The Very Wicked Problem of Search and Seizure in Cyberspace

The Facts

In April, the Advisory Committee on Criminal Rules proposed amendments to the Federal Rules of Criminal Procedure that would give authorities “more leeway to secretly hack into the suspected criminal’s computer,” so The Hacker News in a recent report.

According to the draft minutes of the Criminal Rules Meeting, the subcommittee on Rule 41 (Search and Seizure) envisioned the following amendment:

A magistrate judge with authority in any district where activities related to crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information within or outside that district. (p. 515)


Effectively, so the document, the change is intended to cover remotely accessed searches and seizures primarily a) to find out about the location of a computer when it is not known, and b) to search multiple computers in known locations outside the district of the issuing judge.

The Hacker News assessed the proposed amendment and translated it into plain English: With the new Rule 41, statutory law would allow authorities to “easily obtain warrants,” in order to secretly access suspects’ and witnesses’ computers

  • by employing zero-day exploits on software vulnerabilities (thus hacking into suspects’ computers)
  • whenever their location is unknown and presumably outside the jurisdiction of the issuing judge (thus in any of the other 93 judicial districts)
  • in large quantities whenever evidence or technical details related to suspected operators of botnets are targeted (hence, a single warrant could authorize the search of thousands of computers)


The Problem

Both The Hacker News and the Advisory Sub-Committee on the Criminal Rules provide a what occurs to me as an easily accessible set of reasons and justifications for the invasive proposal. It is based on the nature of cyber crime and a) how anonymizing technologies prevent the identification of the originating computer, and b) how containing and dismantling botnets require measures in many different jurisdictions.

My take on what makes the proposed amendment a messy policy problem, which will not be solved to the satisfaction of either stakeholder (government/law enforcement or civil society/privacy), builds on several layers where interests conflict with the pros of the envisioned change to the Federal Rules of Criminal Procedure:

1. The Ethical Layer: Governmental Use of Spyware
When governments employ spyware to utilize zero-day exploits and software vulnerabilities, ramifications range from the national to the global level, including:

  • A Potentially lower level of checks and balances:
    Conventional surveillance measures often have additional checks and balances on the organizational level, for example when telecommunication service providers facilitate wire-taps only after having received rightfully issued warrants. Contrarily, for the use of spyware, government agencies do not have to satisfy such external procedural requirements. Additionally, spyware suites usually equip their operators with remote access measures that may be more invasive than and exceed those that are covered by the respective warrant. In 2011, the German Bundestrojaner and its Staatstrojaners, spyware employed by German federal and state law enforcement agencies, carved out this difficulty of the government catching up with technology.
  • Negative impact on overall Internet security:
    Making zero-day exploits of vulnerabilities in commonly used software an integral part of law enforcement is likely to have negative impacts on the overall level of security in the Internet. The Heartbleed Bug and how it had reportedly been exploited over the course of a longer time by the National Security Agency serves as an example of choice, as it shows how governments can have knowledge about pervasive security flaws without sharing it. While they keep zero-day exploits secret in order to keep using them, these security gaps remain open and can be exploited by anyone who comes across them (our post about the zero-day exploit market and how suppliers cater to governments may be worth a look in this context as well).

2. The Factual Layer: Potential Extraterritoriality
Despite the intention of covering (only) all 94 judicial districts of the United States (US), the purpose of the amendment to Rule 41 is to search and seize data electronically stored on systems, whose location is not known. Accordingly, the very nature of cyberspace implicates potential search and seizure operations targeting devices that are not within the US at all. In that case, given that no prior consent has been obtained from the authority that has jurisdiction over the targeted system, a nation-state’s sovereignty may have been violated.

3. The Constitutional/Legal Layer: Particularity and Proportionality
The authorization of a search and seize of computers without knowing where they are located or how many will be subject to a (single) warrant also calls for considerations of particularity and proportionality. The draft minutes reflect the committee’s argumentation, due to which “any constitutional restriction should be addressed by each magistrate with each warrant request.” (p. 515)


Concluding Remarks

This post only introduces what occurred to me as the most striking points in favor and against the proposed amendment to Rule 41 of the Federal Rules of Criminal Procedure. Instead of recounting further arguments, my intention is to illustrate how The Onion Router (TOR) and other anonymization technologies or botnet facilitated denial of service attacks are challenging procedural law and call for innovative legislation.

