Wednesday, February 18, 2015
Posted by Richard Salgado, Legal Director, Law Enforcement and Information Security
At the request of the Department of Justice, a little-known body -- the Advisory Committee on the Rules of Criminal Procedure -- is proposing a significant change to procedural rules that could have profound implications for the privacy rights and security interests of everyone who uses the Internet. Last week, Google filed comments opposing this change.
It starts with Federal Rule of Criminal Procedure 41, an arcane but important procedural rule on the issuance of search warrants. Today, Rule 41 prohibits a federal judge from issuing a search warrant outside of the judge’s district, with some exceptions. The Advisory Committee’s proposed change would significantly expand those exceptions in cases involving computers and networks. The proposed change would allow the U.S. government to obtain a warrant to conduct “remote access” searches of electronic storage media if the physical location of the media is “concealed through technological means,” or to facilitate botnet investigations in certain circumstances.
The implications of this expansion of warrant power are significant, and are better addressed by Congress.
First, in setting aside the traditional limits under Rule 41, the proposed amendment would likely end up being used by U.S. authorities to directly search computers and devices around the world. Even if the intent of the proposed change is to permit U.S. authorities to obtain a warrant to directly access and retrieve data only from computers and devices within the U.S., there is nothing in the proposed change to Rule 41 that would prevent access to computers and devices worldwide.
The U.S. has many diplomatic arrangements in place with other countries to cooperate in investigations that cross national borders, including Mutual Legal Assistance Treaties (MLATs). Google supports ongoing efforts to improve cooperation among governments, and we are concerned that the proposed change to Rule 41 could undermine those efforts. The significant foreign relations issues associated with the proposed change to Rule 41 should be addressed by Congress and the President, not the Advisory Committee.
Second, the proposed change threatens to undermine the privacy rights and computer security of Internet users. For example, the change would excuse territorial limits on the use of warrants to conduct “remote access” searches where the physical location of the media is “concealed through technological means.” The proposed change does not define what a “remote search” is or under what circumstances and conditions a remote search can be undertaken; it merely assumes such searches, whatever they may be, are constitutional and otherwise legal. It carries with it the specter of government hacking without any Congressional debate or democratic policymaking process.
Likewise, the change seemingly means that the limit on warrants is excused in any instance where a Virtual Private Network (VPN) is set up. Banks, online retailers, communications providers and other businesses around the world commonly use VPNs to help keep their networks and users’ information secure. A VPN can obscure the actual location of a network, however, and thus could be subject to a remote search warrant where it would not have been otherwise.
The Advisory Committee is entertaining a dramatic change to electronic surveillance rules. Congress is the proper body to determine whether such changes are warranted, and we urge the Committee to respect Congress’ traditional role in prescribing the substantive rules governing electronic surveillance.