FBI-Child Porn-Hacking Case Results In Trashing Privacy Of Home Computers

Hold on to your hats folks, this one is going to get messy.  The FBI is defending itself on overreach.

It’s always best to start at the beginning, so here’s a little background.  There is a dark side of the internet.  Well, it’s more of an effort to ensure the privacy of the users by utilizing encryption software, and a series of relays that keeps the location of the users from being pinpointed.  The project was originally called The Onion Router.  Today, the system is known as Tor.

Tor is used by all sorts of humans who do not want to get caught doing illegal stuff.  One of those categories of criminal activity is accessing child pornography.  As repulsive as the thought of kiddie porn is, there are those who will go to great lengths to get their hands and eyes on the material.  Those people also don’t want to be identified, which is why child pornography is frequently a Tor offering.  The users’ locations can be shielded.

Maybe not so much anymore.

It seems that in tracing the users/subscribers of a Tor child pornography bulletin board website known as Playpen, the FBI managed to crack Tor encryption and find a way to embed code on home computers of the users.  According to a disturbing article at Motherboard, in the process of cracking the website, the FBI hacked over 1,000 computers.

In order to fight what it has called one of the largest child pornography sites on the dark web, the FBI hacked over a thousand computers, according to court documents reviewed by Motherboard and interviews with legal parties involved.

“This kind of operation is simply unprecedented,” Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in a phone interview.

At one point, Playpen had 150,000 registered users, and many of the posts offered advice on evading detection from law enforcement.  The site was seized in 2015.  Rather than shutting it down at the time, the FBI left the site up and laid the code that would lead them to the site’s users.

While Playpen was being run out of a server in Virginia, and the hacking tool was infecting targets, “approximately 1300 true internet protocol (IP) addresses were identified during this time,” according to the same complaint.

It is estimated based on court documents that there may be as many as 1,500 criminal cases prosecuted as a result of the initial hacking of the Tor site.  What is interesting about this case is that the warrant obtained to go after Playpen – not the first child pornography site to be targeted – allowed for the collection of users’ IP addresses.

It’s not totally clear exactly how it was deployed, but the warrant allowed for anyone who logged into the site to be hacked.

…“Basically, if you visited the homepage, and started to sign up for a membership, or started to log in, the warrant authorised deployment of the NIT,” Fieman said. From here, the NIT would send a target’s IP address, a unique identifier generated by the NIT, the operating system running on the computer and its architecture, information about whether the NIT had already been deployed to the same computer, the computer’s Host Name, operating system username, and the computer’s MAC address.

Experts say that the true nature of NITs—that is, as powerful hacking tools—is kept from judges when law enforcement ask for authorisation to deploy them.

“Although the application for the NIT in this case isn’t public, applications for NITs in other cases are,” said Soghoian. “Time and time again, we have seen the Department of Justice is very vague in the application they’re filing. They don’t make it clear to judges what they’re actually seeking to do. They don’t talk about exploiting browser flaws, they don’t use the word ‘hack.’”

“And even if judges know what they’re authorizing, there remain serious questions about whether judges can lawfully approve hacking at such scale,” Soghoian added.

NIT stands for “network investigative technique.”  That’s fancy language for putting a bug on your computer.

A year after the hack brought down Playpen and exposed over a thousand user names and IP addresses, the defendant in one of the resulting court cases, Edward Joseph Matish in the state of Virginia, sought to have the warrant thrown out based on its wide scope and on the reality that a private citizen has a reasonable expectation of privacy.  The judge’s response?  Yeah, not so much.

…Senior U.S. District Judge Henry Coke Morgan Jr. upheld the use of the warrant and even stated that the warrant is unnecessary because of the type of crime being investigated and because users should have no “objectively reasonable expectation of privacy.” Even using countermeasures, such as the Tor network, does not mean that the user should expect their location or their activities to remain private, according to the judge.

“It is clear to the Court that Defendant took great strides to hide his IP address via his use of the Tor network,” the judge wrote in the ruling. “However, the court FINDS that any such subjective expectation of privacy—if one even existed in this case—is not objectively reasonable.”…

“[H]acking is much more prevalent now than it was even nine years ago, and the rise of computer hacking via the Internet has changed the public’s reasonable expectations of privacy,” the judge wrote. “Now, it seems unreasonable to think that a computer connected to the Web is immune from invasion. Indeed, the opposite holds true: In today’s digital world, it appears to be a virtual certainty that computers accessing the Internet can—and eventually will—be hacked.” The judge argued that the FBI did not even need the original warrant to use the NIT against visitors to PlayPen.

Other courts have had different findings, but coming from a federal judge in the Eastern District of Virginia, this is stunning.  It essentially means that any computer on any public network can be hacked without the computer owner having an expectation of privacy – and that the FBI does not need a warrant to put an NIT on a personal computer.

Yes, the 14th Amendment protects a woman’s right to have an abortion, but not that citizens can use the internet without the expectation of being hacked by the FBI, according to this judge.

Industry lawyers are reeling from this decision as it is so far outside the norm, it is not even funny.  No one has sympathy for the defendant, but the method to catch him is considered to be invasive even in hacking circles.  Other defendants caught in this net have seen evidence against them thrown out as the warrant covering the collection was obtained and executed in Virginia, but the seizures took place in other states.  The Virginia case may be the exception to the rule based on the state in which the defendant resides.

Ultimately, United States vs. Matish is going to be an important court case for the future of internet and personal privacy.  Not only are there basic search and seizure rights on the line, privacy concerns and the like, but the FBI has sought to make their Tor penetrating NIT an industry secret, thereby basically not having to expose how it works in court.

Matish goes to trial in the fall.

About the Author

Cultural Limits