Fitting Cyber into Federal Procedure: Square Peg, Round Hole
A client sent me Cyberscoop’s article about the Department of Justice’s successful efforts to stop a Russian botnet called “Cyclops Blink.” DOJ’s applause-worthy efforts undoubtedly saved millions of dollars and prevented unfathomable types of disruption. This event came nearly a year (to the day) after the FBI debugged countless (estimated at 60,000+) Microsoft Exchange servers targeted by a Chinese hacking group, preventing another catastrophe.
Both the April 2021 and April 2022 events were accomplished by the DOJ securing search warrants that granted it access to servers and networks owned by private parties and allowed DOJ to enter those servers to delete the malware launched by foreign criminals. In the April 2021 search warrant, the FBI argued that sealing the search warrant (not making it public record) and delaying notice to network owners was permitted because notification could adversely affect the FBI’s efforts (endangering life or property) and the warrant did not involve seizure of tangible property or communications. The servers’ owners were not notified of DOJ’s activities until the mission was completed. The DOJ derived its authority to conduct these acts from the newish (2016) procedural authority granted by Rule 41(b)(6)(B).
The issuance of search warrants is traditionally subject to the territorial jurisdiction of the courts. However, 2016 amendments to Rule 41(b)(6) allow a federal magistrate judge to issue a search warrant for remote access to electronic storage media to seize or copy electronic data located within or outside the judge’s district if either of the following is true: (1) the physical location of the electronic data is concealed by technology; or (2) the crime at issue is a Computer Fraud and Abuse Act (“CFAA”) violation for “knowingly” and without authorization accessing “protected computers” to cause damage, in five or more districts. The CFAA defines protected computers as those owned or operated by the U.S. Government or financial institutions, used in or affecting interstate or foreign commerce or communications, or used with a voting system or federal election.
The advisory committee notes on the 2016 amendments, which added section (b)(6) to Rule 41, stated that the intent was to “eliminate the burden of attempting to secure multiple warrants in numerous districts, and allow a single judge to oversee the investigation.” However, the advisory committee also cautioned that “the amendment does not address constitutional questions, such as the specificity of description that the Fourth Amendment … leaving the application of this and other constitutional standards to ongoing case law development.”
Although we are grateful for DOJ’s efforts, federal and state courts are traditionally limited to making decisions that affect persons, places, or things within their territorial jurisdiction. While neighboring courts can recognize, certify or re-issue, and enforce orders from other courts, such recognition is not automatic, and for good reason – states are independently sovereign entities with their own laws and police powers pursuant to the Tenth Amendment to the Constitution. For example, a homeowner can allow a person to use the restroom in his or her house, but that same homeowner cannot make the same decision on behalf of a neighbor. What if the neighbor’s toilet was broken? Or the neighbor’s septic system was non-operational? Or the neighbor had some deadly communicable disease spread by surface contact (COVID)?
Aside from the Fourth Amendment’s privacy issue, the question of how to interpret Rule 41(b)(6) is also open. How much effort must DOJ expend before stating that the physical location of the electronic data is concealed by technology? Can DOJ simply state that a VPN service makes the location determination impossible? Or does DOJ have to try to determine the identity of the VPN service provider, subpoena it for an accurate IP address of the server, and then obtain the location information from the telecommunications provider?
Also, if DOJ is accessing servers without the owner’s knowledge to perform remediation work, what happens if the remediation work is botched or negatively impacts the server? Does DOJ have culpability, or does it have a “good faith” exception to liability? At the risk of seeming like a “Monday-morning quarterback,” shouldn’t this exception be limited to issues of national security (like Chinese hackers in Exchange servers, or Russian nation-state cyber-attacks)? Or, at least, limit jurisdiction by the domicile of the server’s owner? If jurisdiction is not going to be limited, why not create a cybersecurity-specific court of judges who are also subject-matter experts, similar to the United States Foreign Intelligence Surveillance Court?
Although well-intentioned and producing success stories, the abrogation of sustainable legal principles (like jurisdictional limits) can (and eventually will) lead to absurd and disruptive results.