Why a Judge Threw Out Evidence From an FBI Mass Hacking Campaign
It involves the seniority of the judge and where exactly the malware's search took place.
On Wednesday, a judge threw out evidence obtained via a piece of FBI malware for the first time. The ruling centered around a warrant used to hack visitors of dark web child pornography site "Playpen," and specifically the seniority of the judge who signed that warrant.
The order came in response to a motion to suppress evidence—in other words, to exclude particular pieces of evidence brought forward by investigators—from the case, and was filed by lawyers for Alex Levin. Investigators searched Levin's residence in August 2015 and found seven illegal videos and a photo on one of his laptops. That search was conducted after the FBI used a network investigative technique (NIT), or hacking tool, on the Playpen site which obtained Levin's alleged IP address.
It's the warrant the FBI used to deploy the NIT which Levin's attorney, J W Carney, Jr., took issue with.
"The Government's search of the defendant's computer, along with those of individuals across the country, was in violation of the jurisdictional requirement for searches under Fed. R. Crim. P. 41 and 28 U.S.C. § 636(a)," he writes.
The two rules he mentions relate to what sort of searches magistrate judges can authorize, and, in short, mean that a magistrate judge can only sign off on seizures that relate to a location within their judicial district. There is a short list of exemptions—such as terrorism cases—but they don't apply here.
The judge who signed the NIT warrant was Magistrate Judge Theresa C. Buchanan in the Eastern District of Virginia (Buchanan's office has repeatedly declined to answer questions from Motherboard over the course of its reporting). In his motion to dismiss, Carney, Jr. writes, "Rule 41 simply does not permit a magistrate judge in Virginia to authorize the search of the defendant's computer located in Massachusetts."
The warrant, Carney, Jr. writes, "inaccurately states that the evidence sought is 'located in the Eastern District of Virginia,'" as this is the district from which the FBI ran the child pornography site in order to deliver the malware. But the actual place to be searched, he argues, was the location of the computers which were infected by the NIT.
William G. Young, the judge who was tasked with assessing the motion to suppress, largely agreed.
"That the Website A server is located in the Eastern District of Virginia is, for purposes of Rule 41(b)(1), immaterial, since it is not the server itself from which the relevant information was sought," he wrote in Tuesday's order.
"Even were the Court to conclude that the Rule 41(b) violation was ministerial, suppression would still be appropriate, as Levin has demonstrated that he suffered prejudice," Young writes. In this context, prejudice means that a defendant was subjected to a search that might not have happened in the first place, if Rule 41—the rule governing judges' reach—had been correctly followed. In this case, that didn't happen, as the search of Levin's house and his laptops was based on the NIT warrant.
Law enforcement is sometimes granted something called the good-faith exception—that is, if the investigators are considered to have acted on what they believed was a legal, robust warrant. But Young writes that even if the good-faith exception could apply to a warrant issued without jurisdiction (he notes that whether the exception can apply where a warrant is void is "an unresolved question"), he wouldn't lean towards it.
"It was not objectively reasonable for law enforcement—particularly 'a veteran FBI agent with 19 years of federal law enforcement experience[,]' […] to believe that the NIT Warrant was properly issued considering the plain mandate of Rule 41(b)," he states.
The Department of Justice, Young writes, claimed that suppressing evidence generated from this warrant would create "an insurmountable legal barrier" to law enforcement who are trying to tackle this sort of crime.
Young, however, disagrees, partly because amendments to Rule 41(b) have been proposed that would allow magistrates to authorize these sorts of cross-state, and even cross-border, electronic searches. These amendments are specifically in response to the rise of anonymity technologies such as the Tor network, or, to quote the proposed amendments, "because the target of the search has deliberately disguised the location of the media or information to be searched." (Levin's attorneys argue that the Government was "clearly aware that the NIT Warrant was not authorized when it made its application in February, 2015" for this reason).
On top of this, Young says the FBI could have approached a district judge, which is a more senior position than a magistrate judge, to fulfill the agency's request. The rules in question, Young writes, say "nothing about the authority of district judges to issue warrants to search property located outside their judicial districts."
He notes that four district judges, and three senior judges, regularly sit in the same courthouse as Judge Buchanan, and the agency used one of the other judges to obtain another warrant to intercept communications on the child pornography site.
In all, Young ordered that all evidence gleaned from the NIT warrant—including the images of child pornography eventually found at Levin's residence—should be excluded.
"Based on the foregoing analysis, the Court concludes that the NIT Warrant was issued without jurisdiction and thus was void ab initio. It follows that the resulting search was conducted as though there were no warrant at all," Young writes.