Friday, April 26, 2013

Trojan Horse Warrant . . . Fail?


A few years ago, I did a post in which I speculated about the possibility of U.S. law enforcement’s using a Trojan Horse or similar program to surreptitiously search, and perhaps, monitor a suspect’s computer.  And a few years after that, I included an expanded version of that analysis in a law review article, which you can find here, if you’re interested.

This post examines a case which seems to involve federal law enforcement’s seeking a warrant to authorize what appears, essentially, to be the type of surreptitious search and monitoring I speculated about in the earlier post and the law review article.

The case is In re Warrant to Search A Target Computer at Premises Unknown, ___ F. Supp.2d ___, 2013 WL 1729765 (U.S. District Court for the Southern District of Texas 2013) (“In re Warrant”).  And this is how the federal district court judge who deal with law enforcement’s request for the warrant noted above described the facts available to him and the nature of the government’s request:

In early 2013, unidentified persons gained unauthorized access to the personal email account of John Doe, an individual residing within the Southern District of Texas, and used that email address to access his local bank account. The Internet Protocol (IP) address of the computer accessing Doe's account resolves to a foreign country. 

After Doe discovered the breach and took steps to secure his email account, another email account nearly identical to Doe's -- the address differed by a single letter -- was used to attempt a sizeable wire transfer from Doe's local bank to a foreign bank account. The FBI has commenced an investigation, leading to this search warrant request. At this point in the investigation, the location of the suspects and their computer is unknown.

The Government does not seek a garden-variety search warrant. Its application requests authorization to surreptitiously install data extraction software on the Target Computer. Once installed, the software has the capacity to search the computer's hard drive, random access memory, and other storage media; to activate the computer's built-in camera; to generate latitude and longitude coordinates for the computer's location; and to transmit the extracted data to FBI agents within this district.

In re Warrant, supra.

The judge then explains that by

[u]sing this software, the government seeks to obtain the following information:

(1) records existing on the Target Computer at the time the software is installed, including:

• records of Internet Protocol addresses used; records of Internet activity, including firewall logs, caches, browser history and cookies, “bookmarked” or “favorite” Web pages, search terms that the user entered into any Internet search engine, and records of user-typed Web addresses;

• records evidencing the use of the Internet Protocol addresses to communicate with the [victim's bank's] e-mail servers;

• evidence of who used, owned, or controlled the TARGET COMPUTER at the time the things described in this warrant were created, edited, or deleted, such as logs registry entries, configuration file, saved user names and passwords, documents, browsing history, user profiles, e-mail contents, e-mail contacts, “chat,” messaging logs, photographs, and correspondence;

• evidence of software that would allow others to control the TARGET COMPUTER;

• evidence of times the TARGET COMPUTER was used; and

• records of applications run.

(2) prospective data obtained during a 30–day monitoring period, including:

• accounting entries reflecting the identification of new fraud victims;

• photographs (with no audio) taken using the TARGET COMPUTER's built-in camera after the installation of the NEW SOFTWARE, sufficient to identify the location of the TARGET COMPUTER and identify persons using the TARGET COMPUTER;

• information about the TARGET COMPUTER's physical location, including latitude and longitude calculations the NEW SOFTWARE causes the TARGET COMPUTER to make;

• records of applications run.

In re Warrant, supra.  (In a footnote, he explains that the warrant has been sealed “to avoid jeopardizing an ongoing investigation”, but the opinion is not because “it deals with a question of law at a level of generality which could not impair the investigation.”  In re Warrant, supra.)

The judge also explains that, in order to accomplish all this, the

Government has applied for a Rule 41 search and seizure warrant targeting a computer allegedly used to violate federal bank fraud, identity theft, and computer security laws. Unknown persons are said to have committed these crimes using a particular email account via an unknown computer at an unknown location.

In re Warrant, supra.  Federal Rule of Criminal Procedure 41, which you can find here, authorizes federal judges, and federal magistrates, to issue warrants that authorize law enforcement officers to search for and seize specified items, assuming, of course, that the application for the warrant is supported by probable cause.  And if you would like to read more about the processes of applying for and executing a warrant, check out the U.S. Department of Justice publication you can find here.

As noted above, the agents and/or prosecutor applying for the warrant argued that this request, while “novel”, falls within the scope of Rule 41, i.e., that the rule allows the court to issue such a warrant. In re Warrant, supra.  The judge found that this argument raised "a number of questions,
including: (1) whether the territorial limits of a Rule 41 search warrant are satisfied; (2) whether the particularity requirements of the 4th Amendment have been met; and (3) whether the 4th Amendment requirements for video camera surveillance have been shown.”  In re Warrant, supra. In this opinion, he analyzes each of these issues, in this order.  In re Warrant, supra.  

As to the first issue, the judge noted that Rule 41(b)(1) “allows a . . . `judge with authority in the district . . . to issue a warrant to search for and seize a person or property located within the district.’”  In re Warrant, supra.  He also noted that while the Government

readily admits that the current location of the Target Computer is unknown, it asserts that this subsection authorizes the warrant `because information obtained from the Target Computer will first be examined in this judicial district.’ . . . Under the Government's theory, because its agents need not leave the district to obtain and view the information gathered from the Target Computer, the information effectively becomes `property located within the district.’ This rationale does not withstand scrutiny.

In re Warrant, supra.  

