Warrant For FBI's Hacking Technique Makes No Mention Of Hacking Or Malware
from the just-a-big-ol'-auto-scoop,-but-delivered-secretly dept
Motherboard has obtained a copy of the warrant used by the FBI to deploy its NIT (Network Investigative Tool) to obtain information about visitors to child porn site "Playpen." This site was seized by the FBI and left running for two weeks while it gathered information.
The prosecutions tied to this investigation have been interesting, to say the least. The FBI's short run as child porn site hosts received a judicial shrug -- something courts have done in the past when confronted with disturbing government behavior in service of combating crime. These have also led to the government arguing -- and the court echoing -- that Tor users have no expectation of privacy, as sooner or later, everything comes down to an IP address.
The warrant itself is slightly redacted, but that's hardly a surprise. More surprising is the fact that it has been released at all, as the FBI usually argues for the sealing of documents related to its investigations, especially in cases where law enforcement tech and methods are discussed.
As far as the details contained within, most of what's known about the FBI's NIT has already been discussed. As Motherboard's Joseph Cox points out, there are a few interesting aspects to the warrant request. For one, it makes it clear the FBI will be running a child porn site for the duration of the "search."
“While the TARGET WEBSITE operates at a government facility, such request data associated with a user's actions on the TARGET WEBSITE will be collected,” the affidavit, signed by Douglas Macfarlane, an FBI special agent, reads.
While the document claims the FBI has no other way to ascertain the IP addresses and locations of users connecting to the website, it also goes light on the details of what it plans to do. The NIT is discussed in terms of what it's capable of gathering, but the affidavit goes very, very light on technical details. Nowhere in the document does the FBI refer to its NIT in terms more applicable to its function, like "malware," "spyware" or "hacking." The FBI describes its NIT this way:
In the normal course of operation, websites send content to visitors. A user's computer downloads that content and uses it to display web pages on the user's computer. Under the NIT authorized by this warrant, the TARGET WEBSITE, which will be located in Newington, Virginia, in the Eastern District of Virginia, would augment that content with additional computer instructions. When a user's computer successfully downloads those instructions from the TARGET WEB SITE..., the instructions, which comprise the NIT, are designed to cause the user's "activating" computer to transmit certain information to a computer controlled by or known to the government. That information is described with particularity on the warrant (in Attachment B of this affidavit), and the warrant authorizes obtaining no other information. The NIT will not deny the user of the "activating" computer access to any data or functionality of the user's computer.
This lack of details could be problematic.
Critics are worried that the language of NIT applications is too vague for judges to grasp what exactly it is they are authorizing; the words "malware" or "hacking" are never used, for example. (Magistrate Judge Theresa C. Buchanan, who signed off on the NIT, has repeatedly declined to answer questions from Motherboard.) The NIT was used to access computers in the US, Greece, Chile, and likely elsewhere.
Speaking of foreign nations, the FBI apparently had some outside assistance in this case.
In December of 2014, a foreign law enforcement agency advised the FBI that it suspected IP address 192.198.81.106, which is a US-based IP address, to be associated with the TARGET WEBSITE. A publicly available website provided information that the IP Address 192.198.81.106 was owned by [REDACTED] a server hosting company headquartered at [REDACTED] Through further investigation, FBI verified that the TARGET WEBSITE was hosted from the previously referenced IP address. [...] Further investigation has identified a resident of Naples, FL, as the suspected administrator of the TARGET WEBSITE, who has administrative control over the computer server in Lenoir, NC, that hosts the TARGET WEBSITE.
The fact that documents from sealed cases related to the FBI's Playpen investigation are being released publicly shows that even opposed forces can sometimes arrive at the same plan of action, even if their motivations are completely different.
In Washington, the lawyer for a defendant captured with the assistance of the FBI's NIT is hoping to put the FBI's apparent overreach on display by requesting the unsealing of documents. The FBI, on the other hand, isn't putting up much of a fight to keep these sealed. The affidavit in this related case contains graphic descriptions of child porn images found on the site. People who generally don't believe the ends justify the means often make exceptions for more heinous criminal activity like this. The public outing of sealed docs could persuade fence-sitters to come down on the side of the FBI, even if the agency's use of NITs is hardly limited to cases involving crime the public overwhelmingly finds completely repugnant.
Filed Under: darknet, doj, fbi, hacking, malware, network investigative tool, nit, playpen, tor, transparency, warrants