Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web

The use of hacking tools by law enforcement to pursue criminal suspects who have anonymized their communications on the dark web presents a looming flashpoint between criminal procedure and international law. Criminal actors who use the dark web (for instance, to commit crimes or to evade authorities) obscure digital footprints left behind with third parties, rendering existing surveillance methods obsolete. In response, law enforcement has implemented hacking techniques that deploy surveillance software over the Internet to directly access and control criminals’ devices. The practical reality of the underlying technologies makes it inevitable that foreign-located computers will be subject to remote “searches” and “seizures.” The result may well be the greatest extraterritorial expansion of enforcement jurisdiction in U.S. law enforcement history. This Article examines how the government’s use of hacking tools on the dark web profoundly disrupts the legal architecture on which cross-border criminal investigations rest. These overseas cyberoperations raise increasingly difficult questions regarding who may authorize these activities, where they may be deployed, and against whom they may lawfully be executed. The rules of criminal procedure fail to regulate law enforcement hacking because they allow these critical decisions to be made by rank-and-file officials despite potentially disruptive foreign relations implications. This Article outlines a regulatory framework that reallocates decisionmaking to the institutional actors who are best suited to determine U.S. foreign policy and avoids sacrificing law enforcement’s ability to identify and locate criminal suspects who have taken cover on the dark web

Tallinn, Hacking, and Customary International Law

Tallinn 2.0 grapples with the application of general international law principles through various hypothetical fact patterns addressed by its experts. In doing so, its commentary sections provide a nonbinding framework for thinking about sovereignty, raising important considerations for states as they begin to articulate norms to resolve the question of precisely what kinds of nonconsensual cyber activities violate well-established international laws — a question that will likely be the focus of international lawyers in this area for some time to come. This essay focuses on one area of state practice where states are already dealing with these issues: the use of hacking techniques by law enforcement agencies to collect evidence stored on foreign-located computers whose location is unknown at the time of the search. It shows how the resulting cross-border cyber-exfiltration operations are in tension with international legal norms, and face a greater risk of public exposure than those conducted by military or intelligence agencies. It then argues that, for the United States, these potential drawbacks may present an opportunity, by providing a specific context for the articulation of norms in cyberspace

Data Collection and the Regulatory State

The following remarks were given on January 27, 2017 during the Connecticut Law Review’s symposium, “Privacy, Security & Power: The State of Digital Surveillance.” Hillary Greene, the Zephaniah Swift Professor of Law at the University of Connecticut School of Law, offered introductory remarks and moderated the panel. The panel included Dr. Cooper, Associate Professor of Law and Director of the Program on Economics & Privacy at Antonin Scalia Law School at George Mason University, Professor Ghappour, Visiting Assistant Professor at UC Hastings College of the Law, Attorney Lieber, Senior Privacy Policy Counsel at Google, and Dr. Wu, Professor of Law and Faculty Director of the Cardozo Data Law Initiative at Benjamin N. Cardozo School of Law

Data Collection and the Regulatory State

The following remarks were given on January 27, 2017 during the Connecticut Law Review\u27s symposium, Privacy, Security & Power: The State of Digital Surveillance

Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web

The use of hacking tools by law enforcement to pursue criminal suspects who have anonymized their communications on the dark web presents a looming flashpoint between criminal procedure and international law. Criminal actors who use the dark web (for instance, to commit crimes or to evade authorities) obscure digital footprints left behind with third parties, rendering existing surveillance methods obsolete. In response, law enforcement has implemented hacking techniques that deploy surveillance software over the Internet to directly access and control criminals’ devices. The practical reality of the underlying technologies makes it inevitable that foreign-located computers will be subject to remote “searches” and “seizures.” The result may well be the greatest extraterritorial expansion of enforcement jurisdiction in U.S. law enforcement history. This Article examines how the government’s use of hacking tools on the dark web profoundly disrupts the legal architecture on which cross-border criminal investigations rest. These overseas cyberoperations raise increasingly difficult questions regarding who may authorize these activities, where they may be deployed, and against whom they may lawfully be executed. The rules of criminal procedure fail to regulate law enforcement hacking because they allow these critical decisions to be made by rank-and-file officials despite potentially disruptive foreign relations implications. This Article outlines a regulatory framework that reallocates decisionmaking to the institutional actors who are best suited to determine U.S. foreign policy and avoids sacrificing law enforcement’s ability to identify and locate criminal suspects who have taken cover on the dark web

Tallinn, Hacking, and Customary International Law

Tallinn 2.0 grapples with the application of general international law principles through various hypothetical fact patterns addressed by its experts. In doing so, its commentary sections provide a nonbinding framework for thinking about sovereignty, raising important considerations for states as they begin to articulate norms to resolve the question of precisely what kinds of nonconsensual cyber activities violate well-established international laws — a question that will likely be the focus of international lawyers in this area for some time to come. This essay focuses on one area of state practice where states are already dealing with these issues: the use of hacking techniques by law enforcement agencies to collect evidence stored on foreign-located computers whose location is unknown at the time of the search. It shows how the resulting cross-border cyber-exfiltration operations are in tension with international legal norms, and face a greater risk of public exposure than those conducted by military or intelligence agencies. It then argues that, for the United States, these potential drawbacks may present an opportunity, by providing a specific context for the articulation of norms in cyberspace

Data Collection and the Regulatory State

The following remarks were given on January 27, 2017 during the Connecticut Law Review’s symposium, “Privacy, Security & Power: The State of Digital Surveillance.” Hillary Greene, the Zephaniah Swift Professor of Law at the University of Connecticut School of Law, offered introductory remarks and moderated the panel. The panel included Dr. Cooper, Associate Professor of Law and Director of the Program on Economics & Privacy at Antonin Scalia Law School at George Mason University, Professor Ghappour, Visiting Assistant Professor at UC Hastings College of the Law, Attorney Lieber, Senior Privacy Policy Counsel at Google, and Dr. Wu, Professor of Law and Faculty Director of the Cardozo Data Law Initiative at Benjamin N. Cardozo School of Law

Tallinn, Hacking, and Customary International Law

Tallinn 2.0 grapples with the application of general international law principles through various hypothetical fact patterns addressed by its experts. In doing so, its commentary sections provide a nonbinding framework for thinking about sovereignty, raising important considerations for states as they begin to articulate norms to resolve the question of precisely what kinds of nonconsensual cyber activities violate well-established international laws — a question that will likely be the focus of international lawyers in this area for some time to come. This essay focuses on one area of state practice where states are already dealing with these issues: the use of hacking techniques by law enforcement agencies to collect evidence stored on foreign-located computers whose location is unknown at the time of the search. It shows how the resulting cross-border cyber-exfiltration operations are in tension with international legal norms, and face a greater risk of public exposure than those conducted by military or intelligence agencies. It then argues that, for the United States, these potential drawbacks may present an opportunity, by providing a specific context for the articulation of norms in cyberspace