Judge tosses evidence in FBI Tor hacking child abuse case

A US federal judge on Wednesday excluded all evidence in a child pornography case that was acquired by the FBI through an exploit compromising the Tor network. The federal government hasn’t announced what it’ll do next, but if it can’t prevail in an appeal, its case against Vancouver, Washington teacher Jay Michaud may well be doomed.

The background: early last year, the FBI used malware to take control of “Playpen,” a Tor-protected child abuse imagery site, run it for 13 days, and capture detailed information about the identities of visitors, including actual IP addresses that Tor would normally hide.

The government captured well over 1,000 IP addresses, leading to the arrest of 135 suspects. That, according to a January 2016 report in Motherboard, represented a small fraction of Playpen’s 215,000 member accounts, 11,000 unique visitors per week, and 117,000 posts, many containing “some of the most extreme child abuse imagery one could imagine… [and] advice on how sexual abusers could avoid detection online.”

As criminal cases have rolled in, some US defense attorneys have objected vigorously, demanding access to the full code for the “Network Investigative Technique” the FBI used to catch their clients.

Michaud’s attorney, Colin Fieman, argued that his forensic experts needed the code to:

…independently determine the full extent of the information the government seized from Mr. Michaud’s computer when it deployed the NIT… whether the government’s representations about how the NIT works… were complete and accurate… [and] to establish the electronic “chain of custody” for the data that allegedly links a computer purportedly used by Mr. Michaud to activities [on Playpen].

The federal government has consistently refused to reveal its code, in contrast to its one-time willingness to tell a court about its use of Metasploit in an earlier case.

So Fieman told the court it had a choice:

…between deferring to the government’s position that it will not or cannot comply with the court’s discovery order [or] upholding Mr. Michaud’s constitutional rights to effective representation and a fair trial… The Supreme Court has already made plain that, in situations like this, a defendant’s constitutional rights must prevail.

US District Court Judge Robert J. Bryan hasn’t dismissed Michaud’s case yet, but he has excluded all evidence arising from the FBI’s hack – and that doesn’t seem to leave much.

Bryan isn’t the only judge to take this position, either: judges in Oklahoma and Massachusetts recently suppressed evidence against other “Playpen” defendants, and in West Virginia, another defendant – seeing what’s happening to the government’s evidence in the other cases – is seeking to withdraw his guilty plea.

What the government will ultimately do about all this remains to be seen, but one thing seems clear: in the post-Snowden era, formerly compliant courts are becoming more skeptical of the US government’s claims on electronic search and privacy, and more willing to throw roadblocks in its way.