We didn’t hack our way into Silk Road, prosecutors said last month.
But even if we did, it was perfectly kosher, they said on Monday.
Back in September, the US government had said in court records that while most of the Silk Road site was hidden behind a sort of virtual Tor ‘curtain’, a tiny little bit of it was left poking out.
Silk Road’s CAPTCHA service was not protected by Tor and that allowed the Feds to pull back the curtain and reveal the location of the hidden website.
And that’s how we found it, they claimed:
The IP address leak we discovered came from the Silk Road user login interface. Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the "Subject IP Address") was the only non-Tor source IP address reflected in the traffic we examined.
The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal. When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was 'leaking' from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.
Don’t buy it? Some people did not, including the lawyers for alleged Silk Road captain Ross W. Ulbricht.
Well, tough luck, prosecutors said on Monday.
Even if FBI agents did hack their way into Silk Road without a warrant – and they’re most certainly not confessing to that, mind you – the intrusion would have been an upstanding, law-abiding, Fourth Amendment-respecting act of criminal investigation.
Wired has posted the full filing from the prosecutors.
The government’s rationale for why such a warrantless search would have been valid rests on these points:
- The Silk Road server’s location: The server was located offshore in a data center in Reykjavik, Iceland. Once the FBI figured out its location, it was Reykjavik police who accessed and secretly copied the data on it. Being agents of a foreign government, they don’t need no stinkin’ badges – or, in this case, no stinkin’ warrant from no stinkin’ US authority.
- We only got the metadata: Prosecutors claim that they didn’t use a pen register for surveillance, as Ulbricht’s lawyer had claimed – rather, agents merely collected metadata, not the actual content of his communications. Thus, they weren’t required to prove probable cause to a judge.
- It wasn’t Ulbricht’s server: He didn’t own the server, the Feds wrote. He allegedly rented it through a third-party service, which in turn rented space in Iceland. The web host’s terms of service warn that “systems may be monitored for all lawful purposes, including to ensure that use is authorized”, the prosecutors pointed out. Given that Ulbricht allegedly violated the company’s terms of service by using its computers to conduct unlawful acts such as dealing in narcotics and other contraband, the web host was exempted from any obligation to protect his privacy. Ulbricht’s caught in a Catch-22 here, given that he hasn’t claimed personal possession of the computer’s data, and doing so would very likely incriminate him. From Monday’s filing:
Because Ulbricht has not submitted any affidavit alleging that he had any possessory interest in the SR Server - let alone one that would give him a reasonable expectation of privacy - his motion should be denied.
- Silk Road had a bad reputation: The site was already notorious for being a haven for criminals. From Monday’s filing:
Even if the FBI had somehow 'hacked' into the [Silk Road] Server in order to identify its IP address, such an investigative measure would not have run afoul of the Fourth Amendment. Given that the SR Server was hosting a blatantly criminal website, it would have been reasonable for the FBI to 'hack' into it in order to search it, as any such 'hack' would simply have constituted a search of foreign property known to contain criminal evidence, for which a warrant was not necessary.
Jennifer Granick, director of civil liberties at Stanford Law School’s Center for Internet and Society, found the prosecutors’ arguments a bit thin.
Speaking to Wired, she said that Ulbricht didn’t need to declare ownership of the Silk Road server in order to claim the right of privacy for its data:
He doesn't have to own the server. Even if he's just communicating on that server, he already has a reasonable expectation of privacy.
With regard to the prosecution’s argument that offshore servers holding Americans’ data can be searched without a warrant, Granick said that’s legally questionable:
This is not an obvious or open-shut argument at all... Overseas searches that target Americans still have to be reasonable. ... If the target is a US person and it's a US agent looking for information, the Fourth Amendment still applies.
I don't think this is a strong legal argument. I do think that the defendant has alleged sufficiently that his communications flowing over this system are protected by the Fourth Amendment, such that the government should have to explain why their investigation didn't cross that line.
On #1 and #3. The location was determined with a warrant-less search. That makes the subsequent search by the Icelandic authorities subject to the “Fruit of the Poison Tree” doctrine. This also applies to the information on ownership. They only know ownership as the result of an (arguably) illegal search. They can’t argue the defendant doesn’t own the server if the original search is deemed illegal.
On #2. Metadata is still information.
On #4.
If the criminal behavior associated with the web site was so blatant, why not just get a search warrant? There should have been no problem doing so.
If the FBI had simply followed the requirements of the US Constitution they wouldn’t find themselves in the position where all the information gathered in relation to a major criminal case could be quashed by a judge.
The fact that the govt is presenting an argument as to why it would be legal for them to have hacked TSR means they hacked TSR. It’s like OJ Simpson publishing his “If I Did It” book.
No, it doesn’t. Presenting a second example with the same scenario doesn’t justify the first statement. That’s a faulty analogy.