Thursday, July 30, 2015
The United States government hacks computer systems, for law enforcement purposes. According to public disclosures, both the Federal Bureau of Investigation and Drug Enforcement Administration are increasingly resorting to computer intrusions as an investigative technique. This article provides the first comprehensive examination of how the Constitution should regulate government malware.
When applied to computer systems, the Fourth Amendment safeguards two independent values: the integrity of a device as against government breach, and the privacy properties of data contained in a device. Courts have not yet conceptualized how these theories of privacy should be reconciled.
Government malware forces a constitutional privacy reckoning. Investigators can algorithmically constrain the information that they retrieve from a hacked device, ensuring they receive only data that is — in isolation — constitutionally unprotected. According to declassified documents, FBI officials have theorized that the Fourth Amendment does not apply in this scenario. A substantially better view of the law, I conclude, is that the Fourth Amendment’s dual protections are cumulative, not mutually exclusive.
Applying this two-stage framework, I find that the Fourth Amendment imposes a warrant requirement on almost all law enforcement malware. The warrant must be valid throughout the duration of the malware’s operation, and must provide reasonable ex post notice to a computer’s owner. In certain technical configurations, the Constitution goes even further, requiring law enforcement to satisfy an exacting “super-warrant” standard. Reviewing public disclosures, I find that the government has a spotty record of compliance with these foundational privacy safeguards.
Moving beyond established doctrine and current practice, I normatively argue that the super-warrant standard should apply to government hacking. The same considerations that prompted heightened judicial review of wiretapping in the 1960s should prompt close scrutiny of law enforcement malware today.