United States v. Levin (and similar cases) (FBI Hacking)

On 10 February 2017, Privacy International filed an amicus curiae brief in U.S. v. Levin in the U.S. Court of Appeals for the First Circuit. On 26 April 2017, Privacy International filed an amicus curiae brief in U.S. v. Werdene in the U.S. Court of Appeals for the Third Circuit. On 18 May 2017, Privacy International filed an amicus curiae brief in U.S. v. Eure in the U.S. Court of Appeals for the Fourth Circuit. On 20 October 2017, Privacy International filed an amicus curiae brief in U.S. v. Tippens in the U.S. Court of Appeals for the Ninth Circuit.

These cases stem from an FBI hacking operation conducted in 2015 pursuant to a warrant issued by a magistrate judge in the Eastern District of Virginia. The warrant authorized the FBI to execute a hacking technique – what it calls a “network investigative technique” (“NIT”) – on untold numbers of computers located anywhere in the world. On the basis of this single warrant, the FBI ultimately hacked over 8,700 computers, in 120 countries and territories. Over 83% of these computers were located outside the United States.

Our briefs draw attention to the international implications of the FBI’s hacking operation. Well-established international law and practice prohibits the government from undertaking law enforcement functions in other countries without those countries’ consent, which there is no evidence the government sought here. This principle is reflected in the warrant authority, which does not permit judges to authorize extraterritorial action. These legal constraints protect against the foreign relations risks incurred when the U.S. acts extraterritorially, risks that are particularly amplified when the U.S. interferes with the devices of thousands of individuals abroad.