Court Finds FBI's 'Malware' Deployment To Be Perfectly Constitutional

by Tim Cushing, from Techdirt (#319CN)

The US court system has hosted a large number of lively discussions about the tactics used by the FBI in its Playpen child porn investigation. A lot of new ground was broken by the FBI, not all of it good. First, the agency kept a darkweb child porn site running for two weeks after it seized it. It did this to facilitate the distribution of malware designed to uncover information about the computers (and users) accessing the site.

Adding to the mess was the malware itself. The FBI's Network Investigative Technique (NIT) was deployed across the US (and across the globe) via a single warrant signed by a magistrate judge in Virginia. Plenty of courts have declared the FBI's warrant invalid, as the search performed violated Rule 41's jurisdictional limitations. (Those limitations no longer exist, so chalk up a win for the DOJ.) Many have also called the NIT's extraction of IP addresses and device-identifying info a search. But very few judges have seen fit to suppress the evidence obtained, either finding no privacy expectations in IP addresses or granting the FBI "good faith."

At the appellate level, only two Playpen cases have been heard, but both courts returned decisions in favor of the government. The process continues in full force at the lower levels, where the DOJ is still working its way through the dozens of cases springing from its NIT deployment.

In Texas, a federal judge has decided [PDF] against suppressing evidence obtained with the FBI's NIT. But Judge Xavier Rodriguez does so while using a descriptive term the government vehemently disagrees with. [h/t Brad Heath]

In December 2014, the Government became aware of a website named Playpen that contained child pornography. One of the servers for that website was in North Carolina. Ultimately the Government seized that server pursuant to a warrant, relocated the server to Virginia, and assumed the role of administrator. When the Government was unable to identify the identity of the approximate 150,000 members of the website, the Government obtained a warrant on February 20, 2015 to deploy Network Investigative Technique (NIT) malware. The warrant authorized the search for persons located in the Eastern District of Virginia. The malware, however, reached all computers accessing the website, including Defendant Halgren's computer in San Antonio, Texas.

Through the malware the Government discovered that a user named "Platch" accessed the site, and the Government discovered the IP address associated with "Platch." Defendant Halgren was the user associated with the IP address.

The FBI has argued its NIT isn't malware, even though it seems to fit the description. It's a payload designed to reveal IP addresses and device info without the target's permission or awareness. If deployed by anyone other than the government, the government would take issue with the exploit's operation and delivery method.

Thus end the things the government won't like in this opinion. The judge goes a route few others have, treating the malware like a tracking device. By casting it as something it really isn't, the judge is able to sustain the warrant's viability. If the NIT is a tracking device, no jurisdictional violations occurred. The tracking device simply "traveled" out of the jurisdiction and that can't possibly be the government's fault.

Magistrate Judges have authority "within the district in which sessions are held by the court that appointed the magistrate judge . . . and elsewhere as authorized by law." 28 U.S.C. 636(a). Former Rule 41 that was in effect in 2015 authorized a Magistrate Judge "to issue a warrant to search for and seize a person or property located within the district." The Former Rule 41 provided "exceptions to this jurisdictional limitation for property moved outside of the jurisdiction, for domestic and international terrorism, for the installation of a tracking device, and for property located outside of a federal district. None of these exceptions [in 2015] expressly allow[ed] a magistrate judge in one jurisdiction to authorize the search of a computer in a different jurisdiction."

But see United States v. Darby, 190 F. Supp. 3d 520, 536 (E.D. Va. 2016) ("Rule 41(b)(4) allows a magistrate judge to issue a warrant for a tracking device to be installed in the magistrate's district. Once installed, the tracking device may continue to operate even if the object tracked moves outside the district. This is exactly analogous to what the NIT Warrant authorized. Users of Playpen digitally touched down in the Eastern District of Virginia when they logged into the site. When they logged in, the government placed code on their home computers. Then their home computers, which may have been outside of the district, sent information to the government about their location. The magistrate judge did not violate Rule 41(b) in issuing the NIT Warrant.")

Even if the court had found the warrant invalid (which it didn't), it still would have allowed the FBI to keep the evidence because the Fourth Amendment doesn't cover IP addresses.

Given that the Defendant's IP address was required to be disclosed to various third parties and Playpen to access the website, any subjective expectation of privacy the Defendant may have possessed was not objectively reasonable.

And if that wasn't enough, good faith is also granted, so any lack of a valid warrant still wouldn't have resulted in evidence suppression.

The warrant was not void at its issuance. Even if it had been, the Court concludes that the good faith exception would apply and that suppression would not be warranted."); but see Levin, 186 F. Supp. 3d at 44 (NIT Warrant was issued without jurisdiction and thus was void ab initio and the good-faith exception is inapplicable). This Court disagrees with Levin and the three or four other courts that have ordered suppression. If a judge signed a warrant without the necessary probable cause determination that warrant was akin to being void. But if an officer reasonably relies upon that signing and acts in good faith, Leon holds that the evidence seized should not be suppressed.

This will almost certainly be appealed. There are still plenty of appeals courts left that haven't explored these issues. The first two tries went the government's way, but more eyes on more cases may actually result in a successful suppression effort. The problem is the rules (well, Rule 41 anyway) have changed. Courts may see little value in suppressing evidence the government can now acquire lawfully with last year's Rule 41 changes. The Eighth Circuit Appeals Court came to exactly that conclusion earlier this year.

The thing is, the government should still be deterred from breaking rules they know still exist, even if governing statutes may change in the future. The government hasn't stopped locking up marijuana users and dealers even though legalization in a majority of US states seems inevitable. This standard should be applied to the government by the only entities capable of doing it: the US courts.


