FBI vs. The Dark Web

September 27, 2016

The Fourth Amendment guarantees a right to privacy… or so we all thought.  In the recent string of Playpen cases now pending across the United States, this issue has arisen after the discovery of thousands of users of the child pornography website.  Was the Federal Bureau of Investigation (FBI) able to legally hack into private users’ computers and track the Internet Protocol (IP) addresses associated with the child pornography website to locate users?  The answer: lawyers, scholars, and courts dispute whether the FBI’s hacking tactics are legal.
The FBI discovered thousands of users on Playpen after receiving a tip from a foreign law enforcement agency that the site was not hidden as believed, but rather misconfigured, making the server’s IP address publicly known.  Playpen was supposed to be hidden through an anonymous virtual private network (VPN) called Tor, specifically through Tor’s hidden network, which would have concealed the identity and location of its users.  The Tor network connects users through a series of virtual tunnels (as opposed to a direct connection) that reroute traffic to a different location while masking the location and real IP address, allowing users to maintain their privacy and security and to prevent tracking, thus creating a “dark web site.”  Once the FBI realized the IP address was publicly available, it obtained a search warrant and traced the server hosting the site to a computer in Lenoir, North Carolina.
Instead of shutting the site down, however, the FBI actually took over the “dark web site” and continued to operate it for almost two weeks.  While Playpen was under FBI control, thousands of users were hacked using a network investigative technique (NIT).  An NIT works by sending malware to site visitors and copying identifying information from each user’s computer before sending it back to the malware sender, in this case the FBI.  This technique led to hundreds of arrests.

According to the Electronic Frontier Foundation, this is the most extensive domestic use of malware by a U.S. law enforcement agency to date, and it was all done through a single search warrant.

The use of the NIT has raised serious right-to-privacy issues.  How was the FBI allowed to hack thousands of computers with only a single warrant for one computer linked to the server IP address?  For every computer the FBI sent malware to, it was able to obtain the computer’s IP address, a unique identifier generated by the NIT to distinguish the data from that of other activating computers, the operating system in use, the host name, the operating system username, and the MAC address.  By using the NIT, the FBI was able to obtain a myriad of private information, all without the owner even knowing their computer was being “searched.”  Armed with IP addresses, the FBI subpoenaed internet service providers for the names and home addresses of suspected users.
The search and seizure of this information has led to a debate about whether the FBI’s use of the NIT violates the Fourth Amendment.  Many of the accused users and those generally opposed to this tactic view it as an unwarranted search and seizure of private property.  They argue that, through the NIT, the FBI’s malware “seized” the users’ computers by turning them into a surveillance tool controlled by the FBI, “searched” the computer for certain identifying information, and “seized” this information by sending it back to the FBI.  These actions presumably involved personal computers kept in private residences, therefore intruding upon privacy rights.  Those opposing this method believe that using malware should be evaluated the same way as a physical search – with an agent physically taking a computer and looking through it for information.  By this reasoning, there is a clear violation of privacy.
On the other hand, the Ninth Circuit’s reasoning in one of the many Playpen cases, United States v. Acevedo-Lemus, presents the other side of the debate.  The Court declared that the “Defendant could not have had a subjective expectation that his IP address would remain private because he routinely disclosed it to third parties, including Time Warner, the Tor network, and websites he visited on the open Internet.”  Therefore, because the user made his IP address known to some, and the FBI obtained the address from a third party, it was no longer private information.  The Ninth Circuit has, on several occasions, concluded that “[i]nternet users do not have reasonable expectations of privacy in their IP addresses or the IP addresses of the websites they visit” because it is generally regarded as public information, despite the fact that users attempted to “hide” their identity using an anonymized network.  Some of those who agree with the Ninth Circuit’s reasoning even go so far as to believe that all internet usage is public information.
Given these differing viewpoints, the issue will not simply disappear into the “dark web.”  With the ever-growing use of the internet by the public and the government’s use of it to police the nation, a clear precedent should, and likely will, be established.