With decision of May 5, the Advisory Committee recommended to publish the proposed amendment to Rule 41 for public comment (p. 486), before it will be passed on to Congress for respective enactment.


Tags: , , , , , ,

Hayden Versus Greenwald: High-Profile Debate On State Surveillance Coming Up

Here’s a heads-up to those who are interested in watching the straight-forward debate on what the Toronto Star labeled in today’s print edition “Big Brother – bad or good?”

Scheduled for 7:00 p.m. EDT, Munk Debates, a Canadian charitable initiative, will set the stage for 

  • former director of the NSA, CIA, and Principal Deputy Director of National Intelligence Gen. Michael Hayden (ret.), and
  • Felix Frankfurter Professor of Law at Harvard Law School Alan Dershowitz,

who will represent the pro-side of the debate, facing

  • investigative journalist, columnist, and Snowden revelations chronicler Glenn Greenwald, and
  • serial Internet entrepreneur and co-founder of the social news website reddit Alexis Ohanian,

who will argue against the pervasive state surveillance that became public with the global surveillance disclosures triggered by Edward Snowden a year ago.

The format of the debate includes an online as well as audience vote. Short opening statements are followed by a civil and substantive moderated panel discussion, concluded by short closing statements. The event takes place in Toronto in front of an audience of 3,000 people. It lasts approximately an hour and a half. The final vote is tallied and the winning side announced before 9:00 PM.

The debate will be live streamed to this link.



Tags: ,

Is the Fourth Amendment “Fighting for its Life”?

A couple of weekends ago I attended Western State University Law Review’s National Security Symposium, featuring keynote speaker, Dean Erwin Chemerinsky.  The dean’s speech focused on the Supreme Court’s “failure” to uphold the Constitution and served as an introduction to the afternoon panel on the constitutionality of the National Security Agency’s (NSA) surveillance programs.  The latter panel featured Attorney Todd Gallinger, Professor John Radsan, Professor Ryan Williams, and this blog’s administrator, Professor William C. Snyder.

In his presentation, Dean Chemerinsky asserted that the “reasonable expectation of privacy” test—established by Katz v. United States (389 U.S. 247 (1967)) to determine the applicability of the Fourth Amendment and, if applicability is determined, the reasonableness of warrantless searches and seizures under the Fourth Amendment—“doesn’t work” to protect against the threats of the twenty-first century.  I live tweeted during Dean Chemerinsky’s speech (@Tara_Pistorese, #WSULRSymp2014), but was intrigued by the Fourth Amendment assertions by the dean and thought it prudent to devote a blog post to this topic.

To begin, here is the language of the Fourth Amendment for your reference:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

As contributors to this blog and cyber scholars across the nation have argued, “the Supreme Court has repeatedly and consistently held that production of records about you in the hands of third parties[,]” such as metadata housed by your phone company, “does not implicate your constitutional rights.  You have no 4th Amendment protections regarding those records, [unless you meet the Katz test.]”  This argument finds additional support in Supreme Court cases such as Smith v. Maryland (44 U.S. 735 (1979)) and United States v. Miller (425 U.S. 435 (1976)), where the Court held that no reasonable expectation of privacy exists over phone company or bank records.  In other words, searches of such records do not meet the Katz test for implicating the Constitution at all.

Dean Chemerinsky’s argument, however, was more concerned with what he considers to be an outdated test that must be amended than with the constitutionality of searches that have thus far been conducted under the standard as presently articulated.  Specifically, the dean said, “What the Supreme Court needs to do, but has not yet done, is develop a theory of informational privacy.”

