A few weeks ago the Supreme Court notified Congress of this year’s proposed amendments to the Federal Rules of Criminal Procedure. Without further congressional action, the new rules will become final in December 2016. Several amendments to Rule 41, which governs search and seizure warrants, have generated some opposition on the grounds that they are unlawfully confer new legal powers on the government and are unconstitutional. As I explain below, however, those legal objections are not well-founded. The amendments only loosen venue requirements, removing artificial geographical constraints on the issuance of certain types of warrants.
Originally proposed in 2014, the Rule 41 amendments would authorize federal judges to issue warrants for seizure or copying of electronic information whether or not the information is geographically located in the judge’s district. Whereas the previous version of Rule 41 only allowed judges to issue warrants authorizing extra-district searches in terrorism investigations or for crimes committed in various places where the federal government has extraterritorial sovereign authority (consular premises, embassies, etc.), new Rule 41(b)(6) adds explicit authorization for out-of-district searches using “remote access” under two narrow circumstances.
The first circumstance is when the actual location of the physical hardware of the computer or information to be searched “has been concealed through technological means.” The change eliminates an anomaly in the previous version of Rule 41 that would not have authorized remote-search warrants when the geographical location of a computer was hidden behind some sort of anonymity technology. New Rule 41(b)(6)(A) would allow remote searches of websites like the infamous “Silk Road” drug marketplace, which concealed its location behind a Tor hidden service. Although the government has not disclosed what methods it would use for remote searches under this amendment, it seems clear that the new rule would at least allow courts to issue warrants that authorize the government to hack a computer hidden behind such a service.
The second circumstance involves mass damage to computers. New Rule 41(b)(6)(B) establishes three elements for obtaining such a warrant. First, the warrant must be sought as part of an investigation of a violation of intentional damage to a protected computer under 18 U.S.C. § 1030(a)(5). Second, the computer or computers to be searched must have been targets of the damage. Third, those damaged computers must be spread across at least five judicial districts. This amendment is most probably intended to facilitate more efficient investigations of rapidly-spreading malware or so-called “botnets,” groups of computers that have been hijacked and harnessed into a network controlled by the hijacker. For years, cybercriminals (organized and otherwise) have used botnets for a wide variety of illegal purposes, such as illicit bitcoin mining, theft of credit-card information, or dissemination of spam. More recently, the government and private-sector actors have pursued criminal and civil remedies to seize control of botnets and shut them down.
Critics have raised two primary legal objections to the amendments. (There are also a variety of policy objections, but I won’t address those here.) The first is this: The changes are more than “merely a procedural update” because the rule creates “new hacking powers” in violation of the Rules Enabling Act, which says that the federal rules “rules shall not abridge, enlarge or modify any substantive right.” Under this argument, the amended rule “creates new avenues for government hacking that were never approved by Congress.”
Although it’s true that Congress has not explicitly legislated on this point and the rules may not create or alter substantive rights or duties, nothing in new Rule 41(b)(6)(A) or (B) purports to do either. Instead, the amendments alter which magistrates may issue which warrants. Nor do the revisions purport to alter the extraterritorial reach of the Computer Fraud and Abuse Act, which is generally acknowledged to be very broad. And the old Rule 41 did not forbid remote searches of computers as long as the authorizing warrant fit within one of the older venue provisions.
To be sure, the pending amendments loosen the venue requirements, but they don’t call new government powers into existence. If anything, the amendments have the opposite effect, since they still restrict what kinds of warrants a court might issue in the absence of the venue restrictions, and practically limit the exercise of whatever investigative powers the government might have otherwise. The amended rule thus draws a line that complies with the prohibition on creating new rights while also ensuring that the new rule does not “abridge . . . or modify any substantive right.”
The other objection is constitutional: The new rule violates the Fourth Amendment’s particularity requirement because the government must be able to describe the physical location of the computer to be searched before it can obtain a warrant, whereas the amendments specifically contemplate the search of a computer in an unknown geographic location. According to critics, the Fourth Amendment forbids remote searches of unknown locations because every warrant must “particularly describ[e] the place to be searched” and the “things to be seized.” Since the amendments authorize a search of a computer in an unknown location, the argument goes, the government inherently cannot particularly describe the “place to be searched.”
This argument fails for two reasons. First, it is not true that the geographical location of something is necessary for describing it “particularly.” Since computers and networks are composed of physical objects, particularity only requires a warrant to describe the targeted computer in a way that reliably distinguishes it from other computers. A quick Google search reveals a variety of methods for doing that, such as combining internet addressing information with other types of information or using web tracking cookies and other digital fingerprints. To satisfy the particularity requirement for an individual warrant, then, the warrant must simply identify the facts that distinguish the computer to be searched from other computers.
Second, nothing in the rule sets aside or abrogates the particularity requirement. Particularity is a legal requirement in addition to the other requirements in the rule, not subsumed within them. Judges make case-by-case evaluations of this sort about particularity every time they sign off on an application, whether or not a rule or statute requires it. Moreover, there’s no reason to think that all possible warrants issued under the amended rule would fail particularity, or even that a large number of them will fail. If individual cases covered by the rule can satisfy the particularity requirement, then the whole rule doesn't violate it.
There is, of course, much room for a healthy policy debate on these issues, and Congress should embrace its role in that debate. It’s eminently reasonable to worry that damage could accidentally damage innocent Americans’ property in the course of a court-authorized remote access. Some previous efforts to shut down botnets have resulted in just that sort of damage, and I’ve argued elsewhere that Congress should prescribe standards that balance the risks in such operations. It’s likewise important for Congress to perform its legislative duty of ensuring that the government has the right set of authorities and resources for enforcing the law. But if Congress wants to create limits on the government’s investigative powers, it should say so explicitly through legislation, not smuggle the limits into venue provisions in the rules of procedure.