An Open Letter to Congress: Please Prevent Rule 41 from Going into Effect

October 31, 2016

Dear Congress,

My name is Katherine Carpenter and I urge you to protect the 4th Amendment rights of all Americans and take action to prevent Rule 41 of Federal Criminal Procedure from going into effect in the Federal Court System.

What are the Federal Rules of Criminal Procedure?

These rules govern federal criminal prosecutions. The rules include the process for correcting clerical errors, court holidays, court hours, the warrant process. These rules are supposed to focus on procedures and are not intended to impact the substantive rights of defendants. However the new Rule 41 is not completely procedural and treads into the arena of individuals’ substantive rights.

What is Rule 41?

Rule 41 of Criminal Procedure is a proposed rule that has been in process for three years. The Supreme Court has already approved it without any modification. If you, in Congress, do not take action before December 1, 2016, this new procedural rule will be adopted and will likely be difficult to change or roll back.

Rule 41 deals with warrants.

This proposed rule change would allow a judge — “any magistrate judge in any district where activities related to the crime may have occurred” — to issue a warrant to remotely access, search, seize, or copy data when “the district where the media or information is located has been concealed through technological means” or when the media are on protected computers that have been “damaged without authorization and are located in five or more districts”.

You may be thinking, “Why should I care? I don’t plan to be a defendant in a criminal court…”

Ah, but here’s the troubling piece: the warrant will allow law enforcement to hack into a computer even if you are not a defendant in a criminal case. Many individuals have expressed concern that victims and/or innocent parties will be “hacked” by law enforcement. The Department of Justice has said these amendments would only apply in “two narrow circumstances” (above) and the intention is not to do away with any 4th Amendment protections, however the application of laws can differ from the intent of rulemakers.

I. Where a computer location is concealed by technological means:

A new Rule 41 warrant allows law enforcement to “use remote access to search electronic storage media and seize or copy electronically stored information located within or outside that district if […] the district where the district where the information or media is located has been concealed using technological means” and is relevant to a crime. This rule could be interpreted broadly enough to include any computer, smartphone, or other device capable of carrying “media or information”.

What does it mean to conceal a location through technological means?

Your IP address is considered “personally identifiable information” (PII) under the HIPAA privacy rule. While this rule pertains only to health care interactions, other similarly protected information includes your social security number, your birthday, and your face. A person may want to conceal their IP address when they go online to protect themselves because the IP address can be used to identify individuals. Both the Tor browser and a virtual private network (VPN) conceal an individual’s original location. Benign methods of concealing your computer’s location can include denying location data to smartphone applications, changing the country setting in an online service to see censored content.

Here’s why you might want to “conceal” your computer’s location “through technical means.” I am going to focus on a VPN as an example here because I believe it is more relevant to a larger audience of computer users than is Tor.

  • You might use the internet in a coffee shop (or otherwise access public wifi spots). Whether you are doing something personal or work-related, wifi connections in public locations can see the information that travels over the network and a VPN keeps your information private. For that reason, many workplaces require that employees log into a VPN when they are working away from the office to protect trade secrets, intellectual property, and other types of business information. This is a reason to have and to use a VPN.
  • Wifi Security. This is related to the previous reason. Any time anyone accesses a network, there is the possibility that someone is monitoring it. Malicious actors could use a variety of methods to capture information from the network including personal information, passwords, and access data on network-connected devices. Even if network traffic is monitored without bad intent, it is reasonable to protect correspondence and other information on an individual device from unauthorized eyes.
  • Comparing Prices Online. The rationale for concealing one’s location could be as simple as comparing prices of items across different websites. While the practice of advertising different prices to people in different places is legally controversial, it does happen and when a consumer is searching for a bargain, it is useful to find the best one.
  • You might work for a business that has secrets it protects against corporate espionage and other prying eyes. Many businesses mask the location of their computers (and those of their employees) because people with technical knowledge can capture information that could be relevant for competitive advantages. Additionally, executives at a corporation, particularly publicly traded ones, may want to use a VPN and turn off mobile location tracking in order to avoid giving out their location.
  • You may be a researcher, studying any number of savory or unsavory characters. Researchers monitor “dark web” sites to do internet security research and other research to prevent cybercrime. For them it is critical to mask their true identification including location because they are working in dangerous territory with individuals who could be dangerous. Other researchers study gangs, not in a cyber-crime context but in other contexts. Depending on their research, they also would want to mask their true identification to protect themselves. This is a situation where people might use Tor instead of a VPN (or Tor in combination with a VPN).
  • You may be the victim of cyber harassment or stalking. This is a critical reason to mask your computer’s location so that your harasser or stalker can not find your true location. In a situation where a victim of cybercrime has a computer somehow connected to the crimes of the stalker/harasser/criminal it makes sense to get a subpoena from law enforcement and cooperate with them than have law enforcement remotely access the device.
  • You might visit porn sites. In 2013, an estimated 30% of Internet traffic went to porn sites. The US is one of the heaviest global porn consumers. You may not want other people to know that you watch porn at all or allow them to make judgments about you based on the types of sites you visit and the type of porn you watch. This is similar for dating sites or social networks including Tinder or Ashley Madison: you may give the site real information (or not) about yourself but you probably don’t want to have cookies from those sites saved on your machine so they can be traced back to you. (Additionally, if you ever went to a site even accidentally that served child porn, you could be in a great deal of trouble.)
  • You might be curious about something and not want it traced back to you. Everyone has reasons at some point in their life for making inquiries they do not want to be public. Politicians may have more reason than some people to protect their online inquiries because they are in public service. You may want your political views to be private because of your personal preferences or the company you work for. You may perform an online search about health issues for a friend, a colleague, or curiosity and not want that inquiry traced back to you. An IP address is personally identifiable, similar under some regulatory categories to your face, eye color, phone number, and exposing an IP address will allow others to track these online activities back to you.