In Katz, which eventually established the “reasonable expectation of privacy” standard, the majority discussed the Fourth Amendment and the proper scope of its protections as follows:

[T]he Fourth Amendment cannot be translated into a general constitutional, ‘right to privacy.’  The Amendment protects individual privacy against certain kinds of government intrusion, but its protections go further, and often have nothing to do with privacy at all.  Other provisions of the Constitution protect personal privacy from other forms of governmental invasion.  But the protection of a person’s general right to privacy—his right to be let alone by other people—is like the protection of his property and of his very life, left largely to the law of the individual states. . . .

[T]he Fourth Amendment protects people, not places.  What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. . . . But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected (citations omitted).

Later, Justice Harlan’s concurring opinion explicated the words of the majority by saying (again, internal citations have been omitted):

I join the opinion of the Court, which I read to hold only (a) that an enclosed telephone both is an area where, like a home, a person has a constitutionally protected reasonable expectation of privacy; (b) that electronic as well as physical intrusion in to a place that is in this sense private may constitute a violation of the Fourth Amendment; and (c) that the invasion of a constitutionally protected area by federal authorities is, as the Court has long held, presumptively unreasonable in the absence of a search warrant. . . .

The critical fact in this case is that ‘(o)ne who occupies [] [a telephone booth,] shuts the door behind him, and pays the toll that permits him to place a call is surely entitled to assume’ that his conversation is not being intercepted.  The point is not that the booth is ‘accessible to the public’ at other times, but that it is a temporarily private place whose momentary occupants’ expectations of freedom from intrusion are recognized as reasonable (emphasis added).

Using Katz as a foundation, in my mind, Dean Chemerinsky’s proposal to change the standard upon which we consider searches and seizures with a technological component would require either: (1) broadening the current standard, or (2) employing a separate standard only for instances concerning “informational privacy.”  In either case, my question, generally, is: are we prepared to sacrifice elements of security in the name of this expanded right to privacy?

During the NSA panel at the same Western State University Symposium two weekends ago, Professor Ryan Williams discussed this trade-off between privacy and security and the implications of sacrificing one over the other.  Interestingly, Professor Williams posited that the word “sacrifice” itself implies an element of “knowledge”—in other words, you cannot sacrifice that which you do not know you are surrendering.  Think about this in the context of the NSA metadata collection program.  According to Professor Williams, it cannot be considered a “sacrifice” to permit the government to collect metadata from our phone calls in the name of increased security if we are not made aware that the government is doing so.

I cannot say I entirely agree with Professor Williams on this point for I think there may be instances where sacrifice could be simply the willingness not to know.  (My mind goes to the families of servicemen and women who are on classified assignment.  Would anyone argue that a mother or father’s willingness not to know the specifics of their son or daughter’s mission is not a sacrifice?)  Could it not be just as compellingly asserted that, if I choose security over privacy, I am making a sacrifice by accepting that there are actions the government may take in the name of security of which I choose not know?  To me, the willingness not to know of certain government programs is just as much a sacrifice as an explicit authorization of those activities.

However, even accepting that “knowledge” is somehow inherent in the concept of sacrifice, I would argue that the “reasonable expectation of privacy” test, against which Dean Chemerinsky advocates, at least contemplates “knowledge” by identifying instances where I am not entitled to it.

In other words, by identifying that there are circumstances under which our expectation of privacy would be “unreasonable,” the Court has effectively determined that we are not entitled to knowledge of government intrusion in those cases.  Thus, the Supreme Court has apparently drawn a line between security and privacy for us.

For example, when the NSA collects metadata from my phone calls, I am still sacrificing some of my privacy in the name of increased security even if I do not have true knowledge that it is occurring.  This is because, under the Katz standard, any expectation of privacy I have over that data would be unreasonable.  Am I entitled to “knowledge” if I don’t have a reasonable expectation to privacy?  When we think about it in this context, perhaps the Katz standard can be effectively applied in the technological or cyber realm.


Tags: ,

Cyber Proliferation and Export Controls – New Report Outlines The State of Play

Covering our previous posts on cyber proliferation and export controls (Wassenaar Agreement, Hacking Team, Exploit Sales, i.a.), this research paper provides a comprehensive political and technological analysis of current regimes in place in the United States, Great Britain, and in Germany, which relate to the export of surveillance technology. The report has been published in March as a joint research project of the New America Foundation, the Open Technology Institute, Privacy International, and Digitale Gesellschaft.

