A senior US district judge recently stated the technically
obvious, but it may come as a shock to many. The FBI seized control of Playpen,
a dark net website dedicated to child porn distribution (yes, disgusting, and
good for the FBI). In building their case, the FBI utilized something known as a
“network investigative technique” (NIT), which also included grabbing source
IP addresses out of the Tor network.
The defense tried to get the FBI to reveal its code under
discovery. Federal judge Robert J. Bryan ordered the FBI to hand over the Tor
browser exploit code so that the defense could better understand how the
agency hacked over 1,000 computers and whether the evidence gathered was covered
under the scope of the warrant.
However, Judge Henry Coke Morgan, Jr. ruled differently:
“the Court FINDS that Defendant has failed to show that the full NIT code
specifically, the exploit - is material under Rule 16(a)(1)(E). Thus, the Court
DENIES Defendant's Motion to Compel Discovery, Doc.37. Additionally, even if
the Court were to find that Defendant made a sufficient showing of materiality,
the Court would not require the Government to disclose the full source code due
to the law enforcement privilege.”
I guess there is no way the code is being released, no
surprise. Nevertheless, the judge made a few other rulings that may evoke surprise.
These rulings were made without deference to the child pornography crime, but
in general terms:
“the Court FINDS that Defendant possessed no reasonable expectation of privacy in
his computer's IP address, so the Government's acquisition of the IP address
did not represent prohibited Fourth Amendment search”
“Generally, one has no reasonable expectation of privacy in an IP address when using the
Internet.”
“Even an Internet user who employs the Tor network in an attempt to mask his or her
IP address lacks a reasonable expectation of privacy in his or her IP address.”
These are facts as much as they are rulings. Yet, it does
not stop there:
“b. Defendant Has No Reasonable Expectation of Privacy in His Computer”
“Thus, the Government's use of a technique that causes a computer to regurgitate certain
information, thereby revealing additional information that the suspect already
exposed to a third party - here, the IP address - does not represent a search
under these circumstances.”
“Therefore, the Government did not need to obtain a warrant before deploying the NIT and
obtaining Defendant's IP address in this case, so any potential defects in the
warrant or in the issuance of the warrant are immaterial.”
We now seem to be stretching the law into uncomfortable contortions.
And the final back-bending ending…
“Hacking is much more prevalent now than it was even nine years ago, and the rise of
computer hacking via the Internet has changed the public's reasonable
expectations of privacy.”
Oh really now? I can assure the judge that when I buy
something online with a credit card over an SSL channel, I very much expect
privacy regardless of whether someone has been able to break SSL 2.0, SSL 3.0 and TLS
1.0 encryption!
We presumably have a good and righteous case being
prosecuted. We have some outstanding facts from a judge that every computer
user and business needs to understand. Then we have some very bad reasoning and
overreach. I am no lawyer, but I do understand there is a difference between Reasonable
Expectation of Privacy when persons acting on behalf of a city, state, or
federal government use it in connection with searches versus when a private
citizen compromises the solitude or seclusion of another private citizen. What
I am trying to figure out now is: do the judge’s rulings protect hackers?