Constitutional Malware

79 Pages. Posted: 21 Jul 2015. Last revised: 15 Nov 2016.

Jonathan Mayer

Princeton University, School of Engineering and Applied Science, Department of Computer Science; Princeton University, Woodrow Wilson School of Public and International Affairs

Date Written: November 14, 2016


The United States government hacks computer systems for law enforcement purposes. Both the Federal Bureau of Investigation and the Drug Enforcement Administration have adopted computer intrusion as an investigative technique. As encryption becomes more pervasive, and as anonymization tools become easier to use, the government will foreseeably increase its resort to malware.

Law enforcement hacking poses novel puzzles for criminal procedure law, grounded in the Fourth Amendment, the Electronic Communications Privacy Act, the Federal Magistrates Act, and the Federal Rules of Criminal Procedure. Courts are just beginning to piece through the doctrine, and scholarship is scant. This Article provides the first comprehensive examination of how federal law regulates government malware.

The Article’s lead-off contribution is an analysis of whether law enforcement hacking constitutes a Fourth Amendment search, as a matter of positive constitutional law. When applied to modern computing, existing doctrine safeguards two independent values: the integrity of a device as against government breach, and the confidentiality of certain categories of data. Courts have struggled to conceptualize how these theories of privacy are related, and how they should be reconciled.

Government hacking forces a constitutional privacy reckoning. In its most common configuration, law enforcement malware selectively reports from a device, retrieving only data that is — in isolation — constitutionally unprotected. A majority of courts have concluded that this type of hacking falls outside the Fourth Amendment’s privacy protections. This Article respectfully posits that the courts are going astray, and have not recognized that the two theories of constitutional privacy are overlapping and cumulative. Fidelity to doctrine compels the conclusion that law enforcement hacking is necessarily a Fourth Amendment search.

The Article’s next contribution is theoretical. Government malware is the latest flashpoint for electronic surveillance, and it illuminates longstanding scholarly debates about Fourth Amendment law and the structure of surveillance regulation. Law enforcement hacking is a case study in why not to defer to Congress for modern surveillance rules — but also in why the courts are highly imperfect vehicles for developing privacy protections, and in how executive branch policy can exceed judicial safeguards. Government malware also demonstrates the limits of equilibrium adjustment as a mechanism for calibrating Fourth Amendment law. While a useful theoretical construct for tallying up policy considerations, equilibrium adjustment provides no objective guidance — or worse, highly misleading guidance — on the appropriate legal safeguards for modern surveillance techniques. Finally, law enforcement hacking highlights how restrictions on private surveillance can inform the scope of constitutional regulation of government surveillance.

The third part of the Article returns to positive law, leveraging the two theories of Fourth Amendment protection to answer fundamental criminal procedure questions about law enforcement hacking. Government access to data becomes a search, at minimum, when officers circumvent a security protection on a device. Officers can satisfy probable cause and particularity requirements if they can articulate an adequate triggering condition for malware. If the location of the target device is known, venue is usually appropriate before a magistrate judge in that district; if the location is unknown, venue is appropriate before a district court judge wherever the crime occurred. The search continues so long as law enforcement malware is resident on the device. Ex post notice of the search is mandatory, even if investigators have not identified the device’s owner. In certain malware configurations, the Fourth Amendment’s “reasonableness” requirement goes beyond ordinary warrant safeguards, and requires that officers satisfy an exacting “super-warrant” standard. A review of unsealed court filings demonstrates that the government has a spotty compliance record with these fundamental privacy protections.

The Article’s conclusion, and final contribution, is a normative argument for reinvigorating super-warrant procedures and applying them to law enforcement hacking. Most scholarly and judicial analysis of modern surveillance technology has focused on whether particular practices should be subject to a warrant requirement. Courts should impose heightened safeguards to channel law enforcement away from surveillance techniques that impose additional negative externalities.

Suggested Citation

Mayer, Jonathan, Constitutional Malware (November 14, 2016). Available at SSRN.

Jonathan Mayer (Contact Author)

Princeton University, School of Engineering and Applied Science, Department of Computer Science

35 Olden Street
Princeton, NJ 08540
United States

Princeton University, Woodrow Wilson School of Public and International Affairs

Princeton University
Princeton, NJ 08544-1021
United States