The FBI has served up a redacted version of the warrant it requested to deposit identity-exposing malware on the computers of those who used private TorMail accounts to visit child pornography sites hidden on the dark web.
The takeaway: it looks like the agency exceeded the bounds of its warrant, and may have indiscriminately infected others who had nothing to do with child porn.
As ACLU principal technologist Christopher Soghoian told Motherboard,
While the warrant authorized hacking with a scalpel, the FBI delivered their malware to TorMail users with a grenade.
The background, according to Motherboard: Back in 2013, the FBI seized servers belonging to Freedom Hosting, then a well-known host of dark websites and services, many child pornography sites among them.
Rather than instantly shutting down Freedom Hosting’s sites, the FBI requested a federal warrant to “deploy a network investigative technique (NIT) – a piece of malware – designed to obtain the real IP address” of visitors.
Soon thereafter, reported WIRED, an error page began appearing in place of the login page of the TorMail application. Those error pages downloaded the FBI’s malware – but the download occurred before a user logged into TorMail or any other Freedom Hosting site.
To critics like Soghoian, such targeting seemed to go far beyond any reasonable warrant. It was likely to reveal the identities of individuals who were guilty of no crime.
They might have been journalists or dissidents using TorMail to communicate privately, not there to visit a Freedom Hosting-based child porn site or illegal drug emporium.
Whilst there is undoubtedly a lot of criminal activity on the dark web there are also plenty of people using it for entirely legitimate purposes too.
Before we had access to the warrant, it was hard to tell whether it may have been exceeded – but now we do have access.
Twenty-three child pornography sites were targeted, and over 300 specific usernames. But the warrant specifically targeted those who’ve logged into any of those sites “by entering a username and password,” or otherwise entered “any sections of any of Websites 1¬23 where child pornography may be accessed, or upload[ed]…”
In other words, the judge authorized FBI agents only to infect computers that were clearly seeking, accessing, or sharing child pornography. But users received the FBI’s “NIT” before they did so, or even demonstrated intent to do so.
The FBI’s response? Motherboard quotes agency spokesman Christopher Allen:
As a matter of practice the FBI narrowly tailors warrants, and we do not exceed the scope of those warrants.
Ongoing battles over the FBI’s use of malware against Tor users remain controversial. In April, we covered one judge’s decision to toss evidence because the FBI’s warrant was granted by a federal magistrate judge for a case outside her jurisdiction.
In May, we covered another case where evidence was excluded because the government wouldn’t turn over its exploit code for defendant’s examination.
If in fact the FBI exceeded its warrant in the current case – and especially if it hasn’t told the judge the full extent of its activities, as Soghoian suspects – the courts won’t be pleased.
Nevertheless, rules changes to make it easier to get NIT warrants against users of illicit Tor sites are still rolling towards their December 1st implementation date.