Congress Shouldn't Let Justices Make the Rules
The most dramatic moment of my legal education came when Professor Owen Fiss of Yale Law School threw his paperback copy of the Federal Rules of Civil Procedure 25 feet across a classroom into a waiting trash can.
It wasn’t just the eminent scholar’s aim that impressed me, but his point: that the federal rules of procedure are basically unconstitutional because of the way they’re adopted. Instead of being enacted by Congress and signed by the president like ordinary laws, procedural rules are written by the unelected Supreme Court, which transmits them to Congress, after which they ordinarily go into effect without change.
Yet rules of procedure are among the most important sources of law. My teacher’s lesson came immediately to my mind when I read that last Friday, the court sent Congress proposed amendments to the Federal Rules of Criminal Procedure that will make it easier for the government to hack into computers all over the country with the issuance of a single warrant by a single magistrate judge.
The proposal won’t be found unconstitutional by the court, you can bet – after all, the court made it. But it should be challenged in Congress, because it will change the balance between privacy and warrants executed by the government.
The key amendment, to Rule 41 of the criminal procedure rules, gives the authority to any magistrate judge “to issue a warrant to use remote access to search electronic storage media” both “within or outside” the magistrate’s own district, under two conditions. The first is that the relevant computers have been anonymized. The second is where an illegal hack has affected computers in five or more different judicial districts.
It’s the first of these that matters. Currently, a magistrate can only issue a warrant authorizing the search of computers within the district where he or she sits. The proposed rule enables the magistrate to issue a single order that would allow the government to hack into computers belonging not only to suspected criminals but also to their victims – which could include millions of users.
The Department of Justice explained that it sought the rule to access data that computer users may be holding in the cloud, outside the physical jurisdiction in which the computers are located. It also said the rule change would be helpful in pursuing botnet crimes in which malware may be spread across many jurisdictions.
The American Civil Liberties Union says that this amounts to a “major reorganization of judicial power.” That seems true. At present, the government has to show probable cause and serve a separate warrant on each service provider if it wants to search a suspect’s data stored through multiple apps or programs. Now it won’t have to do that.
Such a change shouldn’t be made by the Supreme Court without serious consideration by the legislative branch. If the rules governing our privacy are changing, our representatives should weigh in.
The ACLU also says that the new rule erodes the constitutional requirement that a warrant describe the particular places and objects to be searched. That’s not quite apt. A single search warrant has traditionally been able to authorize searches of more than one place -- someone’s home and office, for example -- looking for evidence of crime. Today, my virtual office might be spread across many platforms and locations.
The ACLU also argues that the proposed rule would let the government install malware of its own to download and capture vast amounts of information from huge numbers of computers that might have been the targets of criminal activity. That’s true – but it may be necessary to investigate complicated hacking crimes that are themselves produced by malware. The technical question deserves further consideration by Congress after some serious fact-finding.
Google also objects to the change. The company focuses chiefly on the international scope of the new rule, which would in principle allow the government to search entities abroad pursuant to warrants. That might violate international treaties, Google claims. That’s true technically. But it’s also beside the point, since the Constitution doesn’t require a warrant at all when the government is searching a foreigner abroad. More likely, Google wants to signal to European regulators and consumers that it’s trying to stand up for privacy.
So are these concerns reasons not to adopt the change? Constitutionally, the warrant requirement is the bedrock of privacy. And it won’t be violated here, since the new scope of search will still be pursuant to warrant.
Practically, the new rule will give the government substantial new powers. Those are probably necessary.
But the Supreme Court isn’t the right institution to be making these important changes. Congress should engage and take ownership. That way our collective views will be represented -- and if we don’t like the results, we’ll know whom to blame.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author of this story:
Noah Feldman at email@example.com
To contact the editor responsible for this story:
Jonathan Landman at firstname.lastname@example.org