Press release: Privacy International files amicus curiae brief in case challenging warrant authorizing FBI to hack over 8,700 devices, mostly located outside the US

Privacy International has today filed an amicus curiae brief in the case of U.S. v. Levin. Privacy International’s brief highlights the implications of permitting U.S. law enforcement to hack abroad. The case is currently pending in the U.S. Court of Appeals for the First Circuit. Levin is one of a wave of criminal cases brought pursuant to an FBI operation in which over 8,700 computers around the world were hacked. 
 
 Key points:

  • In 2015 a magistrate judge in the state of Virginia authorized a warrant for the FBI to hack untold numbers of electronic devices located potentially anywhere in the world.
  • FBI ultimately hacked over 8,700 computers, over 83% of which were located outside the U.S., in 120 countries and territories.
  • Privacy International has filed an amicus curiae brief in the case, arguing that the FBI’s unilateral hacking of devices abroad violated both international and domestic law, and carries potentially grave foreign relations risks.

Privacy International is able to provide comment and/or background on the case. Media contact: press@privacyinternational.org ; +44 (0) 20 3422 4321
 
 Privacy International’s Arguments
 
Privacy International files its amicus curiae brief to draw attention to the international implications of the FBI’s hacking operation. Well-established international law and practice prohibit a state from unilaterally conducting investigative action beyond its borders or, in other words, without the consent of affected countries. Such action can be perceived as a violation of sovereignty, with the potential to lead to diplomatic conflict. For this reason, U.S. law generally limits the ability of U.S. judges to authorise warrants to conduct overseas searches and seizures. 
 
Our brief also highlights that, in the digital realm, unilateral investigative action poses particular risks. As the public is increasingly learning from hacking-related controversies such as those surrounding the recent U.S. election, the nature, scope and purpose of a hack — especially where foreign actors are involved — can be difficult to determine. It can therefore run a risk of heightening diplomatic conflict. The FBI’s use of hacking powers abroad also raises the question of whether the U.S. would welcome hacking operations on a similar scale carried out on U.S. residents by other countries.
 
This case and the others emanating from the FBI’s hacking operation raise novel and critical questions regarding the power of governments to hack and appropriate limitations on that power. Privacy International has been working to address these issues with an emphasis on the privacy and security of individuals around the world.
 
 
 Scarlet Kim, PI legal officer said:
 
“The FBI’s hacking operation in this case represents an enormous expansion of its extraterritorial surveillance capabilities — affecting thousands of computers in over a hundred countries around the world. Our brief sheds light on the foreign implications of the FBI’s actions, which were conducted unilaterally without the consent of other states, in violation of well-established international law and practice. It also raises important questions about the foreign relations risks incurred by this type of hacking abroad. How will other countries react to the FBI hacking in their jurisdictions without prior consent? Would the U.S. welcome hacking operations on a similar scale carried out on U.S. residents by other countries? Is the FBI violating the laws of foreign jurisdictions by hacking devices located in them?”
 
 Notes to Editor
 
In March 2015, a magistrate judge in the U.S. state of Virginia authorised a warrant for the FBI to execute a hacking technique — what it calls a “network investigative technique” (“NIT”) — on the devices of visitors to the child pornography website Playpen. On the basis of this single warrant, the FBI ultimately hacked over 8,700 computers. Over 83% of these devices were located outside the U.S., in 120 countries and territories.
 
Visitors to Playpen were accessing the website via the Tor network, which protects the anonymity — including the location — of users using the internet. People also use Tor and other anonymising technologies for a variety of legitimate reasons, including to prevent websites from tracking them, access websites and services blocked in their respective countries, and send and receive sensitive data, such as financial or medical information. If the physical location of a device is cloaked, it may be anywhere in the world. Moreover, at the time of the government’s warrant application, over 80% of Tor users were connecting to its network from outside the U.S.
 
The FBI’s hacking operation has resulted in a wave of criminal prosecutions. In many of these cases, such as this one, the defendants have challenged the validity of the warrant under Rule 41 of the Federal Rules of Criminal Procedure. At the time the warrant was issued, Rule 41 prohibited, with certain exceptions, magistrate judges from issuing warrants to search or seize property located outside their geographical districts.* The defendant in this case has argued that the warrant is invalid because it was executed in Massachusetts, outside of the issuing district. While much of the litigation challenging the validity of the warrant has focused on the domestic jurisdictional limitations imposed by Rule 41, Privacy International’s brief centers on the extraterritorial jurisdictional limitations on the warrant authority.
 
 *On December 1, 2016, significant amendments to Rule 41 came into force, which now permit magistrate judges to issue a warrant to remotely search or seize “electronically stored information” outside their district where the location of such information “has been concealed through technological means.”
 
 -ENDS-