On Thursday, the US Supreme Court passed a proposed change to Rule 41 of the Federal Rules for Criminal Procedure, one of the main bodies of law that governs the powers and behavior of the FBI. Previously, Rule 41 stated that a judge may only hand out a warrant to be issued within the district they represent — but how do you work within that system when you’re tracking someone whose location has been technologically obscured? The new version of Rule 41, approved on Thursday, removes the requirement in cases where the suspect’s location cannot be realistically obtained. In practice, this means the FBI can ask for, and receive, warrants to hack suspects anywhere in the world.
This comes in the wake of a number of legal decisions against the FBI, stemming from the jurisdictional issue presented by the former version of Rule 41. The US congress may intervene to stop this rule change, but it’s doubtful that it will choose to do so, especially in an election year. The Supreme Court also changed Rules 4 and 45 in the same decision, but they’re not considered as centrally important to the FBI’s cyber powers.
Until now, it’s been difficult to get direct authorization to directly hack users of the TOR network and other anonymity regimes. In many cases the FBI has had to find alternate ways of confirming someone’s rough location before they could get the warrant for further, directed attacks from the appropriate magistrate. That takes time and, in some extreme cases, may simply be impossible. The Supreme Court decision means that in cases where the location of a suspect has been “concealed through technological means,” jurisdiction essentially does not apply at the investigatory phase.
Here’s the most relevant part of the full ruling:
These warrants would still have to meet the normal standards of evidence for a warrant of the type requested, and would have to show that the location of the suspect could not be reasonably attained by other means. In practice, fulfilling this second requirement could be as simple as demonstrating that a suspect uses the TOR Network at all.
To an extent, the FBI’s concerns are unquestionably real — we can’t, as a society, let crime go on simply because technology has been specifically created to run afoul a rule even The Intercept calls “a technicality” in many situations. The concern is not so much that the FBI will be able to push forward with these sorts of cyber investigations more efficiently, but that the powers will be subject to little oversight.
In particular, privacy advocates worry that this could turn into a meta-warrant issued to give the FBI jurisdiction to attack entire anonymity networks like the TOR Network and, potentially, the entire user base of such programs.
In addition, a large proportion of the suspects investigated by the FBI will be found to be outside the FBI’s ability to prosecute — the criminals will turn out to be in Russia, China, Iran, or just plain old Europe. As UC Hastings professor of law Ahmed Ghappour said in a recent paper, the FBI’s increasingly aggressive tactics in pursuing cyber criminals has the potential to set off real international strife, if the recipient nation decides to take it the wrong way. In many cases, the FBI is already cyber-attacking suspects whose physical location is unknown — with this rule change, it’s expected that activity will become totally routine.
As of right now, the FBI has a real sense of entitlement to try any case in which they’ve done the lion’s share of the investigation — check out the case of Eric Eoin Marques, who will soon be transferred to the US despite not having set foot in the country or having hosted a single server there. Since the crime was online, it affected America and can thus motivate an extradition request — the wide-open nature of international law has allowed novel modes of cyber crime to more quickly affect the standards for investigation and prosecution than in the US. For better or worse, America is just now starting to replicate some of those same standards at home.
If investigation of cyber crimes progresses without borders, and to an extent the prosecution of them does as well, then cyber criminals are submitting themselves to a completely different sort of legal risk than regular ones.