Extraterritorial use of policeware in the United States?
Is the FBI allowed to remotely install spyware on computers? And what if the suspect lives outside the United States? What are the capabilities of such “policeware”? This blog post briefly analyzes a decision of a U.S. judge on this subject.
Last week, the story broke that a judge from Texas (United States) had published a decision (.pdf) denying a warrant for the placement of “policeware” on a computer of an unknown suspect at an unknown location. Policeware is special surveillance software, also called “spyware”, utilized to secretly monitor all kinds of internet activities of a computer user. The decision is interesting because it sheds light on the use of policeware in the United States.
Capabilities of the software
Judge Smith explains that the FBI requested to install “data extraction software” on the “Target Computer” (presumably the computer of a suspect). This software has the capability to search the computer’s hard drive, random access memory, and other storage media (thus perform a “remote search”). Additionally, the software can “activate the computer’s built-in camera, generate latitude and longitude coordinates for the computer’s location and transmit the extracted data to FBI agents in the district”. By installing the software, the FBI wishes to obtain information such as web browsing history, e-mail contents, e-mail contacts, chat logs, photographs and correspondence. The law enforcement agency also wishes to use the built-in camera to make photographs to identify the person using the target computer.
Extraterritorial application of a warrant to install policeware
The Texan judge then ascertains whether the request complies with the warrant requirements as described in Rule 41 of the U.S. Federal Rules of Criminal procedure. This blog post does not allow to me elaborate on the judge’s decision and the requirements of a “Rule 41 warrant”, but I do want to point out that the judge establishes that Rule 41 only allows for searches “in the district of the judge”. In this case the territoriality requirement is not met, because the search does not take place within the district, “so far as the Government’s application shows”, according to the judge. Note the judge’s witty remark that the search takes place: “not in the airy nothing of cyberspace, but in the physical space with a local habitation and a name”.
U.S. digital surveillance expert Orin Kerr analyzed the court decision of judge Smith on the popular legal blog “The Volokh Conspiracy”. I found his considerations about the applicability of the warrant requirement on a potentially foreign suspect particularly fascinating. It is standing case law (under United States v. Verdugo-Urquidez, 494 U.S. 259 (1990) that the warrant requirement of the Fourth Amendment of the U.S. Constitution does not apply outside the United States. Since it is likely the physical computer will be searched overseas (because the last known IP address is traced back somewhere in Southeast Asia), the government does not need a warrant to search the physical computer. However, Kerr believes the search also takes place in the United States when the information is analyzed by U.S. law enforcement officials and therefore a warrant is required “for that part of the search that takes place in judge Smith’s home district”. Kerr ultimately finds the arguments presented by judge Smith to deny the warrant unconvincing.
Kerr’s analysis of the case begs the question: is it desirable that the United States could potentially perform searches of computers and install policeware on computers in foreign territory by unilaterally applying their criminal procedural rules to foreigners? If the answer is no, keep in mind that the Dutch government suggested more or less the same thing on p. 34-35 in their announcement today (in Dutch) to amend the Dutch Code of Criminal Procedure to make hacking and the placement of spyware possible on computers “if their location is unknown” (see also this blog post).
I’m curious to hear from international criminal law legal experts and others as to what they think of this.
Thanks Orin for your comment! In our Dutch proposal the legislator also seeks the possibilty to hack a computer (in the broadest sense of the word) to pinpoint the location (IP-adress or GPS signal) of a computer by tracing it or using a web bug. At that point investigators could request legal aid from the state the computer is located. Of course, I understand that in practice this is process is too slow and governements look for alternatives.
A problem is I think that it is unclear when exactly the "location is unknown". In the Dutch letter Cloud computing is provided as an example in which the location of data is unclear. But with regard to data at some U.S. cloud providers it is perfectly clear where to get data: at the headquarters in the United States from these companies themselves.
I just find it fascinating that we are apparently moving towards a world in which states apply their own criminal procedural laws on "target computers" outside their territory (in special circumstances). I wonder if that doesn't lead to chaos or at least an undesirable practice.
JJ, what's the alternative? If investigators don't know where the computer is, how can they get legal process or cooperate with investigators in the country where the computer is located?
Add a comment