Nov. 7 — Privacy advocates have little time for congressional intervention to stop an amended procedural rule that will allow federal judges to approve remote access to electronic devices.
The U.S. Supreme Court-approved revision of Federal Rule of Criminal Procedure 41, set to take effect Dec. 1, will allow federal judges to issue warrants that cover districts other than their own for law enforcement entities looking to conduct remote electronic searches, including of devices cloaked to hide their locations.
There is almost no chance Congress will intervene before the effective date, analysts told Bloomberg BNA. So companies that maintain large databases of personal data, such as e-mail service providers, may face more law enforcement warrant requests for access.
Whether the rule change will be utilized for overseas searches remains to be seen. Because of other federal investigatory programs, law enforcement agencies may be able to access information abroad without the search and seizure rule changes, the analysts said.
The search and seizure changes cap off a three-year process pitting federal prosecutors against technology companies, including Alphabet Inc.'s Google and Microsoft Corp. The companies and privacy advocates found the extension of Rule 41 far outside the boundaries of the U.S. disturbing and said the issue should be considered through the legislative process.
Judges may allow remote hacking of a device regardless of whether the owner is aware of how the computer may be misused, as with a malware-loaded computer whose owner had no idea it had been used in a cyberattack.
Software that allows users to be anonymous fueled the need for changes, law enforcement said. Rule 41 is “finally catching up with the evolution of technology,” Greg Brower, FBI deputy general counsel, said at a recent Stanford Law panel on Rule 41.
Privacy advocates have said that the change will make it easier for the Federal Bureau of Investigation to access computers remotely when the locations of the devices are unknown and allow a single warrant to search large numbers of computers at once.
The Department of Justice has said the amended rule doesn't change any Fourth Amendment protections or procedures, such as the need for probable cause, and doesn't allow any searches not already permitted by law.
Google Law Enforcement and Information Security Director Richard Salgado said the Department of Justice has made assurances about what it would do concerning the amended Rule 41 “and those are taken as sincere representations.”
But the rule “is susceptible to interpretation,” which requires relying on prosecutors to not invoke “a significant technique in an invasive way” to force access to information, he said at the Stanford panel. The companies would have to await the courts, in published opinions, to identify an invasive interpretation as a problem, Salgado said.
“That’s a lot of maybes, and it’s only going to come to the public’s attention in certain situations. It’s not actually going to be part of the public’s conscience in most cases,” Salgado said.
An attempt by Sen. Ron Wyden (D-Ore.) to block the changes to Rule 41—the Stopping Mass Hacking Act (S. 2952)—hasn't progressed despite bipartisan cosponsorship. In addition, 50 organizations, including Google, Evernote Corp. and PayPal Holdings Inc., sent a letter to Congress in June opposing the changes and urging support for the bill.
In September, Wyden's attempt to move the bill to the floor for unanimous consent was blocked.
“I doubt there’s floor time before Dec. 1” to take up the bill, Peter Swire, a Georgia Institute of Technology law professor and senior counsel with Alston & Bird LLP, told Bloomberg BNA.
Stewart Baker, cybersecurity partner at Steptoe & Johnson LLP in Washington, told Bloomberg BNA that a third-party candidate had a better chance of winning the presidential election than Wyden does of getting his bill passed by Dec. 1.
Ahmed Ghappour, University of California Hastings College of the Law visiting assistant professor, said at the Stanford panel that more than 80 percent of devices that are unable to be located are likely outside U.S. borders.
Baker, who also served as the Department of Homeland Security’s first assistant policy secretary, said the international implications are the very reason it is unlikely that the government would pursue Rule 41 warrants against computers and other devices known to be located outside the U.S.
The FBI has used a separate Network Investigative Technique that allows for the secret transmission of computer code to a site’s users and enables the government to identify users’ internet protocol addresses, Baker said. The FBI targeted child pornography users, “and sweeping in users in other countries, without any unfavorable diplomatic consequences. So we shouldn’t assume other countries will react badly to the U.S. discovering criminals inside their borders and handing their cops the evidence.”
In any event, Congress will review Section 702 of the Foreign Intelligence Surveillance Act, which gives the National Security Agency broad authority to collect information on overseas targets. FISA's authorization sunsets Dec. 31, 2017.
Swire, who was Office of Management and Budget chief privacy counselor under President Bill Clinton, said the “next administration will treat Section 702 as must-pass legislation. And that creates an opportunity for some pro-privacy reforms as well.”
Extraterritorial reach is also central in a search and seizure case involving Microsoft that could land in the Supreme Court. A U.S. Court of Appeals for the Second Circuit panel last July ruled Microsoft didn’t have to give prosecutors e-mails stored on Irish servers allegedly related to a drug case. The Department of Justice in October asked the full Second Circuit to rehear the case.
To contact the reporter on this story: Joyce E. Cutler in San Francisco at JCutler@bna.com
To contact the editor responsible for this story: Donald G. Aplin at firstname.lastname@example.org
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.