure bureaucratic process.”

It is worth unpacking this strain of criticism, which is shared by many opponents of the rule change. The basic allegation is that the government is somehow circumventing the normal order with the effect—intended or otherwise—of preventing congressional input on important matters.

The objection to ordinary rulemaking as an “obscure bureaucratic process” casts the effort in a nefarious light, and intimates that the government is manipulating the law to the detriment of democratic processes. A similar strategy was deployed by critics of the FBI and DOJ in their standoff against Apple last February; those objectors painted the use of the “colonial-era” All Writs Act as an aberration, ignoring its routine contemporary use.

As with the San Bernardino case, both common practice and the historical record refute these claims outright.

 

The Proposed Change and Problems Solved

First, a refresher on the proposed rule change at issue. Currently, Federal Rule of Criminal Procedure 41 includes territorial venue provisions which authorize magistrates to issue warrants generally within their district, and it extends that jurisdiction in a set of narrowly defined circumstances. Under the existing rule, when an individual uses Tor or other proxy services to hide his or her IP address—and thus physical location—law enforcement is unable to seek a warrant from a magistrate within the district where the computer is located, because the district is unknown. In fact, the precise aim of many of the “Network Investigative Techniques” used by the FBI to date is to obtain the unmasked IP address of a computer in order to obtain a warrant for a physical search within the district where it is located.

A second problem arises in the context of “botnets,” wherein the FBI may be aware of the physical location of numerous victim computers, spread over many different federal districts. The current rule requires obtaining a warrant within each district in which a victim computer is located prior to taking remediation action—which qualifies as a “search” of said computer. This leads to significant operational delays and, from the government’s perspective, unnecessary expenditures of resources.  

The Supreme Court recently approved amendments to Rule 41. Under the new language, a magistrate judge will be authorized “to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.”

The first change is designed to solve the problem of individuals concealing their physical locations and the second is a convenience rule specific to botnets. In his article, Wyden objects specifically to the second change and fails to address the other problems. But importantly, his proposed “Stop Mass Hacking Act” rejects the rule change outright, instead of eliminating only the second botnet provision. If Wyden prevails, the status quo—and all attendant problems—will persist.

 

The Rules Enabling Act

Leave aside for now the substantive merits of the debate. I want to address the criticisms of the procedures for implementing the change. Wyden and others shield themselves from hard questions about the tolerability of the status quo and lack of alternatives to the change, by framing their objections as questions of fair play. This, they say, is a matter for Congress to decide and the executive and judiciary are using rulemaking to prevent the needed debate.

Those criticisms materially misrepresent not only the statutory operation of the Rules Enabling Act but also the history of changes to the federal rules, and to Rule 41 in particular.

Pursuant to the Rules Enabling Act, the Supreme Court is authorized to promulgate the rules of procedure for federal courts, which have the binding force of law. Later amendments to the law codified the role of the Judicial Conference as the principal rulemaking body. Under current practice, subject matter specific advisory committees evaluate proposed changes to the rules and, when authorized by the Standing Committee, publish draft amendments for public comment. Upon review of all submissions and independent analysis, the Standing Committee recommends changes to the Judicial Conference, which then submits the proposed changes to the Supreme Court. The Supreme Court considers the proposals and promulgates the rules prior to May 1, which then take effect December 1, unless Congress enacts legislation to reject, modify, or defer the change. Notably, none of this process occurs in secret or absent significant deliberation and debate. Congress is afforded a six-month period to debate the issues and veto the change if desired. And Congress never forfeits authority to repeal or modify the change after it takes effect.

This is the process that Congress specifically set up to govern changes to the Federal Rules of Criminal Procedure. And this is the precise process that was followed in the Rule 41 change.

What’s more, there’s nothing unusual about this at all. Specific to Rule 41, going back to 1977, the rulemaking process has been used to address the precise circumstance in which a warrant is preferred or required but no judge is apparent or practically available to issue it. For example, the 1977 updates to what is now Rule 41(d)(3) permit a judge to issue a warrant based on oral statements communicated through telephone or other reliable electronic means. That change, as with the current botnet updates, was intended for convenience and efficiency. In updating procedures to conform to technological developments, the Advisory Committee cites to Supreme Court holdings giving “greater priority to the use of a search warrant as the proper way of making a lawful search.” The “use of search warrants can best be encouraged by making it administratively feasible to obtain a warrant when one is needed.” In other words, rule changes are designed to promote the use of warrants. And the rulemaking process Congress established to update venue is meant to facilitate the goals of the court and legislature.

Furthermore, amendments to Rule 41 in 1990 and 2008 addressed instances in which technological developments challenged baseline assumptions of the existing venue rules. Those rule changes were designed to “provide a practical tool for federal law enforcement officers that avoids the necessity of their either seeking several warrants in different districts for the same property” and to afford “a useful warrant procedure to cover familiar fact patterns.” In short, the Rules Enabling Act has long been used for the exact purposes sought today.

Indeed, although critics paint the use of the Rules Enabling Act on issues related to venue and jurisdiction as divergent from the regular order, the opposite is true. It is far less common for Congress to direct rule changes through statute; one example is when the USA PATRIOT Act expressly authorized magistrates to issue warrants outside the district for investigations into domestic and international terrorism. But this case was exceptional. The Rules Enabling Act is the normal way this gets done.