Bildschirmfoto 2014-04-19 um 15.46.24

The authors conducted their research guided by the insight that government regulation may have negative impacts on technological innovation and trade, pointing out concerns and ensuring “targeted and careful policy analysis to avoid negative consequences. As a key finding, the authors conclude that

existing export control regulations have become out-dated and have not kept up with new technology.



Tags: , , , ,

The FBI’s Role in Cybersecurity

Today, Richard P. Quinn, National Security Special Agent in Charge for the FBI’s Philadelphia Field Office, gave a statement before the House Homeland Security Committee, Subcommittee on Cyber Security, Infrastructure Protection, and Security Technologies.  In the statement, Quinn outlined the FBI’s role in cybersecurity.  Here are the takeaways:

  • The Cyber Threat and the FBI Response.  Recognizing the broad range of entities that present a cyber threat–state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists–the FBI is: (1) “prioritizing high-level intrusions”; (2) working in cooperation with federal, state, and local Cyber Task Forces and through the National Cyber Investigative Joint Task Force (NCIJTF); (3) partnering with the private sector; and, (4) coordinating overseas cyber investigations and supporting key partners, such as The Hague.
  • Recent Successes.  To name a few:
    • By “targeting infrastructure [the FBI] believe[s] has been used in distributed denial of service (DDoS) attacks[,]” the FBI has enabled “foreign partners to take action” and reduced the “effectiveness of the botnets and the DDos attacks[]“;
    • Operation Clean Slate–an FBI Cyber Division initiative to disrupt and dismantle botnets threatening US security–”to date . . . has resulted in several successes[,]” including the disruption of Citadel Botnet and ZeroAccess Botnet;
    • Aleksandry Andreevich Panin pled guilty in January of this year to conspiracy to commit wire and bank fraud, charges arising from his role in developing Spyeye, which is “malicious software” that “infected more than 1.4 million computers.”
  • Next Generation Cyber Initiative.  Briefly, “[t]he FBI’s Next Generation Cyber Initiative, which [it] launched in 2012, entails a wide range of measures, including focusing the Cyber Division on intrusions into computers and networks–as opposed to crimes committed with a computer as a modality; establishing Cyber Task Forces in each of [the FBI's] 56 field offices to conduct cyber intrusion investigations and respond to significant cyber incidents; hiring additional computer scientists to assist with technical investigations in the field; and expanding partnerships and collaboration at the NCITJF.”
  • Private Sector Outreach.  “The FBI’s newly established Key Partnership Engagement Unit (KPEU) manages a targeted outreach program focused on building relationships with senior executives of key private sector corporations.  Through utilizing a tiered approach, the FBI is able to prioritize our efforts to better correlate potential national security threat levels with specific critical infrastructure sectors.”


You can read the full statement here.


Tags: , ,

Cyber Round Up: SCOTUS Denies Klayman’s Request; China Concerned About Growing Number of Cyber Warriors; Vanity Fair Exclusive with Snowden

  • Presiding Foreign Intelligence Surveillance Court Judge Reggie Walton was misled by Department of Justice officials resulting in an erroneous ruling on March 7 that the government should not be permitted to store phone records longer than five years, U.S. News reports.  Specifically, DOJ officials failed to inform the Court of preservation of evidence orders issued against the NSA.  Without this information, Judge Walton deemed the government’s fear of penalties for deleting older records “far-fetched.”  Judge Walton has ordered an apology and explanation from the DOJ, the article further explains.


  • According to the New York Times, in an attempt to relieve some of China’s concerns over the U.S.’s intent to triple the number of cyberwarriors it employs by 2016, the Obama Administration has “quietly held an extraordinary briefing for the Chinese military leadership on . . . the Pentagon’s emerging doctrine for defending against cyberattacks against the United States—and for using its cyber technology against adversaries, including the Chinese.”  The Times further reports that Defense Secretary Chuck Hagel is concerned about “the growing possibility of a fast-escalating series of cyberattacks and counterattacks between the United States and China.”


