Congress should stop government hacking and protect the Fourth Amendment

In 1928, U.S. Supreme Court Justice Louis Brandeis wrote a famously prescient and insightful dissent, pointing out that advances in technology pose challenges for the protection of the Bill of Rights’ prohibition of unreasonable searches and seizures. Forty years later, the Supreme Court admitted that the majority had been wrong to say wiretapping did not implicate the Fourth Amendment, and that Brandeis had been right. The Court closely examined and then upheld New York legislation that carefully regulated the issuance of a special kind of warrant to allow wiretapping, if the government could show a judge the reasonableness of the intrusion in a way that took account of the particular ways that wiretapping invades privacy. Congress responded by enacting what is still known as Title III, the federal wiretap statute which nearly 50 years later stands as a testament to the open, deliberative approach to complex privacy issues. Today, remote governmental searches of computers pose public policy challenges that demand similar legislative attention. Simplistic tweaks to the court rules governing the issuance of traditional warrants, such as the Administration recently persuaded the Supreme Court to lay before Congress, expecting a rubber stamp, cannot deal adequately with this new challenge.

A diverse, bipartisan coalition of Senators — Ron Wyden (D-Ore.), Rand Paul (R-Ky.),  Tammy Baldwin (D-Wis.), Steve Daines (R-Mont.), and Jon Tester (D-Mont.), along with Rep. Ted Poe (R-Texas) and Judiciary Committee ranking member John Conyers (D-Mich.)  — has introduced the “Stopping Mass Hacking Act” (S. 2952 and H.R. 5321) to stop the Justice Department’s judicially-endorsed misstep.  The bill would prevent changes to Rule 41 of the Federal Rules of Criminal Procedure from taking effect, leaving to Congress the complex task of balancing the privacy and law enforcement interests that come into play when the government seeks to intrude secretly into the computers of crime victims and suspected criminals, in an effort to investigate or thwart cybercrime.

{mosads}The proposed rule changes would codify a broad new authority to issue warrants for out-of-district and unknown-location searches for (and of) computers in relation to the investigation of any federal crime and – in certain computer crime cases – simply for the convenience of law enforcement agents even if the location of the computers is known. Just as troubling, the rule change would facilitate the government in secretly hacking into the computers of thousands of crime victims while hunting a few cybercriminals.

Since its inception, Rule 41 has reflected the Framers’ understanding of one of the core characteristics of a “reasonable” search. Warrants not only must be particularized and supported by probable cause, but also may be issued only by judges sitting in the locality where the search would be executed. This limitation highlights the judge’s responsibility to the people whose privacy would be intruded upon. The Framers had personal and bitter experience with being the subjects of warrants that did not meet these criteria, and they wanted them forbidden.

The new proposal would essentially eliminate any venue requirement for digital searches of this kind by creating an exception so expansive and unbounded as to be meaningless. The National Association of Criminal Defense Lawyers (NACDL) opposes the amendment, both because it overreaches the authority of judicial branch, and because it would upset the appropriate balance that must be struck between law enforcement methods and the protection of privacy in a civil society now become digital.

The language proposed is far more wide-ranging than is required to accomplish the limited goal of finding out where a particular computer is operating. If the DoJ needs to defeat privacy-protective software to determine the location of a computer, then a law addressing that specific interest could be written. Similarly, if law enforcement needs to search for digital evidence that multiple, far-flung computers have been commandeered by a remote device in the commission of a crime (the “botnet” scenario), a carefully framed law could allow for the search of that particular type of information across districts—the actual malware, not the complete contents of the computer/device. However the changes to the rule are not written this way. Instead, they would allow judicial forum shopping and expansive remote searches of personal computers.

The principal flaw in the current proposal is that it suggests that such searches may properly be authorized by ordinary warrants.  It turns a blind eye to the inescapable conclusion that these aggressive digital interventions have technological, political and constitutional implications far beyond what can be addressed by a simple procedural rule.

Under 28 U.S.C. §2072, the Supreme Court has the authority to prescribe rules of practice and procedure for the federal courts. But the Rules Enabling Act goes on to say that “Such rules shall not abridge, enlarge or modify any substantive right.” The proposed amendments to Rule 41 fail this longstanding test. They facilitate warrants that by their nature are unlikely to comply with fundamental rights under the Fourth Amendment.

While it is surely possible to craft a constitutional procedure for digital searches, the rulemaking process is not adequate for addressing such sensitive constitutional questions. Only a comprehensive legislative approach, crafted after full public hearings, could possibly deal with all the complex aspects of this issue. NACDL urges Congress to pass the Stopping Mass Hacking Act and stop these changes from taking effect.

Peter Goldberger is an attorney in private practice in Ardmore, Pennsylvania and serves as Co-Chair of the Rules of Procedure Committee of the National Association of Criminal Defense Lawyers.