 

The Counterfactual World Without the Rule Change

The rule change will take effect on December 1, 2016 unless Congress passes legislation rejecting, modifying, or delaying the amendment—which it will not and should not do. The numerous prosecutions resulting from the Playpen child pornography cases offer a glimpse into the counterfactual world without changes to Rule 41. In short, there is legal chaos. Judges in over twenty-five federal districts have presided over matters relating to a Playpen prosecution. Thus far, courts have reached wildly divergent conclusions regarding the application of Rule 41, the nature of the possible violation, and appropriate remedies. The government has noted that approximately 150 individuals have or will be indicted for charges stemming from the operation, so this legal uncertainty will only increase as additional courts weigh in.

Most, though not all, courts have agreed that a warrant issued in the Eastern District of Virginia to deploy an NIT from a server located in that district to computers located outside the district in order to discover their locations amounts to at least a technical violation of Rule 41(b). Courts presiding over defendants unfortunate enough to have been located within the Eastern District of Virginia have held that Rule 41 was not violated with respect to those defendants, but have differed on whether a warrant was required in the first instance because the defendant lacked a reasonable expectation of privacy in his IP address or—somewhat less convincingly—in his computer in general.

Even where courts agree as to a Rule 41 violation, they differ as to the nature of the violation—technical or fundamental—as well as to the appropriate remedy. The Michaud court found that the Rule 41 violation was technical and did not rise to constitutional magnitude requiring suppression. Additionally, the defendant was not prejudiced because he lacked a reasonable expectation of privacy in the IP address, the court held. Furthermore, Michaud held that suppression was disfavored because law enforcement relied on the warrant in good faith. (Notably, the evidence in Michaud was later suppressed on other grounds.) In U.S. v. Werdene, the Eastern District of Pennsylvania broadly adopted the Michaud rationale, and declined to suppress evidence. However, in U.S. v. Levin, a judge in the District of Massachusetts determined the warrant was void ab initio. Furthermore, because the warrant was wholly invalid, there was a fundamental violation of Rule 41 and all evidence was suppressed. Note, the Levin holding differs not only from Michaud and others as to the nature of the violation and remedy, but also contradicts the two holdings in the Eastern District of Virginia which found the warrant proper with regards to that district and thus not void ab initio. The same issue is currently pending before many federal judges in nearly 100 distinct cases.

In short, it’s a mess. So when people argue the rule change represents a usurpation of legislative power, they are not only wrong, they are arguing for continued chaos.

These holdings speak to more than just the state of legal uncertainty. They also illustrate the particular perils that will result from not updating Rule 41. In avoiding the highly disfavored remedy of suppression, a number of courts relied on the good faith exception. But good faith reliance is foreclosed for future investigations. The exception functions as a temporary safety valve, preserving important criminal prosecutions while the state of the law is resolved. Absent the Rule 41 change, law enforcement will be unable to conduct these types of investigations in the future or will increasingly face outcomes like Levin and be forced to dismiss criminal charges.

Let’s be entirely clear on this point: Without Rule 41 changes, investigators will be effectively banned from conducting the operations that can identify the physical locations of many individuals within the United States who consume and distribute child pornography and in many cases offer (from the safety of their masked IP address) detailed confessions on ongoing “hands on” offenses against minor victims.

Significantly, neither Wyden nor proponents in the privacy advocacy community have articulated any form of alternative to addressing the demonstrated problems. And despite over one hundred cases in federal courts—and 26 child victims identified and rescued from hands on abuse in the Playpen operation alone—some critics even resort to outright mocking of the government’s asserted interests in countering child pornography. In discussing the rule change, TechDirt writes:

“The DOJ insists that the new rules only apply in narrow cases WHERE YOU SHOULD ALL BE AFRAID because EXPLOITED CHILDREN ARE AT RISK IF YOU DON'T ALL SHUT UP…[W]e should always be skeptical when law enforcement starts throwing out "sexually exploited children!" and "terrorism!" as reasons to upend existing rules” (emphasis in original).

Naturally, the abhorrent nature of a particular crime is not a reason to forgo substantive debate on an issue, nor does it override legal and policy discussions. But the serious consequences of inadequate venue procedures are the reason why Congress designed the Rules Enabling Act to shift the burden to those members who object to changes deemed proper and necessary by the judiciary and approved by the Supreme Court.

The tactic Wyden advances precisely illustrates why. He and his co-authors advance genuine objections regarding the policies and processes surrounding law enforcement operations facilitated by the rule change. But venue rules are intended to identify the magistrate of competent jurisdiction to make legal determinations, and they should not be used as a proxy for policy or statutory constraints advocates are unable to achieve elsewhere.

Following the rule change, Congress retains the power to pass whatever legislation it pleases to limit the conduct of lawful hacking and impose rules to avoid the “unintended consequences” that so alarm the Wired authors. And the executive can impose whatever policy considerations or limitations it deems necessary. But attempting to impose these constraints by blocking a necessary and tailored rule change causes grave harm and handicaps the proper function of the judiciary.

False insinuations that the executive and judicial branches are attempting to game the system undermine public trust in government institutions. They further distance constituents from understanding important mechanisms that moderate their relationship with their government. The stakes are sufficiently high to demand an intellectually honest framing of the discussion.

Instead of maligning the Rules Enabling Act as an “obscure bureaucratic procedure,” perhaps opponents to the Rule 41 change could articulate whether they view the existing state of affairs as tolerable. If it isn’t, and the proposed changes are still unacceptable, then do they have any better alternative to offer?