Later, he explains that under the “Government's logic, a Rule 41 warrant would permit FBI agents to roam the world in search of a container of contraband, so long as the container is not opened until the agents haul it off to the issuing district.” In re Warrant, supra.  He noted that the “search” for which the Government

seeks authorization is actually two-fold: (1) a search for the Target Computer itself, and (2) a search for digital information stored on (or generated by) that computer. Neither search will take place within this district, so far as the Government's application shows. Contrary to the current metaphor often used by Internet-based service providers, digital information is not actually stored in clouds; it resides on a computer or some other form of electronic media that has a physical location. 

Before that digital information can be accessed by the Government's computers in this district, a search of the Target Computer must be made. That search takes place, not in the airy nothing of cyberspace, but in physical space with a local habitation and a name.

Since the current location of the Target Computer is unknown, it necessarily follows that the current location of the information on the Target Computer is also unknown. This means that the Government's application cannot satisfy the territorial limits of Rule 41(b)(1).

In re Warrant, supra.  He also found that the other options codified in Rule 41(b) did not apply here because (i) this was not a terrorism investigation (Rule 41(b)(3); (ii) the warrant did not seek to install and use a tracking device within the Southern District of Texas (Rule 41(b)(4); and (iii) there was no evidence that the Target Computer will be found on U.S.-controlled territory or premises” (Rule 51(b)(5). In re Warrant, supra.  

Next, he considered whether the warrant application satisfied the 4th Amendment’s particularity requirement.  In re Warrant, supra.  As I have noted in prior posts, the 4th Amendment requires that warrants “particularly” describe the place to be searched and the things to be searched for.  In analyzing this issue, the judge noted, again, that “the warrant sought here would authorize two different searches: a search for the computer used as an instrumentality of crime, and a search of that computer for evidence of criminal activity.” In re Warrant, supra.  He also explained that because “the latter search presumes the success of the initial search for the Target Computer, it is appropriate to begin . . . with that initial search.”  In re Warrant, supra (emphasis in the original).

The judge found the government had not satisfied the particularity requirement as to this search because its application for the warrant

contains little or no explanation of how the Target Computer will be found. Presumably, the Government would contact the Target Computer via the counterfeit email address, on the assumption that only the actual culprits would have access to that email account. Even if this assumption proved correct, it would not necessarily mean the government has made contact with the end-point Target Computer at which the culprits are sitting. 

It is not unusual for those engaged in illegal computer activity to `spoof’ IP addresses as a way of disguising their actual on-line presence; in such a case the Government's search might be routed through one or more `innocent’ computers on its way to the Target Computer.

In re Warrant, supra.  And as to the second search, i.e., the search of the computer targeted by the warrant, the judge found that the government had not explained how “its search technique will avoid infecting innocent computers” which could be implicated if, say, the computer was in a workplace or was “used by family or friends uninvolved in the illegal scheme” among other problems. In re Warrant, supra.  

Finally, the judge addressed the issue of “video surveillance,” explaining that the

data extraction software will activate the Target Computer's built-in-camera and snap photographs sufficient to identify the persons using the computer. The Government couches its description of this technique in terms of `photo monitoring,’  as opposed to video surveillance, but this is a distinction without a difference. In between snapping photographs, the Government will have real time access to the camera's video feed. That access amounts to video surveillance.

In re Warrant, supra.  

He noted that, in U.S. v. Biasucci, 786 F.2d 504 (U.S. Court of Appeals for the Second Circuit 1986), the federal appellate court held that video surveillance warrants have to satisfy the requirements of Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S. Code §§ 2510–2520, which governs traditional wiretaps.  In re Warrant, supra.  For a checklist of those requirements, check out this site.  Basically, to obtain a wiretap warrant, an officer has to also provide

(1) a factual statement that alternative investigative methods have been tried and failed or reasonably appear to be unlikely to succeed if tried or would be too dangerous; (2) a particular description of the type of communication sought to be intercepted, and a statement of the particular offense to which it relates; (3) a statement of the duration of the order, which shall not be longer than is necessary to achieve the objective of the authorization nor, in any event, longer than 30 days, (though extensions are possible); and (4) a statement of the steps to be taken to assure that the surveillance will be minimized to effectuate only the purposes for which the order is issued.

In re Warrant, supra.  

He found the Government’s application for this warrant failed to satisfy requirements (1) and (4).  In re Warrant, supra.  As to (1), the application for the warrant did not explain why other methods were unlikely to succeed and/or would be dangerous.  In re Warrant, supra.  And this, according to the opinion, is what the application said about (4) -- minimization:

`Steps will be taken to assure that data gathered through the technique will be minimized to effectuate only the purposes for which the warrant is issued. The software is not designed to search for, capture, relay, or distribute personal information or a broad scope of data. The software is designed to capture limited amounts of data, the minimal necessary information to identify the location of the TARGET COMPUTER and the user of TARGET COMPUTER.’

In re Warrant, supra.  

The judge found that “the breadth of data authorized for extraction in the proposed warrant” (see above) “fatally undermined” the Government’s assurances that it the software would “capture only limited amounts of data” from the Target Computer.  In re Warrant, supra.  He also noted that “given the unsupported assertion that the software will not be installed on `innocent’ computers or devices, there remains a non-trivial possibility that the remote camera surveillance may well transmit images of persons not involved in the illegal activity under investigation.”  In re Warrant, supra.  

He therefore denied the Government’s application for the warrant . . . which does not mean that it cannot (i) try again with this judge and/or (ii) try again with another federal judge.  In re Warrant, supra.  

No comments: