Government Hacking.

Author: Jonathan Mayer

AUTHOR. Cyber Initiative Fellow, Stanford University; Assistant Professor of Computer Science and Public Affairs, Princeton University (effective March 2018); J.D., Stanford Law School; Ph.D. candidate, Stanford University Department of Computer Science. The author currently serves as a Legislative Fellow in the Office of United States Senator Kamala D. Harris. All views are solely the author's own and do not reflect the position of the United States government. This work draws upon conversations at the Federal Judicial Center Fourth Circuit Workshop, Federal Judicial Center Sixth Circuit Workshop, Federal Judicial Center Ninth Circuit Mid-Winter Workshop, Federal Judicial Center Workshop for United States Magistrate Judges, the Privacy Law Scholars Conference, and the Rethinking Privacy and Surveillance in the Digital Age event at Harvard Law School. The project benefits from the wisdom and feedback of countless colleagues, including Julia Angwin, Kevin Bankston, Dan Boneh, Ryan Calo, Cindy Cohn, Laura Donohue, Hanni Fakhoury, Nick Feamster, Ed Felten, Laura Fong, Jennifer Granick, James Grimmelmann, Marcia Hofmann, Orin Kerr, Mark Lemley, Whitney Merrill, John Mitchell, Ellen Nakashima, Paul Ohm, Kurt Opsahl, David Pozen, Chris Riley, Barbara van Schewick, Michael Shih, David Sklansky, Peter Swire, Elisabeth Theodore, Lee Tien, George Triantis, and Tyce Walters. The editors of the Yale Law Journal, led by Jeremy Aron-Dine, provided invaluable recommendations on the Article's substance and organization. The author is especially grateful to the federal judges, attorneys, and law enforcement officers who informed this Article's discussion of the law, policy, and technology issues associated with government hacking.

ARTICLE CONTENTS

INTRODUCTION

I. IS LAW ENFORCEMENT HACKING A FOURTH AMENDMENT "SEARCH"?
  A. The Technical Architecture of Government Malware
    1. Delivery
    2. Exploitation
    3. Execution
    4. Reporting
  B. Conventional Methods for Obtaining Electronic Evidence and Corresponding Perspectives on Fourth Amendment Privacy
    1. Physical Access to an Electronic Device and the Device-Centric Perspective
    2. Remote Access to Information via a Third Party and the Data-Centric Perspective
  C. Obtaining Electronic Evidence by Hacking
    1. The Easy Scenarios: Physical Access or Content
    2. The Hard Scenario: Remote Access to Metadata
      a. A Plausible Position: No Fourth Amendment Protection
        i. Mobile Phone Location Tracking
        ii. ISP Surveillance
        iii. Mobile Phone Serial Numbers
        iv. Payment Card Magnetic Stripes
        v. Placing Telephone Calls
      b. A Better Position: The Fourth Amendment Protects Logical Integrity
        i. Katz v. United States
        ii. Riley v. California
        iii. Cloud Service Searches and United States v. Warshak
        iv. The Consent-Based Limiting Principle for Constitutional Information Privacy
        v. Policy Considerations

II. RULES FOR MALWARE
  A. Initiating a Search
  B. Probable Cause and Particularity
  C. Venue
  D. Search Duration
  E. Notice
  F. Super-Warrant Requirements
  G. Policy Arguments in Favor of Always Requiring a Super-Warrant

III. LESSONS FOR FOURTH AMENDMENT THEORY
  A. The Interbranch Dynamics of Surveillance Regulation
    1. Competing Judicial and Scholarly Perspectives
    2. The Executive Branch Can Self-Regulate Privacy Practices Through Interagency Processes
    3. Executive Branch Privacy Protections Can Exceed Judicial and Legislative Protections
    4. Courts Exhibit Regulatory Capture in Law Enforcement Surveillance Litigation
    5. Courts Are Capable of Understanding Novel Surveillance Technology
    6. Congress Is Not Taking Action
  B. Equilibrium-Adjustment and Substitution Theories Are Indeterminate and Risk Misleading Courts
  C. Positive Law Is a Factual Guide, but Not Necessarily a Legal Guide, for Constitutional Articulation

CONCLUSION

APPENDIX

"Hacking devices,... of course we do it...." --James Baker, General Counsel, Federal Bureau of Investigation (1)