  • Jamshid Muhtorov, a Colorado resident charged with providing material support to a terrorist organization, has become the first defendant to challenge the constitutionality of the law authorizing foreign intelligence surveillance without a warrant, the Los Angeles Times reports.  Although Mr. Muhtorov’s defense team has thus far not been allowed to see classified evidence in the case, the team believes Mr. Muhtorov’s phones were secretly tapped and emails read pursuant to this law.




  • The U.S. Army Military Academy at West Point has established a cyber warfare reasearch institute and plans to build “a cyber brain trust unprecedented within the service academies,” according to USA Today.  Through these programs, elite cybertroops will betrained, with seventy-five positions available to scholars of technology, psychology, history and the law, and other relevant areas of expertise over the next three years.


  • According to Ars Technica and an FCC filing, in-flight WiFi provider, GoGo has voluntarily exceded the information sharing requirements imposed by the government, a choice that has been criticized by the ACLU.  GoGo claims its decision was born out of a desire to thwart spammers and protect against other network vulnerabilities.



Tags: , ,

Cyber Round Up: Reactions to NSA Reform Proposal

As promised, here is a mini round up detailing the public’s response, generally, to President Obama’s NSA reform proposal:

  • The Hill reports that Obama’s proposal is “sure to come under fire as it heads to Congress.”  The report notes several possible reasons.  Here are a few:

(1) Although lawmakers have generally expressed support for the idea of ending collection and storage of metadata, there is disagreement over the proper manner in which government agents should be permitted to search for records.

(2) Some have expressed concern over the proposal’s failure to address other “symptom[s] of the NSA’s overreach.”  As Kevin Bankston, policy director of the New America Foundation’s Open Technology Institute reportedly put it, “Any proposal to address the problem of bulk data is fatally incomplete if it doesn’t prohibit bulk collection of any kind of record under any of the NSA’s different legal authorities.”

(3) “A big factor affecting the outcome of the president’s proposal is who gets authority.”  This is because, as the article explains, the Judiciary Committee would traditionally have jurisdiction over matters concerning foreign intelligence.  But, the House Intelligence Committee “was given primary authority over its leaders’ bill[.]”

This last point brings me to the next article I want to highlight.

  • Politico reports that Bob Goodlatte (R-Va), House Judiciary Committee Chairman, declared his intent to “fight any effort to move [NSA] surveillance reform legislation to the House floor without going through his panel.”  Goodlatte further indicated that, although input from the House Intelligence Committee is welcomed, the Judiciary Committee should be the central venue in charge.
  • In a separate article, Politico identifies an additional hurdle—“no major force pushing for the changes.”  As the report explains, the NSA’s Section 215 authority is set to expire in June of next year; however, “rank-and-file lawmakers . . . caution that there’s no serious pressure coming from home to support the kinds of changes Obama wants.”
  • Alex Jones’ Info Wars has also come out and criticized private companies for failing to take a more active approach in order to force legislation on this issue.  Trevor Timm of the London Guardian stated, Facebook and others are “holding fire” when it comes to pushing reform on the hill.  But, “[t]he keepers of the everyday [I]nternet seem to care more about PR than helping their users.  The truth is, if the major tech companies really wanted to force meaningful surveillance reform, they could do so tomorrow.”
  • The Brennan Center’s Elizabeth Goitein has also identified what some believe is a hole in the President’s proposal, MSNBC reports.  “The problem is there are no meaningful limits on what [the government] can do with [the] data, the only limits are on what they have to do to get the data,” Goitein reportedly said.


How Snowden Divides the German NSA Inquiry Panel

On March 20, 2014, the German Bundestag, the country’s federal parliament, formed a parliamentary investigative commission to probe the surveillance activities of the 5-eyes states, in particular of the National Security Agency (NSA) and the British Government Communication Headquarters (GCHQ), that targeted and involved Germany. The inquiry panel has taken up work, as the German Attorney General has filed charges neither against the NSA, nor against the German government. In February, the Chaos Computer Club and the International Federation for Human Rights filed a criminal complaint against the German government (we blogged about that matter 8 weeks ago).

