The U.S. Department of Justice has made new changes to Rule 41 of the Federal Rules of Criminal Procedure, changing venue provisions for obtaining a search warrant. The Cipher Brief sat down with David O’Neil, a Partner at the firm Debevoise & Plimpton and former acting Assistant Attorney General of the Criminal Division at the Department of Justice, to discuss what these changes mean, the rationale behind them, and their likely implementation during FBI investigations into online crime.
The Cipher Brief: What do the amendments to Rule 41 of the Federal Rules of Criminal Procedure entail?
David O’Neil: There are two key changes to Rule 41. The first is intended to address the situation in which the government does not know what district court it should go to in order to obtain a warrant because the person or place that they are investigating has used technology that obscures their location. It allows the government to go to a relevant court to seek a warrant in those circumstances.
The second change, which is known colloquially as “the botnet provision,” allows the government to go to one district court in order to obtain a search warrant where many computers in many judicial districts have been infected by the same malware, or are part of the same botnet. So, instead of having to go to 94 different districts to obtain evidence on computers within those districts, the government can go to one court and obtain the authority to cover all the districts in which it needs to operate.
Both amendments are fundamentally venue provisions. They affect where the government can go to obtain a warrant. They don’t change anything about the standards or requirements the government needs to meet in order to get a warrant.
TCB: What is the rationale for the changes? Do you anticipate that it will better equip law enforcement to address criminal activity online?
DO: The rationales for the changes are pretty straightforward and are points the Department of Justice has been emphasizing for several years. The rationales are that, because of changes in technology that make it more difficult to determine where a person is located when committing crime over the internet, updates were needed to the venue provisions of Rule 41—enacted in 1917—and that with the phenomenon of botnets, there needed to be a provision that specifically addresses it.
The changes will better enable law enforcement to address those situations. The question is, as some have cautioned, will it have unintended consequences and allow the government to do more problematic things, or to do problematic things more easily than it currently can? That remains to be seen.
TCB: One criticism is that the changes did not receive any kind of meaningful congressional debate. Why were the amendments not brought before Congress at all?
DO: The amendments have been debated in the Advisory Committee on the Rules of Criminal Procedure for more than three years. I always push back a little bit when I hear about how the amendments have not received thorough debate because I spent three days in meetings with judges, private practitioners, academics, and privacy advocates discussing these rule changes in great depth when I was the Department of Justice’s representative to the advisory committee. So they did receive a very thorough hearing.
It did not go through Congress because these are fundamentally procedural rules and Congress created a body and a process for the creation of, and amendments to, procedural rules like this. And ultimately, the Supreme Court approved them.
Congress, of course, can at any point step in and block these rules or change them. But it has not, at least yet, decided to do that.
TCB: On FBI hacking more generally, the techniques likely to be used under the changes in Rule 41 are not new, or a result of the law’s amendment. But it has brought up concerns about collateral damage or furthering cyber insecurity by releasing exploits into the wild, which could essentially allow criminals to exploit that same vulnerability in the meantime. How does FBI hacking play out in broader cybersecurity?
DO: I agree this is a totally different topic from Rule 41. I think the two are often conflated and the Rule 41 changes become a convenient target for broader concerns about what, substantively, law enforcement or the intelligence community is doing. But the Rule 41 changes are narrow venue amendments. So I think it is important to recognize that from the outset.
Regarding the question on the use of what are sometimes called zero-day exploits by law enforcement and the intelligence community, it is a very tricky and a very difficult subject. If law enforcement or the intelligence community deploy exploits like that, or create them, and then introduce them into the ecosystem, it’s hard to see how that will not have unintended consequences. There is a great risk with the use of those techniques or vulnerabilities that ultimately everyone’s security may be weaker.
I am a believer in ensuring that the decision whether or not to deploy those kinds of tools is made after full consideration of all of the possible impacts and the different equities implicated. The Obama administration announced an official vulnerabilities equities process, which sounds like an inter-agency body that would consider and make those kinds of decisions. But it is totally unclear what that body does, what its rules are, what decisions it has made, or how active it is.
It would go a long way to bolstering the public’s trust that the government is using these kinds of tools responsibly if there was more transparency about how that process works and more confidence that there is an effective way of making sure that the consequences were thought through from all angles before the government deployed a hacking tool or used a vulnerability.
TCB: How do you see the venue changes being implemented? Will the FBI expand past targeting botnets and child pornography to crimes like the sale of drugs, counterfeit documents, arms, or even the dissemination of classified material online? Is the scale of these attacks going to be like the Playpen case, for example, where the FBI hacked 8,000 different devices in 120 different countries? Is this the new normal for law enforcement fighting cybercrime?
DO: The kinds of cases where the Rule 41 amendments are going to be useful are still going to be the exceptional, unusual, and particularly complicated ones. Those are also the cases in which there are usually the most victims and, in the case of online child sexual exploitation, where harm to the victims is most egregious. So they will not become the new normal, nor will these changes open a vast new form of law enforcement techniques or a new strain of investigations. They are going to address a gap in pre-existing law.
However, people will need to watch very closely how the government uses these authorities. If in fact, as some have cautioned, the government starts using them as a venue shopping measure, and always takes controversial warrants to the same judge who rubber stamps them, or does not understand the technology, then this is an issue that should be revisited. That is an issue we are just going to have to wait and see and, of course, if that’s the case, then the wisdom of the changes will come back up in the advisory committee on federal rules, or Congress can address this directly.
The concerns that have been raised about these changes are valid, but I think their effect is likely going to be much more limited than what some fear.