Other relevant location-related information:
Advertisers and other data brokers (in the US) are allowed to collect your IP address and use it with other information to create a picture of you and your habits so that they can target better ads/products for you. You are not required to consent for advertisers to collect your IP address and metadata about your online interactions.

Global Positioning System (GPS) is also used to assess location via electronic devices in vehicles, in smartphones, and in devices specifically created to assist in directional navigation (also commonly known as GPS devices). You may turn your GPS receiver in your phone off, and that will impact your use of certain applications. For example, you can map out a path using Maps (apple or google) when you have disabled your GPS and location, but you cannot use transportation applications (Uber, Lyft, etc.) because they rely on your physical location to alert their drivers.

II. Where crime involves computers located in five or more judicial districts:
I believe this part of the proposed rule is aimed at combating DDoS attacks like the ones suffered last week. Many of the machines involved in this kind of attack are run by innocent victims (natural people), devices where administrative access is still set to the “factory” defaults, companies with devices running outdated software, or companies using devices that had some vulnerability the vendor left behind. The problem with hacking into any/all of these devices is that it perpetuates a problem and will likely not help anyone with vulnerable machines. It seems like this kind of government hacking could end up in a “blaming the victim” type of scenario.

Federal law enforcement officers have collaborated in the past by collecting information about similar-looking crimes in multiple jurisdictions and combining the evidence to build a stronger case that fights cybercrime (or other crimes). These efforts could expand without Rule 41 if Federal law enforcement improved internal collaboration. I believe this is a more constructive way to deal with botnets and DDoS attacks than remotely accessing any electronic device that communicates with the Internet in pursuit of information.

The scope of both parts of the new rule would allow warrants to be issued to allow remote access of electronic devices outside of the judge’s judicial district and perhaps outside of the United States. Search warrants should be issued by a disinterested judge, based on probable cause, and must be sufficiently precise as to the things to be seized and the place to be searched. If the justice department starts searching citizens computers because judges believe that using technology to protect your privacy (e.g., using a VPN, not sharing location data with your phone applications) is “probable cause” of criminal activity, we will become a society of suspected criminals simply by doing the things we are supposed to do to keep ourselves safe online.

I implore you to take action against Rule 41 in the remaining time you have before December 1. The election looms and I am aware that many of you are campaigning for re-election. I participate in the electoral process and I believe this issue is relevant for everyone whether or not you hold office.

This proposed rule change will impact every single one of you no matter where your political beliefs lie. Senator Wyden has introduced a very short bill that if passed will simply prevent these new Rule 41 changes from going into effect.

This is a constitutional issue, it is not a partisan one. Please take action and prevent Rule 41 from going into effect.

Sincerely,

Katherine Carpenter
San Francisco, CA

Bio. Katherine Carpenter is a consultant and works in technology, privacy, health, information security, and ethics.

Disclaimer/declaration: I have been active as an advocate for privacy, as a bridge builder for law enforcement, and helping protect people who have been stalked and harassed online. Although my beliefs political views may have influenced my writing, I have tried to create the most comprehensible, and apolitical arguments possible because I believe this issue is relevant to all Americans no matter your belief system, race, gender and as Americans we deserve to be protected by our Constitution.