Last year, the FBI and its international police partners hacked at least 4,000 suspected child pornographers in an unprecedented sting on a dark web child pornography website called Playpen. It was the largest police hacking operation to date, and a blueprint for future criminal investigations against tech savvy criminals who use encryption and anonymizing technologies to hide their activities and traces.
But a recent decision by a judge in Massachusetts, who threw out evidence obtained with the fed’s malware, might have dealt a blow to the future of the FBI’s hacking operations and subsequent criminal cases, all because of a technicality: a procedural rule known as Rule 41.
Rule 41 of the Federal Rules of Criminal Procedure stipulates when, and under what circumstances, judges can issue warrants for searches and seizures. Rule 41 is relevant in hacking operations because it mandates that a warrant must be issued within the judicial district where the criminal activity is occurring.
“You have to know where, with some certainty, the target of the search is,” Brian Owsley, an assistant professor of law at the University of North Texas, who wrote a paper about Rule 41 and how it applies to hacking cases, told Motherboard.
But what happens when cops or federal agents don’t know where the computer, and thus the criminal, they want to hack actually is? That’s exactly the problem when investigating cases, such as the Playpen, where criminals used the anonymizing software Tor.
If you don’t know where computer is, according to Rule 41, then you can’t legally hack it.
“Rule 41 simply does not permit a magistrate judge in Virginia to authorize the search of the defendant's computer located in Massachusetts,” argued the lawyer of one of the alleged child pornographer, questioning the legitimacy of the evidence gathered with a single warrant issued by a district judge hundreds of miles away.
The judge agreed, saying the warrant was originally issued without jurisdiction, invalidating the evidence gathered by the FBI’s network investigative technique, or NIT—the feds’ euphemism for hacking.
This is the first time that a judge has thrown out evidence gathered during a hacking operation because of jurisdictional issues, according to experts. But the US government saw this coming.
In 2014, the Department of Justice, using an administrative procedure, proposed changes to Rule 41 specifically addressing this issue. The DOJ proposed that in cases where feds need to hack into computers whose location has been “concealed through technological means”—that is proxies or Tor—judges could still issue warrants without worrying about the jurisdiction.
The proposed changes irked digital rights activists, legal experts, and even Google, who argued the changes were too broad and they should be discussed by Congress after public discussions, and not by an administrative body. For Ahmed Ghappour, a professor at UC Hastings College of the Law and an expert in computer crime law, the proposed changes were “the broadest expansion of extraterritorial surveillance power since the FBI’s inception.”
If the changes were to be approved, critics warned, the FBI suddenly would have power to hack anyone, not only in the United States, but anywhere in the world with a warrant.
The decision by the court in Massachusetts might complicate the current prosecutions arising from hacking Playpen visitors, but it gives the DOJ new ammunition to push and ask for support to its proposed changes.
“We are disappointed with the court’s decision and are reviewing our options,” Peter Carr, a spokesperson for the Department of Justice, told Motherboard in a statement. “The decision highlights why the government supports the clarification of the rules of procedure currently pending before the Supreme Court to ensure that criminals using sophisticated anonymizing technologies to conceal their identities while they engage in crime over the Internet are able to be identified and apprehended.”
In other words, there could be a silver lining for DOJ, as this decision could actually pave the way for the expansion of power the FBI had been longing for.
“They lose this one case but they’ll win the war,” Owsley told me.
The proposed rule changes have already gone through a long drafting process. Now, they’re in front of the Supreme Court, which has to weigh in on them. If the changes get approved, Congress has 180 days to weigh in on the changes, or let them be.
For Nathan White, the senior legislative manager at digital rights group Access Now, this unprecedented decision in Massachusetts might give the issue enough publicity to force Congress to act.
“This shouldn’t be done in secret, and it shouldn’t be done with just barely any attention to them as though they were some simple rule change that won’t affect anything, because this really does change the way law enforcement operates in the 21st century,” White told me. “Will Congress finally understand what is happening here and get involved?”