Germany’s international news outlet Deutsche Welle (DW) covers the investigation in English. As the commission has not been able yet to agree on what role Edward Snowden should play in the process, DW reported two days ago about the resignation of its chairman Clemens Binninger. “A parliamentary inquiry’s first order of business should not be to serve party-political profiling,” Binninger said according to DW, referring to the unresolved question if Snowden should be heard as a whiteness or not. The oppositional Green and Left Party representatives are pressing to summon Snowden as a crucial whiteness. In contrast, the representatives of the ruling Christian and Social Democrat party factions delayed the decision and will, so DW, not take it until after Chancellor Merkel’s visit to the United States in 3 weeks.

It is worth following the happenings on the inquiry panel, as, to me, they reflect the dilemma of German politics to resolve the contradicting interests of a flawless examination of the 5-eyes’ invasive intelligence collection and keeping the diplomatic relationship with the United States in good terms.



Tags: , ,

The Heartbleed Bug and the Political Implications of Vulnerability Management

Today, the Canadian Broadcasting Corporation (CBC) recounted the happenings around the Heartbleed Bug, a pervasively occurring vulnerability of the widespread OpenSSL cryptographic software that was revealed by Google and a Finnish security firm on Monday. Along with the public notification, the information website was established, explaining that “[t]he Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software[,]” allowing attackers to eavesdrop on communications and steal sensitive data among others. On his security blog, cryptography guru Bruce Schneier mentioned 500K sites to be vulnerable, classifying the level of how catastrophic the event is on a scale from 1 to 10 as 11.

I found that the coverage of the incident gained another momentum just a few hours ago, when Bloomberg reported that the National Security Agency (NSA) had exploited the vulnerability for “at least two years [...] and regularly used it to gather critical intelligence,” according to “two people familiar with the matter.” USA today cited an official statement of the NSA denying knowledge of the Heartbleed Bug.


Reviewing the news of this week, two major implications in terms of cyber security policy seem to be represented by the Heartbleed Bug:

  1. As CBC mentioned: “Disclosing a web problem also means alerting hackers.” The more widespread the vulnerability, the less co-ordinated the patch. This can lead to differing times of exposure to the alerted hackers. On the one hand, the many users of the vulnerable systems (e.g. different banks, or the website of the Canadian Revenue Agency, which has been compromised) patch the vulnerability at different times. On the other hand,  user notification about potential compromises happens at varying paces.  As a result of the Heartbleed disclosure, so CBC, “there has been confusion among consumers about what they should be doing, including whether they should be altering their passwords.” For more on the issue of breach notification on Crossroads, follow this link.
  2. Regardless if the NSA knew about Heartbleed and exploited it or not, intelligence collection does use exploits to accomplish its mission (see also our coverage of exploits in cyber security). The dilemma is as obvious to me: national security interests confront those of millions of users who rely on a system which is known to be insecure to those who are tasked to guard them.



Tags: , ,

Symposium Tomorrow: “The Constitutionality and Consequences of America’s Use of Drones and the NSA Spying Program”

Western State University’s Law Review is hosting a symposium tomorrow entitled, “The Constitutionality and Consequences of America’s Use of Drones and the NSA Spying Program.”  Dean at University of California–Irvine School of Law, Erwin Chemerinsky, will be the keynote speaker.  The symposium, moderated in part by Professor Ryan T. Williams, will also feature two distinguished panels. The first panel is on the lethal use and legality of unmanned aerial vehicles and, later, there will be a panel on the NSA surveillance programs.

The latter panel, on which this blog’s administrator, Professor William C. Snyder, will sit as a contributor, will analyze the current NSA surveillance programs through the lens of constitutional law, the proper scope of the public’s knowledge on NSA and other government surveillance programs, and the hot and ever-controversial issue of whether Edward Snowden is a patriot or a villain.

The symposium tomorrow, April 12, will run from approximately 8:30am until 5pm at Western State University College of Law.



Next Page »


Untitled Document
Tara J. PistoreseTara J. Pistorese

holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington. Full biography

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.) Full biography

Professor William Snyder

Professor William C. Snyderis a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.