A Minnesota judge invalidated a warrant that the FBI obtained in the Playpen child pornography case, pointing out that the warrant was invalid from the moment it was requested because of both jurisdictional and particularity issues.
FBI’s Malware-Based NIT
FBI’s Network Investigative Technique (NIT) is a more positive-sounding name for a type of malware the agency uses to infect multiple computers at once to identify their IP addresses. The malware is deployed, for instance, in cases where the FBI wants to deanonymize some Tor users.
The first large-scale attack of this type to become public came to light when the FBI tried to shut down the Playpen child pornography website (after running the site itself, more efficiently, for a couple of weeks in an effort to catch more people who visited it).
The NIT malware targeted over 8,000 computers in 120 countries, which quickly prompted many defense lawyers to make the case that the FBI had no jurisdiction in the first place. Other judges in some of the Playpen cases agreed, but the whole warrant wasn't put into question until it reached Minnesota judge Franklin Noel.
“[T]he Government claims legal authority from this single warrant, issued in the Eastern District of Virginia, to hack thousands of computers in 120 countries and to install malicious software for the purpose of investigating and searching the private property of uncounted individuals whose identities and crimes were unknown to the Government before launching this massive worldwide search,” said judge Franklin Noel.
Agent Macfarlane, who requested the warrant, feigned ignorance, implying that he wasn’t aware that the FBI's NIT malware would go beyond its jurisdiction. Of course, that would mean he had no idea how Tor works in the first place.
However, the whole idea of the Tor network is that it routes people’s connections through multiple countries before reaching the final destination. This is what gives Tor users “anonymity.” It’s unlikely that a law enforcement agent who targets Tor users with techniques specifically designed to catch them wouldn’t know how the tool works.
The judge also didn’t buy Macfarlane’s argument that he unknowingly violated proper procedure under the Rule 41 jurisdictional limits that were still in force when the warrant was requested.
"It was not objectively reasonable for Agent Macfarlane, a 'law enforcement . . . veteran' employed by the FBI 'for 19 years' to believe that the NIT warrant, which he knew could reasonably reach any computer in the world, was properly issued given the specific territorial limits under Rule 41(b) and the language of the warrant itself," said Judge Noel.
"Put differently, it was not objectively reasonable for Agents to believe that a single warrant, which by its terms was explicitly limited to searches in the Eastern District of Virginia, could be used to electronically search Carlson's computer in Minnesota," added Judge Noel.
Rule 41 was changed last year to allow the FBI to go way beyond its jurisdiction with its NIT malware infections, so it’s likely that any new such warrants would not be found invalid for this reason alone. However, warrants requested before Rule 41 was modified should still be affected by the old Rule 41 limits.
NIT Malware Violates Particularity Requirement For Warrants
The judge made another interesting argument, which may also affect future cases in which the NIT was used, even without the previous Rule 41 limits in place. He said that valid warrants require particularity, which means the warrant must name the person under investigation.
The FBI (or any other US law enforcement agency) can’t simply do a dragnet for the information of thousands of people and then look for crimes within that data. Yet that's exactly what the FBI did with its NIT malware, because it didn’t know who it was targeting. This argument could also be used against other mass surveillance techniques, as well as by other defendants who learn that the government used NIT malware against them.