Judge: FBI's NIT Warrant Invalid And IP Addresses Do Have An Expectation Of Privacy, But No Suppression Granted
from the good-findings-mixed-with-questionable-conclusions dept
Thanks to the FBI's one-to-many NIT warrant, which was issued in Virginia but reached thousands of computers all over the world, yet another federal judge is dealing with the fallout of the feds' efficiency. Michigan federal judge Thomas Ludington finds plenty he doesn't like about the FBI's malware and the DOJ's defense of it, but still can't quite find enough to warrant suppression of the evidence [PDF link].
Properly stated, the question here is whether the FBI’s NIT warrant so exceeded the limits of the magistrate judge’s jurisdiction and authority or reasonable behavior by law enforcement as to require suppression to deter similar actions in the future. Although the NIT warrant exceeded the scope of Rule 41(b) as it existed at the time, the FBI’s actions in investigating and closing Playpen were reasonable and directed toward securing the judicial review of law enforcement which the Fourth Amendment contemplates. Given the circumstances, suppression is not appropriate.
That being said, the opinion does offer plenty of counters to the DOJ's legal rationale -- something that other defendants in the FBI's massive Playpen investigation might find useful. The court, like others, finds the FBI exceeded the jurisdictional limitations of Rule 41 and no amount of creative phrasing is going to change that.
None of the three bases in Rule 41(b) provided jurisdiction for the magistrate judge to approve the warrant. Rule 41(b)(1) cannot serve as the basis for jurisdiction. Under that provision, a magistrate judge can issue a warrant to seize property “located in the district.” Here, the server housing Playpen had been transported to Virginia by the FBI, but the NIT involved the transmission of information from that server to computers located around the country and then back to the server. The relevant information (or “property”8 ) was the information requested by the NIT from the user’s computer. The NIT cannot be reasonably construed as seizing information “located in the district” even if the request for the information originated from a server in Virginia.
Even if Kahler had some contact with the Playpen server located in Virginia, the information sought by the NIT was all located in Michigan. The mere fact that the information from outside the district was brought into the district cannot satisfy Rule 41(b)(2). If that scenario was sufficient, then there would effectively be no jurisdictional limit on warrants for seizure of personal property, because property can typically be moved.
It also finds -- during its discussion of Rule 41 limitations -- that the DOJ can't justify its defective warrant by claiming the software was merely a "tracking device." The NIT pulled information from a computer -- including information that would ID the user -- and left nothing behind to track further computer "movements." That changes the purpose -- and the scope -- of the intrusion.
The receipt of the username associated with the computer’s operating system goes beyond simple location data to descriptive data regarding the identity of the user. The NIT is more than just a “tracking device”; it is a surveillance device.
Additionally, the entire purpose of the NIT was to interact with a computer and obtain information that was located in another district. Even though the NIT was nominally installed on the Playpen Server, the NIT’s “tracking” functionality occurred in other districts. Finally, the purpose of the NIT was to discover the location of the users accessing Playpen, not track their movement.
The government also argued that even if the warrant was faulty, it was ultimately unnecessary because the information obtained fell under the Third Party Doctrine. The court disagrees (nodding to the Supreme Court's Riley decision), finding that efforts users make to cloak their identity -- even while engaging in criminal activity -- generates a layer of privacy protection under the Fourth Amendment.
The Government argues that, despite using a software which exists only to veil the user’s IP address from prying eyes, the user has no reasonable privacy interest in his or her IP address. This argument has little to recommend it. If a user who has taken special precautions to hide his IP address does not suffer a Fourth Amendment violation when a law enforcement officer compels his computer to disclose the IP address, the operating system, the operating system username, and other identifying information, then it is difficult to imagine any kind of online activity which is protected by the Fourth Amendment. Internet use pervades modern life. Law enforcement, acting alone, may not coerce the computers of internet users into revealing identifying information without a warrant, at least when the user has taken affirmative steps to ensure that third parties do not have that information.
This contrasts with other decisions dealing with the same subject matter, where judges have found there's no expectation of privacy in IP addresses, even when one has taken extra steps to obscure it. Those findings seem logically contradictory, at best. If someone's attempts to keep third parties from obtaining information, this information can't truly be considered held by a third party. Stripping away these efforts turns the FBI into the "third party," and the government isn't allowed to both act as a third party and excuse its actions with the Third Party Doctrine.
But in the end, there's no suppression. As the court points out, two things weigh against suppressing the evidence, even with the warrant being facially invalid under Rule 41. First, the FBI malware only infected registered users visiting the dark web child porn site, which makes the possibility of accidental infection almost nonexistent. Second, the fact that the FBI had no idea where the site's visitors were actually located makes this an inelegant solution to a problem, not a case of judge-shopping for compliant magistrates.
[T]his is not a case where the FBI purposely avoided compliance with the law. The investigation of Playpen was difficult precisely because the FBI had so little information about the location of the users. If the FBI had known where certain users were located but nevertheless chose to seek a warrant in another district, suppression would be appropriate. In that case, the FBI would have purposely skirted the law despite a legal alternative. Kahler’s arguments, if accepted, would imply that the FBI should not have conducted the NIT investigation at all because the users were masking their true location. The FBI’s decision to adopt novel tactics to bring individuals distributing child pornography behind location-concealing software to justice is not inherently troubling behavior.
In the future, the FBI won't have to deal with nearly as many suppression hearings, thanks to changes to Rule 41. These decisions are becoming relics of statutorial limitiations almost as soon as they're issued. Even if courts find the malware deployment to be a search invasive enough to trigger Fourth Amendment protections, the lack of jurisdictional limits going forward will prevent them from being challenged.
Unfortunately, the rule changes are almost guaranteed to encourage more frequent deployments of tools designed to decloak anonymous internet users. The breadth and reach of these warrants will be almost unchecked and that's bad news for activists, dissidents, and others who just want to stay off the internet grid. Sure, it's also bad news for child porn fans, but child porn, terrorism, drug warring, etc. is where these efforts start. It's seldom where they end.