This weekend, the EFF published an article With Rule 41, Little-Known Committee Proposed to Grant New Hacking Powers to the Government. This discussion pits the privacy advocates such as EFF against the Department of Justice folks who want more powers to gather data. The EFF is crying foul and making it seem that these changes are being sneaked through in the dead of night, while the DOJ is pointing out how reasonable the changes are. Multiple public hearings were held and written testimony received and used (including theirs) to amend the rule change. This conversation has been going on since early 2014.
That said, it is entirely possible that the Technology Folks who probably have the best insights into how these rules would intersect with the Modern Internet probably have the least understanding of how these rules work. I've tried to put together a brief backgrounder, followed by links to some of the key Comments and Testimony received thus far. IF YOU DON'T WANT THIS TO BE LAW, YOUR CONGRESSMAN NEEDS TO STOP IT. (conversely, if you are technical and see no problem with it, you might share those thoughts with your Congressman as well.) Here's House.gov's "Find Your Representative" page in case this whole concept of representative government is new to you. They can't REPRESENT you if you don't TALK TO THEM!
What are the Federal Rules of Practice and Procedure?The Federal Rules of Practice and Procedure were created in 1934 under the "Rules Enabling Act (28 U.S.C. § 2071-2077). The key pieces of the act are in 2071 and 2072 -- (2071) "The Supreme Court and all courts established by Act of Congress may from time to time prescribe rules for the conduct of their business. Such rules shall be consistent with Acts of Congress and rules of practice and procedure prescribed under section 2072 of this title." and (2072) "The Supreme Court shall have the power to prescribe general rules of practice and procedure and rules of evidence for cases in the United States district courts (including proceedings before magistrate judges thereof) and courts of appeals." The rest of the act lays out how the "Judicial Conference" plays a role in this work.
Who is the Judicial Conference?Back on October 1, 2015, U.S. Supreme Court Justice John Roberts named the chairs for his six Advisory Committees. One of the powers of being the Chief Justice is that you get to appoint who the chairs of the Committees of the Judicial Conference, who are the leaders who decide what the Federal Rules are going to be, pending approval first by the Supreme Court, and then by Congress. There are actually eleven Judicial Conference committee chairs.
- Judge Richard R. Clifton (Ninth Circuit) -- Committee on Federal-State Jurisdiction
- Judge Allyson K. Duncan (Fourth Circuit) -- Committee on International Judicial Relations
- Judge Lawrence F. Stengen (Eastern District of Pennsylvania) -- Committe on Judicial Resources
- Judge David R. Herndon (Soutern District of Illinois) -- Committee on Judicial Security
- Judge John D. Bates (District of DC) -- Advisory Committee on Civil Rules
- Judge Donald W. Molloy (Montana District) -- Advisory Committee on Criminal Rules
- Previously named chairs:
- Judge Lawrence L. Piersol (South Dakota) -- Committee on Audits and Administrative Office Accountability
- Chief Judge Catherine C. Blake (Maryland) -- Committee on Defender Services
- Judge Anthony J. Scirica (Third Circuit) -- Committee on Judicial Conduct and Disability
- Judge Jeffrey S. Sutton (Sixth Circuit) -- Committee on Rules of Practice and Procedure
- Judge Steven M. Colloton (Eighth Circuit) -- Advisory Committee on Appellate Rules
The full package contained several rules, and per the normal process, the Supreme Court had until May 1, 2016 to forward them to Congress if they agreed with them (This is the action that just happened, triggering the current media round) who then has until December 1, 2016 to take "contrary action" if they don't want them to become the law of the land.
What did the Judicial Conference ask for this year?The items in the 2015-2016 Supreme Court Package of Proposed Rule Changes package consisted of 244 pages of committee notes, Comments from the open comment period, and responses to them. Here is an outline of the Changes proposed, with our focus being on V. B. - Venue to Obtain Warrants for Remote Electronic Search:
- I.Elimination of the Three-Day Rule for Items Served Electronically.
- basically the "three-day rule" had been set up to allow for the time it takes to mail a package through the U.S. Postal Service. The point of this rule change is that if things are being delivered electronically, whey do we need this three day delay?
- II. Federal Rules of Appellate Procured
- A.Inmate-Filing Rules
- B.Late Post-Judgment Motions and Appeals Time
- C.Length Limits for Briefs and Other Documents
- D.Amicus Filings in Connection with Rehearing
- E.Technical Amendment
- III. Federal Rules of Bankruptcy Procedure
- A. Procedures for International Bankruptcy Cases
- B. Chapter 13 Notices
- IV. Federal Rules of Civil Procedure
- A. Service on a Foreign Corporation
- B. Service
- C. Venue Technical Amendment
- V. Federal Rules of Criminal Procedure
- A. Service on Foreign Corporate Defendants
- "The proposed amendment to Criminal Rule 4 addresses service of a summons on organizational defendants that have no agent or principal place of business within the United States. (...) Given the increasing number of criminal prosecutions involving foreign entities, the Advisory Committee agreed that the Criminal Rules should provide a mechanism for foreign service on an organization."
- B. Venue to Obtain Warrants for Remote Electronic Searches
- More below ...
Rule 41 Amendment: Venue to Obtain Warrants for Remote Electronic SearchesThe text below comes from the aforementioned "Supreme Court Package" ... specifically from pp.198-200, for the text of the rule change itself, and from pp.200-202, for the Subcommittee comments. Further explanation is from pp.225- labeled "Excerpt from the September 2015 Report of the Judicial Conference"
Rule 41. Search and Seizure(b) Venue for a warrant Application. At the request of a federal law enforcement officer or an attorney for the government:
(6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if:
(A) the district where the media or information is located has been concealed through technological means; or
(B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.
(f) Executing and Returning the Warrant.
(1) Warrant to Search for and Seize a Person or Property.
(C) Reciept. The officer executing the warrant must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken or leave a copy of the warrant and receipt at the place where the officer took the property. For a warrant to use remote access to search electronic storage media and seize or copy electronically stored information, the officer must make reasonable efforts to serve a copy of the warrant and receipt on the person whose property was searched or who possessed the information that was seized or copied. Service may be accomplished by any means, including electronic means, reasonably calculated to reach that person.
Subcommittee notes on (b)(6)Subcommittee notes on (b)(6):
Subdivision (b)(6). The amendment provides that in two specific circumstances a magistrate judge in a district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and seize or copy electronically stored information even when that media or information is or may be located outside of the district.
First, subparagraph (b)(6)(A) provides authority to issue a warrant to use remote access within or outside that district when the district in which the media or information is located is not known because of the use of technology such as anonymizing software.
Second, (b)(6)(B) allows a warrant to use remote access within or outside the district in an investigation of a violation of 18 U.S.C. § 1030(a)(5) if the media to be searched are protected computers that have been damaged without authorization, and they are located in many
districts. Criminal activity under 18 U.S.C. § 1030(a)(5) (such as the creation and control of “botnets”) may target multiple computers in several districts.
In investigations of this nature, the amendment would eliminate the burden of attempting to secure multiple warrants in numerous districts, and allow a single judge to oversee the investigation.
As used in this rule, the terms “protected computer” and “damage” have the meaning provided in 18 U.S.C. § 1030(e)(2) & (8).
The amendment does not address constitutional questions, such as the specificity of description that the Fourth Amendment may require in a warrant for remotely searching electronic storage media or seizing or copying electronically stored information, leaving the application of this and other constitutional standards to ongoing case law development.
Excerpt from the September 2015 Report of the Judicial Conference re:Rule 41I'll place the footnote first ... "At present, Rule 41(b) authorizes search warrants for property located outside the judge's district in only four situations: (1) for property in the district that might be removed before execution of the warrant; (2) for tracking devices installed in the district, which may be monitored outside the district; (3) for investigations of domestic or international terrorism; and (4) for property located in a U.S. territory or a U.S. diplomatic or consular mission."
Now from the memo:
The proposed amendment to Rule 41 addresses venue for obtaining warrants for certain remote electronic searches. At present, the rule generally limits searches to locations within a district, with a few specified exceptions. The proposal to amend Rule 41 is narrowly tailored to address two increasingly common situations in which the existing territorial or venue requirements may hamper the investigation of serious federal crimes:
(1) where the warrant sufficiently describes the computer to be searched but the district within which that computer is located is unknown, and
(2) where the investigation requires law enforcement to coordinate searches of numerous computers in numerous districts.
The proposal would address this issue by amending Rule 41(b) to include two additional exceptions to the list of out-of-district searches permitted under that subsection.(see footnote above) Language in anew subsection 41(b)(6) would authorize a court to issue a warrant to use remote access to search
electronic storage media and seize electronically stored information inside or outside of the
(1) when a suspect has used technology to conceal the location of the media to be
(2) in an investigation into a violation of the Computer Fraud and Abuse Act, 18
U.S.C. § 1030(a)(5), when the media to be searched include damaged computers located in five
or more districts.
The proposal also amends Rule 41(f)(1)(C) to specify the process for providing notice of a remote access search.
As expected, the proposed amendment generated significant response; the Advisory
Committee received 44 written comments, and 8 witnesses testified at a public hearing in
Washington, D.C. In addition, the Department of Justice submitted written responses to the
issues raised by the comments and testimony. Many commentators raised concerns regarding the
substantive limits on government searches, which are not affected by the proposal. In fact, much
of the opposition reflected a misunderstanding of the scope of the proposal. The proposal
addresses venue; it does not itself create authority for electronic searches or alter applicable
The Advisory Committee approved revisions to the published proposal aimed at
clarifying the procedural nature of the proposed amendment. It changed the published caption
from “Authority to Issue a Warrant” to “Venue for a Warrant Application” and revised the
Committee Note to state that the constitutional requirements for the issuance of a warrant are not
altered by the amendment. The Advisory Committee also approved revisions to the notice
provision and accompanying Committee Note that directly respond to points raised by
Some of the Comments and Witnesses
The Center for Democracy & Technology submitted an 11-page PDF prior to testifying before the Judicial Conference on this matter Friday, October 24, 2014. Their big "Legal Implication" was "The proposed modification to FRCrmP Rule 41 would make policy decisions about important questions of law that are not currently settled and would best be resolved through legislation."
The ACLU submitted a 21-page PDF comment April 4, 2014 -- "ACLU Comment on the Proposed Amendment to Rule 41 Concerning Remote Searches of Electronic Storage Media"-- prior to the Advisory Committee's public hearing on the subject, April 7-8, 2014. Great reading! I especially appreciated this being cast into the area of Cloud Data challenges -- see the section "Remote Searches of Cloud Data Pose Fourth Amendment, Statutory, and Policy Problems." This report also addresses one of my chief concerns, which I call "Venue Shopping." In a large botnet, victims exist in every single Federal District. This means that if I found a "friendly judge" in any district, I could just flood all my requests through that jurisdiction.
Many of these same concerns were re-addressed to the committee by the ACLU who also presented testimony for the October 24, 2014 meeting. (See "Second ACLU Comment on Rule 41")
Richard Salgado also shared Google's Comments on the Proposed Amendment to Rule 41 (13FEB2015) raising these and many similar concerns, and specifically pointing out that the Mutual Legal Assistance Treaties exist for exactly the purpose of international cooperation on searches. Should we really be conducting extra-territorial searches without even knowing what territory the seized material is located in? Google also mentions the concern that many VPNs may find themselves subject to this search because of the anonymizing function that a VPN can perform, even if the VPN is a legitimate bank, retailer, or other business merely seeking to better secure their users.
The EFF was represented in testimony (November 5, 2014) by Amie Stepanovich, the Senior Policy Counsel at Access, "an international digital rights non-governmental organization founded in the wake of the 2009 Iranian post-election crackdown." She points out in her testimony that this is a broad expansion of the powers defined in the Computer Fraud and Abuse Act (CFAA) which may, due to the nature of botnets that use distributed Command and Control, result in searching and seizing evidence from various protected classes of computer users, all of which have been victims of botnets, including journalists, dissidents, whistleblowers, members of the military, lawmakers and world leaders!
The list of all 55 received comments can be accessed at Regulations.gov
Other significant commentors included:
Kevin Bankston, for New America's Open Technology Institute
Bruce Moyer, for the National Association of Assistant United States Attorneys
David Bitkower, for the U.S. Department of Justice
This memo presents three "warrant scenarios" and attempts to show how they would not be violations of Fourth Amendment rights of protection from unreasonable search.
Comments on Proposed Remote Search Rules by professors Steven Bellovin of Columbia, Matt Blaze of University of Pennsylvania, and Susan Landau of Worcester Polytechnic Institute
This memo points out concerns about trying to address very specific botnet features in the face of the unknown - how botnets will change in the future, as well as raising some very key questions about Chain of Custody and Authenticity of Evidence when we have no idea where the computer is providing the evidence in question.