Julianna Coppage

The New Rule 41: Resolving Venue for Online Crimes with Unknown Locations

On December 1, 2016, Rule 41 of the Federal Rules of Criminal Procedure, which governs the procedures regarding issuances of search warrants, was amended in two critical ways.1 The amendments remove venue restrictions in two narrow situations, authorizing magistrate judges to issue warrants for remote searches of electronic storage media when (A) the location of the electronic media “has been concealed through technological means” or (B) the investigation pertains to botnets that have damaged computers “without authorization” in violation of the Computer Fraud and Abuse Act2 and the damaged computers “are located in five or more districts.”3 The amendments mark the end of a three-year review process of the proposals, which culminated with the adoption of the new rules by the U.S. Supreme Court in April 2016.4

Critics of the amendments argue they amount to sweeping substantive changes that dramatically increase the investigative power of the government and weaken individual privacy and security protections.5 Proponents of the change insist that the amendments merely close a procedural loophole that enabled nationwide crimes to elude the jurisdiction of any court.6 Each provision will be subsequently examined in light of its stated purpose, critical response, and likely overall effect. Because the amendments close a procedural loophole without altering underlying substantive law, the scope of the amendments is appropriately narrow to meet its corrective function.

I. Background

The amendments authorize magistrate judges to issue warrants for the government to use “remote access to search electronic storage media.”7 This kind of search is accomplished using a “Network Investigative Technique” (“NIT”).8 The government defines a NIT as a set of computer instructions that augments the content a user requests from a website.9 When delivered successfully back to the computer with the requested content, the NIT gathers limited, specified identifying information from that computer and relays it back to a government-controlled server.10 This typically occurs without the knowledge of the host computer’s operator.11 Opponents decry the use of the term NIT as pure semantics and insist the tool used by the government is malware.12 Privacy advocates maintain the use of such tools amounts to the U.S. government hacking computers of individuals around the world.13 For the purposes of this article, the term NIT will be used.14

II. Amendments

The revised Rule 41b(6) has two provisions; the first pertains to searches of electronic media when the location of that media was concealed through technological means, and the second regards venue provisions for botnet investigations.

A. Concealing Location Through Technological Means

This provision is designed to facilitate the government’s investigation of serious crimes that, due to increasingly advanced anonymization techniques, otherwise elude prosecution.15 Particularly, the government has used NITs to pierce the veil of websites hosted on hidden services using Tor.16 Sites that use this functionality can hide the locations of the website’s host and users.17 This technology is abused by tens of thousands of criminals; investigators readily locate websites devoted to criminal activity, many of which involve sexual abuse of children, but because of the technology, the investigators have no ability to identify the people involved.18

The government has increasingly used NITs to target Tor users trafficking in child pornography, such as the recent Playpen cases.19 In these cases, the government took over the server that hosted the child pornography site named “Playpen,” physically moved the server to the Eastern District of Virginia, obtained a search warrant from a magistrate judge in the Eastern District of Virginia authorizing the use of a NIT, and deployed the NIT on all users that accessed certain sub-forums on the Playpen website over the course of a two-week period.20 The sting has resulted in hundreds of prosecutions and the rescue of at least forty-nine children from sexual abuse.21

The Playpen prosecutions have encountered a large number of motions to suppress the search warrant used, however, because the warrant was issued under the previous version of Rule 41, which did not lift the venue restrictions for such prosecutions.22 Many courts have found at least a technical violation of Rule 41 because the magistrate judge in the Eastern District of Virginia did not possess the authority to authorize a search in a district outside of her own, and at least one court even held the search warrant wholly invalid.23 Such rulings necessarily present a catch-22, however, because the government cannot ascertain the location of the users without the NIT, but they cannot use the NIT without seeking authority based on probable cause from a federal judge.24 Rule 41 helps prevent forum shopping and ensures that judges only issue warrants for crimes located in their districts.25 However, because in this case the location of the targets were unknown and the crimes occurred online outside of any territorial bounds, the older venue provision of Rule 41 created confusion as to whether any judge could issue a warrant.26

Critics of the amendment claim this is a substantive, not procedural, change, and as such, it is better left to Congress.27 Critics further maintain that the rule authorizes government hacking, and as such should be approved by a full body of democratically elected representatives rather than by an “obscure” committee.28 Two senators opposed the rule, but their measures to stop the adoption of the change gained no traction.29
Proponents of the new rule dispute this characterization, insisting that the change only allows the search warrant applications to be heard by a judge and does not change substantive Fourth Amendment jurisprudence.30 Indeed, the Advisory Committee comments to this rule change reiterated that position, stating that “[t]he amendment does not address constitutional questions, such as the specificity of description that the Fourth Amendment may require in a warrant for remotely searching electronic storage media or seizing or copying electronically stored information, leaving the application of this and other constitutional standards to ongoing case law development.”31

Botnet Investigations

The second part of the amendment is specifically targeted to provisions of the Computer Fraud and Abuse Act that prohibit programmed viruses that infiltrate victims’ computers without permission.32 This rule change was designed to counteract the particular problem of botnets, which the Department of Justice defines as “essentially a mass hack—a network of victim computers that have been surreptitiously infected with malware and are controlled remotely by criminals.”33 Botnets cause a variety of problems, ranging from installing keystroke logging software on a victim’s computer to utilizing victim computers to carry out a distributed denial of service (“DDoS”) attack.34 Botnets are widespread and malicious, often hiding in plain sight, which makes dismantling them incredibly tricky.35

Investigating botnets and prosecuting developers can be even more difficult. The first step in investigating botnets is often identifying infected computers.[footnote] Judish, supra note 35. To do so, the government frequently needs to obtain a search warrant to gain identifying information about those computers.36 However, these are typically nationwide investigations that span multiple judicial districts.37 Under the previous version of Rule 41, the government would have to simultaneously apply for and be granted a search warrant in all ninety-four judicial districts in the United States to successfully run a botnet investigation.38 This is logistically absurd and practically infeasible. The amended Rule 41 allows an investigator to apply for a search warrant from a single magistrate judge when investigating a botnet that targets computers in more than five judicial districts.39

This change angers privacy advocates, who argue that hacking victims’ computers falls well outside the powers delegated to the executive branch.40 They contend the change at minimum conveys an implicit approval of government hacking, which is inappropriate for the limited jurisdiction of the rules committee that approved the change.41 A tool with a capability for such damage to innocent victims should not be legalized without the public debate afforded by Congressional hearings, according to these privacy advocates.42

Such arguments, though they may reflect legitimate concerns, seem conceptually misplaced in the Rule 41 debate. The rules committee noted a similar problem, finding that “much of the opposition [to the changes] reflected a misunderstanding of the scope of the proposal. The proposal addresses venue; it does not itself create authority for electronic searches or alter applicable statutory or constitutional requirements.”43 While the wisdom and legality of such tactics may be hotly contested, the fact that there should exist a court in the country that can authorize the investigation of these crimes seems to be ignored. That is all the text of the new Rule 41 allows, and all that it can allow. The legality of the investigative techniques is still a matter for Congress and the courts and will continue to be litigated. In the meantime, though, a procedural loophole that enabled criminals to escape the jurisdiction of any American court has been closed.

* GLTR Staff Member; Georgetown Law, J.D. expected 2018; Barnard College, B.A. 2012. © 2017, Julianna Coppage.