Two More Courts Find In Favor Of The FBI And Its NIT Warrant; No Suppression Granted

from the malware-deployment-is-a-go dept

Two more rulings on suppression motions in FBI Playpen cases have been handed down. (h/t Riana Pfefferkorn) The ruling [PDF] in Tennessee agrees with the defendant that the FBI’s NIT warrant exceeded Rule 41 jurisdiction limits. The following quotes are from the more substantive “Report and Recommendation” [PDF] by the magistrate judge, which has been adopted by the court overseeing the criminal trial.

The undersigned agrees with the majority of courts to analyze the Virginia search warrant that it violates Rule 41(b) because the magistrate judge in the Eastern District of Virginia lacked authority to issue a search warrant to search property located outside of her district.

Defendant’s computer was never located in the Eastern District of Virginia. See Fed. R. Crim. P. 41(b)(1) & (2). Moreover, the FBI was not investigating a crime of terrorism in the Eastern District of Virginia, nor was it attempting to seize property located in a United States territory or foreign state. See Fed. R. Crim. P. 41(b)(3) & (5). The Government argues that Rule 41(b)(4) is persuasive because the NIT is analogous to a tracking device, which was installed on the Defendant’s computer when his electronic transmission “touched down” in the Eastern District of Virginia, where Playpen was hosted. However, as observed by the Western District of Washington, applying Rule 41(b)(4) to the Virginia warrant “stretches the rule too far…”

That being said, the court decides suppression is not the right remedy for this violation:

In balancing the present facts and circumstances, the magistrate judge first correctly concluded that suppressing the evidence in this case would not meaningfully deter future law enforcement misconduct. The defendant’s objections that officers acted deliberately, recklessly, or with gross negligence, and that it should have been apparent to law enforcement that the Virginia magistrate lacked authority to sign the warrant, are simply unsupported by the record.

[…]

To the extent that there was error in this investigation, such error “rests with the issuing magistrate, not the police officer, and ‘punish[ing] the errors of judges’ is not the office of the exclusionary rule.”

Interestingly (and a bit infuriatingly), the court grants good faith to the FBI for its apparent inability to fully comprehend the “intricacies of the jurisdictions of federal magistrates.” This gives the FBI credit for pretending to misunderstand the very statutes it’s in the process of trying to change. The FBI — and the DOJ above it — very much want the jurisdictional limitations of Rule 41 removed precisely for cases like these: where a search and seizure is performed on remote computers located far outside the jurisdiction where the warrant was issued.

The Nebraska decision [PDF] is much, much worse. First, the court finds there’s no expectation of privacy in an IP address, even if the defendant has taken affirmative steps to obscure it.

With or without Tor, Defendant was sharing his IP address with others—total strangers, to potentially include law enforcement officers—with the hope and belief that the users of the first “node” computer would keep his IP address secret. While Defendant’s choice to use Tor may be evidence of his “actual, (subjective) expectation of privacy” in his IP address, using Tor does not elevate that expectation to “one that society is prepared to recognize as ‘reasonable.’”

Not only that, but the court rules the NIT is not a search (nor a “tracking device,” as the government argued in the Tennessee case), even though it had to extract this information from the user’s computer.

But deploying the NIT to reveal the IP address was not a computer search. Defendant’s IP address is not a “physical component” of the computer or a file residing on his computer like electronic documents or pictures. Rather, the IP address is assigned to a user by the ISP and typically is “maintained on the internet modem that connects an internet device to the internet.” Thus, the NIT essentially compelled Defendant’s computer to produce its IP address (similar to a return address on an envelope) when the NIT instructed the computer to send other information identified in the Virginia Warrant. And the NIT was deployed only after Defendant sought out and visited the Playpen website. “The FBI did not come looking for Defendant. Instead it waited until he came to them and engaged in illicit activity by downloading content from Playpen.”

And here we have another reason why digital-to-analog comparisons so often fail. Comparing the compelled production of an IP address to a return address on an envelope is a non-starter because utilizing the postal service does not require the use of a return address, whereas an internet connection almost always requires an IP address.

Worse, the opinion cites Virginia judge Henry Morgan Jr.’s decision in another Playpen case — where he asserted the FBI could hack computers with invalid warrants because, hey, computers get hacked all the time.

See also Matish, — F. Supp. 3d —, 2016 WL 3545776 at *22-24 (holding that with the prevalence of computer hacking and the “compromise of unprecedented amounts of data previously thought to be private,” all individuals have a diminished expectation of privacy once they log onto the internet.)

The court also finds that the FBI’s NIT reach didn’t exceed Rule 41 geographical limitations. Instead, the defendant made a virtual “trip” to the warrant’s jurisdiction to access content stored on the seized server.

