CHALLENGING GOVERNMENT HACKING IN CRIMINAL CASES

March 2017

American Civil Liberties Union, 125 Broad Street, New York, NY 10004
Electronic Frontier Foundation, 815 Eddy Street, San Francisco, CA 94109
National Association of Criminal Defense Lawyers, 1660 L St. NW, 12th Floor, Washington, D.C. 20036

© 2017 ACLU Foundation
© 2017 Electronic Frontier Foundation
© 2017 National Association of Criminal Defense Lawyers

Cover Image: Hugh D’Andrade

ABOUT THE AUTHORS*

AMERICAN CIVIL LIBERTIES UNION (ACLU)

For nearly 100 years, the ACLU has been our nation’s guardian of liberty, working in courts, legislatures, and communities to defend and preserve the individual rights and liberties that the Constitution and the laws of the United States guarantee everyone in this country. The ACLU takes up the toughest civil liberties cases and issues to defend all people from government abuse and overreach, and works to establish new privacy protections for our digital age of widespread government surveillance. With more than 2 million members, activists, and supporters, the ACLU is a nationwide organization that fights tirelessly in all 50 states, Puerto Rico, and Washington, D.C., for the principle that every individual’s rights must be protected equally under the law, regardless of race, religion, gender, sexual orientation, disability, or national origin.

ELECTRONIC FRONTIER FOUNDATION (EFF)

The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows.
With roughly 37,000 active donors, EFF represents technology users’ interests in court cases and broader policy debates, including the debate about law enforcement “hacking.” EFF has worked to educate criminal defense attorneys and the courts about the threats to privacy posed by this surveillance technique, including filing amicus briefs in seven cases arising from the Playpen investigation.

NATIONAL ASSOCIATION OF CRIMINAL DEFENSE LAWYERS (NACDL)

The National Association of Criminal Defense Lawyers is the preeminent organization in the United States advancing the goal of the criminal defense bar to ensure justice and due process for persons charged with a crime or wrongdoing. NACDL’s core mission is to: Ensure justice and due process for persons accused of crime … Foster the integrity, independence and expertise of the criminal defense profession … Promote the proper and fair administration of criminal justice.

Founded in 1958, NACDL has a rich history of promoting education and reform through steadfast support of America’s criminal defense bar, amicus curiae advocacy, and myriad projects designed to safeguard due process rights and promote a rational and humane criminal justice system. NACDL’s many thousands of direct members — and 90 state, local and international affiliate organizations totaling up to 40,000 members — include private criminal defense lawyers, public defenders, active U.S. military defense counsel, and law professors committed to preserving fairness in America’s criminal justice system. Representing thousands of criminal defense attorneys who know firsthand the inadequacies of the current system, NACDL is recognized domestically and internationally for its expertise on criminal justice policies and best practices.

* Students in the Technology Law and Policy Clinic at NYU Law School, including David Krone and Charles Low, contributed to this report.

CONTENTS

INTRODUCTION
MALWARE: WHAT IS IT & WHAT CAN IT DO?
TOR AND THE DARK WEB: WHAT ARE THEY & HOW DO THEY RELATE TO LAW ENFORCEMENT’S USE OF MALWARE?
TYPES OF INFORMATION TARGETED BY MALWARE
EXISTING WATERING HOLE ATTACKS
HOW CAN YOU TELL IF THE GOVERNMENT USED MALWARE IN YOUR CASE?
AVAILABLE DISCOVERY REQUESTS
AVAILABLE LEGAL ARGUMENTS
FOURTH AMENDMENT ARGUMENTS
THE DEPLOYMENT OF A NIT ON A SUSPECT’S COMPUTER IS A SEARCH
SOME COURTS HAVE HELD THAT VISITING A CHILD PORNOGRAPHY SITE SUPPLIES PROBABLE CAUSE, BUT STRONGER CHALLENGES LIE IN OTHER CONTEXTS
NIT WARRANTS CAN BE CHALLENGED FOR LACKING PARTICULARITY
SPECIFICITY
OVERBREADTH
RULE 41(B) ARGUMENTS
NIT WARRANTS ISSUED BEFORE DECEMBER 1, 2016
NIT WARRANTS ISSUED ON OR AFTER DECEMBER 1, 2016
ARGUMENTS FOR SUPPRESSION
SEEKING AND RELYING UPON A WARRANT THAT EXCEEDS A MAGISTRATE JUDGE’S JURISDICTION IS IN BAD FAITH
SPECIAL LIMITS ON THE EXCLUSIONARY RULE FOR RULE 41(B) VIOLATIONS MAKE SUPPRESSION UNLIKELY ABSENT A FOURTH AMENDMENT VIOLATION
DUE PROCESS ARGUMENTS FOR DISMISSAL OF INDICTMENT
CONCLUSION
APPENDIX A: GLOSSARY
APPENDIX B: TABLE OF ORDERS ON MOTIONS TO SUPPRESS
APPENDIX C: SAMPLE BRIEFS AND LETTERS TO COMPEL DISCOVERY
FIRST SAMPLE MOTION AND EXHIBITS
GOVERNMENT’S OPPOSITION TO FIRST SAMPLE MOTION
DEFENDANT’S REPLY FOR FIRST SAMPLE MOTION AND EXHIBIT
DISCOVERY LETTER FOR FIRST SAMPLE MOTION
SECOND SAMPLE MOTION
THIRD SAMPLE MOTION
FOURTH SAMPLE MOTION AND EXHIBITS

