A Texas judge has denied the FBI’s request for a search warrant allowing it to install spyware on an unknown computer in an unknown location, in hopes of catching an alleged hacker and identity thief attempting bank fraud.

Judge Stephen Smith, of Texas’s Southern District, rejected the FBI’s attempt to install the same type of intrusive malware which the FBI, in other contexts, warns Americans to protect themselves against.

Smith felt the agency’s request was too broad—even if the FBI did manage to catch the actual bad guy, there was no guarantee they wouldn’t compromise the privacy of countless innocent people as well.

In his 13-page ruling and analysis, Judge Smith laid out the following background story: Early this year, an unknown person hacked into the email of a Texas resident identified only as John Doe (the court agreed to keep some details of the warrant secret, to avoid compromising the ongoing FBI investigation). The hacker, whose IP address originated from somewhere outside the U.S., then used Doe’s email to break into his bank account.

After John Doe discovered the security breach and took steps to re-secure his email, another email account with an address only one letter removed from Doe’s attempted to make “a sizeable wire transfer” out of Doe’s account into a foreign bank. The FBI has no idea where the actual offending computer, let alone the hacker who used it, actually is.

There’s no denying the FBI has good grounds to suspect criminal wrongdoing. However, as Judge Smith noted, “The Government does not seek a garden-variety search warrant” in this case.

The agency sought to record all activity on that computer for 30 days. Among other things, it would install keylogging software, use the webcam to surreptitiously photograph computer users, and monitor chat logs, email, and all websites visited, all in hope of determining who tried breaking into John Doe’s bank account.

Smith’s analysis says the FBI’s claim raises three questions, involving the “territorial limits” required of a search warrant; the “particularity requirements” of the Fourth Amendment, and “whether the Fourth Amendment requirements for video camera surveillance are known.”

The FBI fell short of all three. It failed the “territorial limits” standard because, basically, it set no such limits at all; its actual search certainly would not take place in the district over which the FBI or the magistrate has any authority. Furthermore:

“Contrary to the current metaphor often used by Internet-based service providers, digital information is not actually stored in clouds; it resides on a computer or some other form of electronic media that has a physical location. Before that digital information can be accessed by the Government’s computers in this district, a search of the Target Computer must be made. That search takes place, not in the airy nothing of cyberspace, but in physical space with a local habitation and a name. Since the current location of the Target Computer is unknown, it necessarily follows that the current location of the information on the Target Computer is also unknown.”

In other words, the territorial limits require a search of a discrete physical location under U.S. jurisdiction, neither of which apply to the FBI’s request.

The “particularity requirements” were not met because the FBI was too vague regarding just how it would find the offending computer. As Smith pointed out, merely knowing the ISP is not enough.

“The Government’s application contains little or no explanation of how the Target Computer will be found. Presumably, the Government would contact the Target Computer via the counterfeit email address, on the assumption that only the actual culprits would have access to that email account. [….] It is not unusual for those engaged in illegal computer activity to “spoof” Internet Protocol addresses as a way of disguising their actual on-line presence; in such a case the Government’s search might be routed through one or more “innocent” computers on its way to the Target Computer. The Government’s application offers nothing but indirect and conclusory assurance that its search technique will avoid infecting innocent computers or devices.”

Smith raised a number of highly plausible hypotheticals in which the FBI, while looking for the hacker, could wind up spying on innocent people as well:

“What if the Target Computer is located in a public library, an Internet café, or a workplace accessible to others? What if the computer is used by family or friends uninvolved in the illegal scheme? What if the counterfeit email address is used for legitimate reasons by others unconnected to the criminal conspiracy? What if the email address is accessed by more than one computer, or by a cell phone and other digital devices? There may well be sufficient answers to these questions, but the Government’s application does not supply them.”

Smith also said the FBI had failed to show that “alternative investigative methods have been tried and failed or reasonably appear to be unlikely to succeed if tried or would be too dangerous” and “the surveillance will be minimized to effectuate only the purposes for which the order is issued” (i.e., spying on criminals rather than innocents).

H/T Gawker | Illustration by Fernando Alfonso III