Finally, even if the defendant had raised a Fourth Amendment challenge the court found valid, the good faith exception would have prevailed. As in the Tennessee decision, the court finds the FBI held up its side of the deal by providing the magistrate with an affidavit full of technical language and specifics about the search method to be deployed.

This appears to be the broader finding across the large number of Playpen/NIT cases. The FBI’s warrant may be invalid but either there’s no expectation of privacy in the information obtained or the good faith exception prevents suppression of the obtained evidence.

The former is less problematic than the latter. While some users may undertake efforts to obscure their IP addresses, their expectation of privacy is no more “reasonable” than that of those who don’t. Either the info has an expectation of privacy or it doesn’t. The legal justifications used by judges, however, haven’t been all that great, with the worst being that having your anonymity stripped and your information absconded with is just the price of doing business on the internet — whether it’s a criminal or law enforcement performing the actions apparently matters very little.

The latter part — the reliance on the FBI’s good faith — is more of an issue. The FBI clearly knew its NIT would travel far beyond the jurisdiction the warrant was issued in. It apparently felt that it benefited heavily from good faith rulings as it made little attempt to obscure this fact from the magistrate judge it presented its affidavit to. But it still withheld some information, including the fact that it would actually be delivering a malware package that would “phone home” once it reached its destination. Just because the search sort of originated at a seized server in Virginia does not excuse seizures performed all over the nation utilizing a single, jurisdictionally-limited warrant.






Comments on “Two More Courts Find In Favor Of The FBI And Its NIT Warrant; No Suppression Granted”

16 Comments
Anonymous Coward says:

The exclusionary rule is there to prevent misbehavior by law enforcement. Misbehavior by judges? Their attitude is apparently that it can’t happen. They can only make mistakes, and would never ever have a motive to violate someone’s rights.

But, now that there is an obvious precedent that they can’t do this, perhaps if they ever try this again it WILL be suppressed, and the FBI won’t get away with saying it didn’t know.

Anonymous Coward says:

Re: Re: what did you expect?

Well… it’s fucking working. The founders are generally hated and ignored for their extensive wisdom.

As one of the few that understand the Constitution, its purpose and having read the founders on multiple subjects I feel as though I am surrounded by very spoiled fucking idiots that have just exactly no clue how much they are fucking this shit up with their ignorance and hubris!

The constitution is clear as a fucking bell, however many have “allowed” those in power to pull the wool over their eyes for political expediency.

That One Guy (profile) says:

Re: My Take on the first case's response

Pretty much. “Yeah they broke the law, but punishing them for doing so isn’t likely to result in them doing anything different next time, so we won’t bother.”

An argument like that makes it pretty clear that the judge sees nothing wrong in breaking the law if the ones doing so have a badge.

Uriel-238 (profile) says:

Re: Re: My Take on the first case's response

Suppressing evidence is not punishment for the FBI, it’s the protection of the rights of the people.

And if anything, it’s punishment for the state as a whole, for allowing the FBI to continue with its blase attitude regarding proper procedure.

If this doesn’t change the FBI’s behavior, then continued enforcement of the fourth amendment would push the rest of the system to change the FBI.

…or they can settle for a short term victory at the expense of further damage in the future.

Uh Huh says:

The Big Bang

What it ultimately comes down to is: Power comes from the barrel of the biggest, baddest (fill in the blank), which is directed by the persons having the most (fill in the blank), usually obtained by clandestine, criminal, predatory activities, and executed by minions of limited intellectual and moral capacity, of which there is an abundance without end. Have a nice day.

Anonymous Coward says:

Re: The Big Bang

and executed by minions of limited intellectual and moral capacity

This should read more like…

“and executed by opportunistic minions of limited moral capacity”

There are many very intelligent “minions” taking their slice of the pie as they pass it along to the “big man”, so it’s not entirely fair to plaster them all as low intelligence.

Uriel-238 (profile) says:

Re: The Big Bang

Free states have to be protected. Otherwise it falls back to feudalism and divine right (e.g. the right of might).

Our nation of men is the natural state. We do what is possible. Those with power dominate those without.

But then they can’t really complain when terrorists fly planes into buildings or madmen shoot up schools can they? Hatred-fueled subterfuge and having no moral high ground is the consequence of ruling by force.

Christenson says:

Dear Judges:

Dear Judges:
The FBI concealed material facts from the magistrate. Think through the implications of that — if they are willing to lie to judges (not only about this, but also “parallel construction”) — then *no* evidence they give can be credible! Falsus in Unum, Falsus in Omnes has been in many a jury instruction, and it should apply to the FBI just as it does any other witness.

The FBI has basically chosen some people to destroy; whether they are actually bad people who did what they claim has become completely immaterial to them, and you should treat their testimony accordingly.
