Tuesday, April 25, 2017

Government hacking and the dark net: coming soon to the Tenth Circuit

By Rich Federico – Staff Attorney (R&W)

In February 2015, the FBI purposefully became one of the largest distributors of child pornography in the world. As part of Operation Pacifier, the FBI seized computer servers in North Carolina that hosted the Playpen website, which was designed and operated for the online exchange of child pornography. Users could access Playpen anonymously through the dark net. Once it had seized the servers and arrested the site administrator, rather than shut the site down, the FBI kept Playpen running for thirteen days to monitor traffic and gather information on users. The government estimates that during the time it operated the site, over 100,000 unique users logged in, and 9,000 images and 200 videos of child pornography were made available.

The problem for the FBI was that the anonymity of the users did not allow it to gather the information it needed to investigate the persons on the other end of the network connection: the site's own logs showed only the address of the last Tor relay, not the visitor. The FBI solved this problem by deploying malware to hack into thousands of computers around the world to unmask the users who accessed the Playpen site. Geographic borders and jurisdictional boundaries were no match for the government's cyber tools. In using these tools, the FBI opened a new frontier in cyber law-enforcement investigations, one that will undoubtedly strain Fourth Amendment jurisprudence.

Let's start with some very basic tech background for the non-techies amongst us (which includes the author of this post). "Malware" is software that runs on a computer without the owner's consent, whether to damage the system or to take control of its operations. In the context of the Playpen investigation, the malware was referred to by the FBI as a "Network Investigative Technique" (NIT). When a user logged into Playpen, the NIT was delivered to that user's computer, and it briefly (think fractions of a second) took control of the computer to make it send identifying information back to an FBI-controlled server outside the anonymity network, including the computer's real IP address.

The "dark net" was accessed in these cases through the Tor network ("The Onion Router"), which was originally developed by the U.S. government for intelligence communications. Tor masks user identities by relaying traffic through a series of network relays, each of which strips one layer of encryption and learns only the next hop. The website at the far end sees only the address of the last relay (the "exit node"); neither the website nor any single relay can trace the connection back to the original user. There is nothing illegal about using Tor, but it doesn't take much imagination to consider how it can be used to facilitate illegal activity (e.g. the Silk Road cases). It also doesn't take much tech-savvy to use, as the Tor Browser bundle can easily be downloaded and installed.
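To make the relay description concrete, here is a toy walk-through of onion routing. It is an added illustration for this post, not the Tor Project's code and not the FBI's tool: Tor negotiates a fresh key with each relay and uses AES, whereas this stand-in uses fixed sample keys and an HMAC-SHA256 keystream so that it runs offline with no dependencies. The addresses, the three-relay circuit and the request are constructed sample data.

```python
"""Toy onion routing: how a circuit of relays hides the client from the destination.

Added illustration, not part of the original post and not Tor's real code. Tor
negotiates per-hop keys with Diffie-Hellman and encrypts with AES; this stand-in
uses fixed sample keys and an HMAC-SHA256 keystream XOR so it runs offline.
Addresses are constructed from the RFC 5737 documentation ranges.
"""
import hashlib
import hmac
import json
from collections import namedtuple

Relay = namedtuple("Relay", "name addr key")

CLIENT_IP = "203.0.113.7"   # constructed: the Tor user
DEST_IP = "198.51.100.9"    # constructed: the website being visited


def _sample_key(label: str) -> bytes:
    # Deterministic sample key so the walk-through is reproducible; a real
    # circuit negotiates a fresh secret key with each relay.
    return hashlib.sha256(label.encode()).digest()[:16]


CIRCUIT = [
    Relay("entry", "192.0.2.1", _sample_key("entry")),
    Relay("middle", "192.0.2.2", _sample_key("middle")),
    Relay("exit", "192.0.2.3", _sample_key("exit")),
]


def _keystream(key: bytes, n: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:n]


def crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts (XOR with a keyed stream)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def build_onion(request: str, dest: str, circuit) -> bytes:
    """Client side: wrap the request in one layer per relay, innermost for the exit."""
    blob = crypt(json.dumps({"next": dest, "payload": request}).encode(), circuit[-1].key)
    for i in range(len(circuit) - 2, -1, -1):
        layer = {"next": circuit[i + 1].addr, "inner": blob.hex()}
        blob = crypt(json.dumps(layer).encode(), circuit[i].key)
    return blob


def peel(relay: Relay, blob: bytes):
    """Relay side: strip one layer; learn only the next hop and an opaque inner blob."""
    msg = json.loads(crypt(blob, relay.key))
    if "inner" in msg:
        return msg["next"], bytes.fromhex(msg["inner"])
    return msg["next"], msg["payload"]          # exit relay: the cleartext request


def run_circuit(request: str, circuit=CIRCUIT):
    """Forward the onion hop by hop and record what each party can observe."""
    blob, prev = build_onion(request, DEST_IP, circuit), CLIENT_IP
    relay_views = []
    for relay in circuit:
        next_hop, blob = peel(relay, blob)
        relay_views.append((relay.name, prev, next_hop))   # (relay, from, to)
        prev = relay.addr
    # The website logs the exit relay's address as the visitor, not CLIENT_IP.
    return {"relay_views": relay_views,
            "destination_sees": {"source": prev, "request": blob}}


def entry_relay_learns_destination(request="GET /", circuit=CIRCUIT) -> bool:
    """The entry relay knows the client's IP; can it also read the destination?"""
    _, inner = peel(circuit[0], build_onion(request, DEST_IP, circuit))
    try:
        return json.loads(crypt(inner, circuit[0].key)).get("next") == DEST_IP
    except ValueError:      # wrong key: the bytes are not valid UTF-8 JSON
        return False


if __name__ == "__main__":
    result = run_circuit("GET /index.html")
    for line in result["relay_views"]:
        print("relay %-6s sees traffic from %-14s going to %s" % line)
    print("destination sees:", result["destination_sees"])
```

Running it prints that the entry relay sees the client but only the middle relay's address as the next hop, the exit relay sees the middle relay and the website, and the website records the exit relay as its visitor. That is exactly the gap the Playpen server logs left: with only an exit address in the logs, the FBI needed the user's own computer to reach out and identify itself.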

The FBI’s use of the NIT to hack into anonymous users’ computers around the world was authorized by a single warrant issued by a U.S. magistrate judge in the Eastern District of Virginia. With this single grant of judicial authority, the FBI obtained user information that it then used to conduct investigations of the locations and persons by their IP address and other identifying information. Individual search warrants were obtained and executed, followed by many indictments.

Crafty defense lawyers recognized the NIT as a new cyber-tool for law enforcement. The NIT search warrant affidavit provided enough information to challenge its legality. Throughout the country, defense lawyers challenged the NIT search warrant as void ab initio, in that the magistrate judge lacked jurisdiction to issue a hacking warrant reaching computers beyond the borders of the district (in violation of the then-controlling version of Federal Rule of Criminal Procedure 41 and the Federal Magistrates Act, 28 U.S.C. § 636). Additional challenges argued that the NIT warrant was a general warrant in violation of the Fourth Amendment in that it failed the particularity requirement. Other cases pushed courts to order the FBI to reveal the source code of the NIT itself, essentially to unmask the FBI's cyber-unmasking tool.

In the majority of cases, courts denied suppression. But there were several grants, all finding that the magistrate judge lacked jurisdiction under Rule 41 to authorize such a sweeping warrant. At least three suppression grants are currently pending on an appeal by the government in the First, Eighth, and Tenth Circuits. The Tenth Circuit case worth watching is United States v. Workman (No. 16-1401), which is scheduled to be argued on May 10, 2017 at 8:30 a.m. in Courtroom IV of the Byron White Courthouse in Denver.

In Workman, the district court found that the use of the NIT was a search and that the magistrate judge’s issuance of the warrant violated Rule 41. The court rejected the government’s argument that the NIT was a “tracking device” under Rule 41(b)(4). It also found that the good-faith exception could not save what amounted to a facially defective warrant. These findings align with the other suppression grants around the country, including the first grant that occurred in Massachusetts in United States v. Levin (appeal pending in the First Circuit), which we blogged about here.

Although there have been a few past cases of the government using malware to surreptitiously hack into users' computers, the vast majority of known cases arose out of the investigation into the Playpen website. In future cases, defense counsel would be wise to look closely at search-warrant affidavits for references to a NIT (or similar terms), the Tor network, the dark net, and the like. And don't be intimidated by the technology: explanations of the terminology can be readily found through simple internet searches.

Defense counsel should also be aware that Rule 41 was amended effective December 1, 2016, to add subsection (b)(6), which authorizes a magistrate judge to issue a warrant to remotely search electronic media located outside the district when the location has been concealed through technological means. In other words, it provides authority for an NIT warrant in the future. The Department of Justice lobbied for the change and, despite inquiries and concerns from a few members of Congress, the amendment took effect with little fanfare. This amendment will limit suppression arguments in future cases but not eliminate them. As the government expands its cyber investigative capabilities, so too must defense lawyers be prepared to challenge these actions to preserve Fourth Amendment freedoms.

If you want to know more about this topic, I highly recommend you download the joint publication (ACLU, NACDL, and Electronic Frontier Foundation) “Challenging Government Hacking in Criminal Cases,” which can be found here.
