Anonymizing Technology Forces An Upgrade of The Federal Rules of Criminal Procedure

Edward J. George
Georgetown Law, Class of 2017

On December 1, 2016, the amended Rule 41(b), the venue provision for federal warrants, of the Federal Rules of Criminal Procedure went into effect. Google and civil liberties groups, including the ACLU and Center for Democracy and Technology, have widely panned the amendments, arguing that it is a dangerous expansion of the government’s surveillance capabilities. However, these critiques are aimed at the policy issues surrounding venue, and fail to address where a warrant should be sought when anonymizing technology masks a computer’s location. For that question, the Advisory Committee on Rules of Criminal Procedure found the right answer.

Under the old Rule 41, magistrates with authority in a district may issue warrants to search for and seizure a person or property located within that district. And before the advent of the Internet, this rule made perfect sense. In the physical world you cannot search something if you do not know where it is located. For example, before the Internet, if a criminal wanted to steal an individual’s credit card or financial information, they would have to physically locate and steal that information. Moreover, evidence of that crime—the stolen credit card or financial papers—can physically be located, barring they are not destroyed.

Under the old Rule 41, law enforcement would seek a warrant in that district. Today, however, that criminal can obtain the same information by using the Internet and hacking an individual’s computer. Additionally, the criminal can use Tor, software that allows users to obscure their computer’s physical location. As a result, this technological change posed a serious problem to the question of venue under the old Rule 41.

In 2013, this problem arose in Texas in In re Warrant to Search a Target Computer in Premises Unknown. In In Re Warrant, the government applied for a search warrant, requesting to search a hacker’s remote computer to determine the hacker’s identity and location. Because the government did not know the hacker’s location or identity, the government applied for the search warrant in the district where the victim resided, asking the magistrate to search the hacker’s computer by surreptitiously installing software designed to extract location information. The magistrate, looking at the old Rule 41, denied the warrant because he believed that he could only issue a warrant to search property within his own district.

Whether one agreed or disagreed with the magistrate’s decision, the implications stemming from the decision were simple. The growing use of anonymization tools, like Tor, in effect answered the old Rule 41 venue question: law enforcement could not obtain a warrant in any district because they did not know the location of the search. For this very reason, the Department of Justice sent a letter to the Advisory Committee on Criminal Rules in September 2013, proposing amendments to Rule 41. The Committee addressed DOJ’s concerns in the amended version of Rule 41 by allowing law enforcement to seek a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if the district where the computer is located has been concealed by anonymizing technology.

The actual practice of this amended rule raises serious, normative questions, including whether amended Rule 41 will allow the government to legally hack almost anyone. But addressing such questions is not the role of the Advisory Committee. Congress, through the Rules Enabling Act, delegated authority to the Supreme Court to promulgate general rules of practice and procedure for the federal courts. The Act does not authorize the Court to address policy, privacy, and civil liberty questions when promulgating general rules of practice and procedure. If Congress does not like the promulgated rules, they have retained the authority to review and reject them, as they tried to do with Rule 41 this past November, but that measure ultimately failed.

Congress can even impose a higher standard than Rule 41 if they so choose. But it would be wrong to expect the Advisory Committee to address these concerns because (1) the Rules Enabling Act does not delegate that authority to the Supreme Court, and (2) the Advisory Committee, when amending Rule 41, was answering the question of venue: where do you obtain a search warrant when the computer’s location is masked behind anonymizing technology. Hopefully this new Congress will address these concerns, but for now, law enforcement has received its answer regarding venue and cybercrime.