INTRODUCTION

In recent years, the government has increasingly turned to hacking as an investigative technique. Specifically, the Federal Bureau of Investigation (“FBI”) has begun deploying malware: software designed to infiltrate and control, disable, or surveil a computer’s use and activity. The government calls this type of hacking operation a “Network Investigative Technique,” or NIT.

Law enforcement, and particularly the FBI, has been using malware to investigate online criminal activity since at least 2002.[1] While the FBI initially limited malware attacks to individual computers, it has in recent years embraced a form of bulk hacking that enables small teams of agents to hack thousands of computers in a single operation, often on the basis of a single warrant issued by a single magistrate judge.[2] The use of this controversial technique is driven in part by the increased availability and adoption of easy-to-use privacy-enhancing technologies, like Tor and Virtual Private Network (“VPN”) services, which allow individuals to shield their locations and identities online, and by the use of encryption, which allows individuals to protect the contents of their communications.[3] Installing malware can enable the government to identify targets who use privacy-enabling software to hide their IP addresses, and thus their location or identity, or to access encrypted communications.

To date, the best known and most frequently litigated form of government bulk hacking is a so-called “watering hole” operation, in which the government commandeers a website associated with criminal activity, continues to operate it, and uses the site to surreptitiously deliver malware to (possibly hundreds or thousands of) computers that connect to the site. The term derives from the concept of poisoning a watering hole where certain animals are known to drink. The government can deliver the malware through a link that a user clicks on, or by programming the malware to secretly install itself on a computer once a user visits a particular page. Unbeknownst to the user, the malware then takes partial control of the computer in order to search it and send identifying information, including the computer’s IP address, back to a law enforcement server.

To obtain authorization to deploy malware, the FBI uses search warrants issued by magistrate judges pursuant to Rule 41 of the Federal Rules of Criminal Procedure.[4] In several watering hole operations, the FBI has remotely searched thousands of computers located in districts around the country pursuant to a single search warrant—including, in the most recent known operation, searching more than 8,000 computers in 120 different countries.[5] As of the date of publication, the legality of such government bulk hacking is being fiercely litigated in criminal cases across the country, giving rise to a quickly developing area of law. As information about law enforcement hacking has come to light, a number of federal judges have voiced concern about the legality of this technique, with some rejecting hacking warrant applications or suppressing evidence obtained by the FBI through the use of malware.

This guide seeks to educate defense attorneys about these highly intrusive surveillance techniques and to help them prepare a zealous defense on behalf of their clients against secretive and potentially unlawful hacking. Such hacking has never been discussed by Congress, and we in no way endorse government hacking. However, given that the federal government is deploying malware and a recent amendment to Rule 41 only makes such deployment easier, it is our goal to ensure that all uses of malware are subject to meaningful Fourth Amendment analysis so that malware is installed only when supported by individualized suspicion.
Our Fourth Amendment right to be free from unreasonable searches applies regardless of whether new technology is involved in effectuating a particular search; however, the law may be slow to catch up, particularly when the government goes to great lengths to hide details about its use of new surveillance techniques.[6]

In the following sections, we explain the technologies and terminologies that surround government malware,[7] point out how to recognize the use of government malware in a criminal case, and outline the most