Sophos Cloud Optix
Users of the darkweb sometimes do dark things and law enforcement is constantly searching for new ways to catch them.
But how far should police be allowed to go to, and what safeguards are there against unwarranted intrusion?
It’s an issue raised by the downing of a large and deeply unpleasant site on the darkweb called Playpen, used to distribute large numbers of child abuse images and videos between August 2014 and March 2015.
In February 2015, the FBI seized the US-based server hosting the site but kept it running for 13 days as part of a dragnet to identify as many of its users as it could.
Because Playpen was accessed using the Tor anonymity system that masks IP addresses, this wasn’t straightforward so the FBI employed a network investigative technique (NIT), a type of police malware, to identify them.
Court documents and exchanges made public as part of prosecutions against alleged US Playpen users are starting to reveal the impressive power of NITs.
The NIT communicated with the computers of users logged into the site (possibly exploiting a flaw in the Tor browser), capturing their real IP address, hardware MAC address and other identifying data.
When the first prosecutions hit the courts early this year it was believed that 1,000 users had been unmasked but new court exchanges reveal that this was more like 8,000 IP addresses in 120 countries.
This makes it one of the largest police operations ever conducted against a site on the darkweb pushing child abuse content, but privacy campaigners have expressed concern at some details of the operation.
There are two views on this. The first is that this was a horrible website and the users caught red-handed had all logged into it (the police could only target users who had logged in). Catching these people means using every technique available.
The second is that the FBI targeted thousands of people – including many in countries beyond the US – after obtaining a single warrant from a Virginia-based judge who, say defending attorneys, acted beyond her authority.
This matters because NIT-obtained evidence has been thrown out in four cases. However, changes to something called Rule 41 which come into force on December 1 will make it possible for judges at this level to authorise warrants, campaigners claim.
Christopher Soghoian of the American Civil Liberties Union (ACLU) told Motherboard:
“We should expect to see future operations of this scale conducted not just by the FBI, but by other federal, state and local law enforcement agencies, and we should expect to see foreign law enforcement agencies hacking individuals in the United States, too.”
Not surprisingly, this might bother some people.
The case is one part of an expanding mesh of cases where the FBI is accused of getting carried away. So far at least, the agency shows no signs of slowing down its use of NITs to peer deeper into Tor and the darkweb.
The FBI has no real jurisdiction outside the US borders, so how is 8000 IPs in 120 countries even relevant? In theory, they could pass on evidence to local law enforcement in the 119 other countries and hope for the best?!? Don’t get me wrong, the site and people they went after are disturbed and deserve to be caught, but, the concern I have is that this starts to be used to “police” otherwise innocent citizens; maybe some law enforcement agency decides, they want to preemptively look inside peoples private digital worlds, and see what crime they can root out, which is a slippery slide away from say religious based thought crimes? Am I just being paranoid here? With Trump assigning known religious zealots to positions like Judges, etc., is it really that far fetched to believe they would be secular in their decisions? Police have a tough job, and the internet certainly doesn’t make that easier, they have to walk a fine line, and going over that line leads to a police state, or worse, so, to use a line from a movie, “who watches the watchers?”
If you ignore Tor here, and the concomitant need to use what I assume is some kind of software vulnerability to reveal the real IP number of the visitor…
…then you can ask, “What should happen if the cops had a warrant to retrieve regular IP logs from a regular server?”
Those logs would almost certainly include visitors who were (or seemed to be) from overseas. Should the cops be forced to ignore any IP number outside their own country? Assuming they had collected the list under their warrant, should they be required by law to purge any overseas IPs from the list IP front?
If so, US online criminals could effectively immunise themselves from warrants by using a VPN – the investigation would never be allowed past that point. And overseas criminals could administer servers in the US without fear of being traced because they would know that they’d always be excluded up front from any server logs that might otherwise reveal who they were – even if those logs placed their actions squarely under US jurisdiction.
Incidentally, is there any suggestion in this case that the FBI “hacked” people randomly to see what they were up to, or was it the case that they they collected IP data from users who had already given “probable cause” due to showing up at a specific hidden site associated directly with serious criminal activity and named in a warrant?
PS. “Who watches the watchers” is actually a line from Juvenal, a Roman author who wrote satirical poetry back in about AD 100 🙂
Great work FBI, don’t stop now.
Scum like this do not give a damn about the rule of law,have absolutely no morals and whose only interest is satisfying their despicable desires.
You have the support and admiration of all those who feel these vermin should be locked away for life.
Clive
I think the arguments claiming the FBI over-reached are based on the fact that 8000 people got caught up in the “road block”, which sounds like an awful lot given the number who were ever ultimately charged with crimes.
Therefore lots of those on the list probably didn’t deserve to be there, given how bad it looks to be even vaguely associated with an investigation of this sort – even for those who are ultimately exonerated.
OTOH, if all 8000 were deemed to be of interest because they were already known to have visited a hidden web page inescapably associated with serious crimes…
…that changes the equation rather a lot.
Some of the people this bothered included members of the senate and house. They have been questioning the DOJ on how it plans to interpret the changes to the rule, and are also putting forward legislation to delay the changes to July to enable time for informed debate over the implications.
So please don’t attack me for my questions. I know I am not the usual commenter but this is a topic that interests me despite my lack of cyber knowledge. I’ve been following this story and I’m curious it seems just being logged into something at the wrong time could lead to being prosecuted. I understand these people were on a known child porn site and most probably deserve it..but in all fairness what about the people who didn’t know or do anything wrong? When I first heard of the dark or deep Web of course I was curious. I tried to explore what I could just out of curiosity. If I opened something I felt was wrong Id exit out but still. To anyone on the outside I’m sure my activity showed me in various chat rooms and sites. In all reality I was just a curious teen surfing a different type of web not a seasoned pedophile deserving of jail time.
Overseas Offices
The FBI has offices around the globe. These offices—called legal attachés or legats—are located in U.S. embassies.
came to new zealand a few time’s one time for Dotcom