INTRODUCTION

Timberline High School was gripped by panic. (2) In the span of just over a week, the suburban Washington school had received nine anonymous bomb threats, prompting repeated evacuations and police sweeps. (3) The perpetrator taunted academic administrators with a slew of emails, and he spooked students from a threatening social network account. (4) He also knocked campus computer systems offline. (5)

Local police and the county sheriff were stumped. Officers had obtained information about the perpetrator's network access and accounts, but the traffic was routed through a pair of computers in Italy and the Czech Republic. (6) After exhausting their conventional investigative tools, the local authorities called in the FBI. (7)

One week later, FBI agents penned a fake Associated Press article about the incident. (8) They drafted the title and content to pander to the hoaxer's ego, portraying him as a tech-savvy prodigy who had outwitted the local authorities. (9) Then, they sent a link to the hoaxer's social network account, hoping he would click. (10)

He took the bait. When he loaded the news story, he unwittingly installed FBI malware--which surreptitiously circumvented security protections in his web browser, bypassed his proxy connection through Italy, and reported his Internet Protocol (IP) address to an FBI server in Virginia. (11) An FBI agent forwarded the IP address to local police, who determined it was associated with a Comcast broadband subscriber. They issued an exigent request to Comcast, which quickly responded with an account name and address. (12)

Hours later, just after midnight, a SWAT team raided the residence. (13) They discovered a teenage student who attended Timberline High. (14) He immediately admitted culpability. (15)

Law enforcement malware is not new. (16) The earliest reported case is from 2001, when FBI agents snuck into a mafioso's office and installed a system for recording keystrokes. (17) What is new is how often federal law enforcement is deploying malware. (18)

Over the past decade, privacy and security technologies have become much easier to use. Individuals and businesses are rapidly adopting technical protections, especially in the wake of the Edward Snowden leaks. Usage of the Tor anonymization software, for example, has roughly doubled since fall 2013. (19) Apple has made storage encryption the default for macOS and iOS devices, protects iMessage conversations with end-to-end encryption, and is moving toward greater hardware protections for data. (20) Google has mostly made storage encryption the default for Android devices. (21) Facebook offers optional end-to-end encryption for messages on its social network and automatic end-to-end encryption for messages sent via its WhatsApp messaging app. (22)

These privacy and security technologies provide legitimate and important protections. But they also inhibit tried-and-true law enforcement techniques. Investigators used to be able to subpoena an Internet Service Provider (ISP) for an online suspect's identity; internet anonymization software makes that impossible. Investigators used to be able to serve a search warrant or wiretap order on a cloud service to obtain a suspect's online communications; end-to-end encryption makes that impossible. Investigators used to be able to seize a suspect's computer and smartphone and search their data contents; device encryption makes that impossible. The law enforcement community refers to this trend as "going dark," and it has sought assistance from technology firms and legislatures to reverse the trend. (23)

There is, to be sure, an ongoing and lively debate over the extent to which law enforcement agencies are actually "going dark" and how law and policy should respond if they are. (24) One aspect of the debate is indisputable: certain law enforcement techniques for electronic searches and seizures are no longer effective, and the natural substitute for those techniques is hacking. (25) If the government cannot learn a suspect's identity from his ISP, it can break into his computer and retrieve identifying information. If the government cannot obtain a suspect's communications from his cloud services, it can break into the suspect's computer, retrieve stored communications, and intercept future conversations. If the government cannot read the encrypted data stored on a suspect's devices, it can break into those devices to extract unencrypted data or the cryptographic material necessary for decryption. These substitution effects are not hypothetical--they are happening today. The FBI has already deployed malware to investigate a wide range of offenses, including loansharking, harassment, extortion, fraud, and child pornography. As security and privacy technology becomes more prevalent, law enforcement hacking will only become more commonplace.

The rapid rise of government malware has, surprisingly, only just begun to capture judicial attention. Through 2015, there were only a few federal opinions on the practice. (26) In 2016 and 2017, there were nearly a hundred (see Figure 1). (27) Scholarly treatment of the subject remains scattershot. (28)

This Article aims to begin filling the analytical void, offering guidance for courts and enriching dialogue with policymakers and scholars. (29) It also draws upon law enforcement hacking as the latest flashpoint for electronic surveillance, using the practice to illuminate and advance longstanding scholarly debates about the Fourth Amendment.

The balance of the Article is organized in three Parts. Part I begins with a motivating question of positive law: is government malware necessarily regulated by the Fourth Amendment? The Part provides a technical framework for evaluating government malware and explains how malware lands in a gap in the case law on electronic evidence. This Article respectfully submits that...