While investigating bomb threats, the FBI seized the server of a group known as May First/People Link (MF/PL) which offers encrypted data services to people fighting oppressive regimes.
The agents hung onto the server for four days in early April, then snuck in and hooked the server back up without a word of explanation.
MF/PL is worried that some code, perhaps spyware, was installed to attempt to track down communications.
According to coverage from MSNBC.com, FBI agents first came knocking on the door of MF/PL on April 11.
MF/PL defines itself on its website as "a politically progressive member-run and controlled organization that redefines the concept of 'Internet Service Provider' in a collective and collaborative way."
Together with sister organization RiseUp, MF/PL offers email services, mailing list support and other web tools to help people organize. Most importantly for such people is the fact that the group guarantees anonymity, as all data is encrypted.
When FBI agents first flashed their badges and requested entry, MF/PL organizer Jamie McClelland refused, he told MSNBC.
The agents didn't force their way in or anything dramatic. They did show McClelland emails with full headers, telling him that they were related to a spate of bomb threats directed against the University of Pittsburgh in April.
No number of bomb threats is reasonable, but the volume at the University of Pittsburgh was boggling: by April 24, over 100 threats had emptied dorms and disrupted classes, according to an article in the New York Times.
A group calling itself the Threateners had claimed responsibility for dozens of threats that had been delivered by email to Pittsburgh-area news outlets since March 30, reported the New York Times.
The Threateners said in an open letter to the university's chancellor that it would stop the threats if the university withdrew a $50,000 reward for information leading to the arrest of those responsible for the threats.
But that was all to come later. As of April 11, the FBI only had email with headers that they said were related to the threats, the agents told McClelland. The agents asked if he knew anything about ECN.org, the server that appeared in the e-mail headers.
He knew nothing of the Threateners and hadn't heard of the bomb scares, he told the agents.
After the agents left, McClelland and his partner, Alfredo Lopez, set to work to determine if a member might have been hacked by this ECN.org group. They also contacted the Electronic Frontier Foundation for legal help.
A tangled web of sub-subcontracted server space began to reveal itself. ECN, it turns out, stands for the European Counter Network, an independent European ISP with a similar mission to that of MF/PL, hosting a parallel system for anonymizing users.
ECN.org uses multiple servers to pass along messages, each of them stripping out and falsifying header information, making it near impossible to trace messages to original senders.
ECN.org had subcontracted space on RiseUp's New York server, and RiseUp had then subcontracted that space from MF/PL, according to MSNBC.
The FBI were apparently investigating the possibility that the threats were linked to ECN, and that's how they wound up at MF/PL's door.
The next day, the FBI subpoenaed information from MF/PL. The group responded to the all queries, but that apparently wasn't enough to satisfy the FBI.
On April 18, the FBI, without informing McClelland or Lopez or anybody else at MF/PL, went to the XO Communications Manhattan server farm. Armed with a warrant, the FBI walked off with the server they wanted, abruptly kicking offline hundreds of mailing lists, websites and email accounts.
The FBI kept the server for a mere four days - a blink of an eye in FBI time, given that the agency typically hangs on to confiscated technology devices for months or years.
At some point during those four days, MF/PL decided to install a surveillance camera with motion detection: a belated defense against a server being swiped from under their noses.
That camera was activated on April 23, the same day the FBI agents returned to reinstall the server on the rack, plugging it in and watching for a few minutes as if they wanted to make sure it was running correctly.
Why? Why take the server, keep it for a mere four days, and then sneak back in and hook it back up?
Lopez's theory: the FBI likely installed malware that could defeat the server's anonymizing software.
As Lopez told MSNBC, there's no way that thing's going back online at this point:
"There was not even a scintilla of expectation that this server would return to our rack. It's the most amazing thing," Lopez said. "It's possible they put device on it or a virus or Trojan of some kind."
MF/PL plans to run diagnostics on the server to see what they can find. The FBI, for its part, won't comment.
Even if MF/PL finds nothing, Lopez is furious that the government would cripple internet access for groups fighting for democratic rights as agents seek nonexistent evidence.
Here's what he told MSNBC:
"Look at the atrocity of them going in and taking a computer ... and disrupting all this information, and potentially getting all this information from hundreds of people not even accused of a crime. ... This is serious ... for people all over the world who depend on this stuff for their day to day work. To have it taken away by some other government, it's really unfair to them in every conceivable way."
But there is a silver lining. MF/PL came through, evidently, with shining colors. No user's anonymity was compromised.
Cartoon image courtesy of Shutterstock