The Yale Law Journal

January 2018

Government Hacking

PrivacyCriminal Procedure

abstract. The United States government hacks computer systems for law enforcement purposes. As encryption and anonymization tools become more prevalent, the government will foreseeably increase its resort to malware.

Law enforcement hacking poses novel puzzles for criminal procedure. Courts are just beginning to piece through the doctrine, and scholarship is scant. This Article provides the first comprehensive examination of how federal law regulates government malware.

Part I of the Article considers whether the Fourth Amendment regulates law enforcement hacking. This issue has sharply divided district courts because, unlike a conventional computer search, hacking usually does not involve physical contact with a suspect’s property. The Article provides a technical framework for analyzing government malware, then argues that a faithful application of Fourth Amendment principles compels the conclusion that government hacking is inherently a search.

Part II analyzes the positive law that governs law enforcement hacking, answering fundamental criminal procedure questions about initiating a search, establishing probable cause and particularity, venue, search duration, and notice. A review of unsealed court filings demonstrates that the government has a spotty compliance record with these procedural requirements. The Article also argues for reinvigorating super-warrant procedures and applying them to law enforcement hacking.

Finally, Part III uses government malware to illuminate longstanding scholarly debates about Fourth Amendment law and the structure of surveillance regulation. Law enforcement hacking sheds new light on the interbranch dynamics of surveillance, equilibrium adjustment theories for calibrating Fourth Amendment law, and the interplay between statutory and constitutional privacy protections.

author. Cyber Initiative Fellow, Stanford University; Assistant Professor of Computer Science and Public Affairs, Princeton University (effective March 2018); J.D., Stanford Law School; Ph.D. candidate, Stanford University Department of Computer Science. The author currently serves as a Legislative Fellow in the Office of United States Senator Kamala D. Harris. All views are solely the author’s own and do not reflect the position of the United States government. This work draws upon conversations at the Federal Judicial Center Fourth Circuit Workshop, Federal Judicial Center Sixth Circuit Workshop, Federal Judicial Center Ninth Circuit Mid-Winter Workshop, Federal Judicial Center Workshop for United States Magistrate Judges, the Privacy Law Scholars Conference, and the Rethinking Privacy and Surveillance in the Digital Age event at Harvard Law School. The project benefits from the wisdom and feedback of countless colleagues, including Julia Angwin, Kevin Bankston, Dan Boneh, Ryan Calo, Cindy Cohn, Laura Donohue, Hanni Fakhoury, Nick Feamster, Ed Felten, Laura Fong, Jennifer Granick, James Grimmelmann, Marcia Hofmann, Orin Kerr, Mark Lemley, Whitney Merrill, John Mitchell, Ellen Nakashima, Paul Ohm, Kurt Opsahl, David Pozen, Chris Riley, Barbara van Schewick, Michael Shih, David Sklansky, Peter Swire, Elisabeth Theodore, Lee Tien, George Triantis, and Tyce Walters. The editors of the Yale Law Journal, led by Jeremy Aron-Dine, provided invaluable recommendations on the Article’s substance and organization. The author is especially grateful to the federal judges, attorneys, and law enforcement officers who informed this Article’s discussion of the law, policy, and technology issues associated with government hacking.