• Tag Archives Playpen
  • FBI Search Warrant That Fueled Massive Government Hacking Was Unconstitutional

    Appeals Court Should Find Warrant Violated Fourth Amendment Protections

    Boston—An FBI search warrant used to hack into thousands of computers around the world was unconstitutional, the Electronic Frontier Foundation (EFF) told a federal appeals court today in a case about a controversial criminal investigation that resulted in the largest known government hacking campaign in domestic law enforcement history.

    The Constitution requires law enforcement officers seeking a search warrant to show specific evidence of a possible crime, and tie that evidence to specific persons and places they want to search. These fundamental rules protect people from invasions of privacy and police fishing expeditions.

    But the government violated those rules while investigating “Playpen,” a child pornography website operating as a Tor hidden service. During the investigation, the FBI secretly seized servers running the website and, in a controversial decision, continued to operate it for two weeks rather than shut it down, allowing thousands of images to be downloaded. While running the site, the bureau began to hack its visitors, sending malware that it called a “Network Investigative Technique” (NIT) to visitors’ computers. The malware was then used to identify users of the site. Ultimately, the FBI hacked into 8,000 devices located in 120 countries around the world. All of this hacking was done on the basis of a single warrant. The FBI charged hundreds of suspects who visited the website, several of whom are challenging the validity of the warrant.

    In a filing today in one such case, U.S. v. Levin, EFF and the American Civil Liberties Union of Massachusetts urged the U.S. Court of Appeals for the First Circuit to rule that the warrant is invalid and the searches it authorized unconstitutional because the warrant lacked specifics about who was subject to search and what locations and specific devices should be searched. Because it was running the website, the government was already in possession of information about visitors and their computers. Rather than taking the necessary steps to obtain narrow search warrants using that specific information, the FBI instead sought a single, general warrant to authorize its massive hacking operation. The breadth of that warrant violated the Fourth Amendment.

    “No one questions the need for the FBI to investigate serious crimes like child pornography. But even serious crimes can’t justify throwing out our basic constitutional principles. Here, on the basis of a single warrant, the FBI searched 8,000 computers located all over the world. If the FBI tried to get a single warrant to search 8,000 houses, such a request would unquestionably be denied. We can’t let unfamiliar technology and unsavory crimes lead to an erosion of everyone’s Fourth Amendment rights,” said EFF Senior Staff Attorney Mark Rumold.

    EFF filed a brief in January in a similar case in the Eighth Circuit Court of Appeals, and will be filing briefs in Playpen cases in the Third and Tenth Circuits in March. Some trial courts have upheld the FBI’s actions in dangerous decisions that, if ultimately upheld, threaten to undermine individuals’ constitutional privacy protections over information on personal computers. 

    “These cases will be cited for the future expansion of law enforcement hacking in domestic criminal investigations, and the precedent is likely to impact the digital privacy rights of all Internet users for years to come,” said Andrew Crocker, EFF Staff Attorney. “Recent changes to federal rules for issuing warrants may allow the government to hack into thousands of devices at a time. These devices can belong not just to suspected criminals but also to victims of botnets and other hacking crimes. For that reason, courts need to send a very clear message that vague search warrants that lack the required specifics about who and what is to be searched won’t be upheld.”

    Source: FBI Search Warrant That Fueled Massive Government Hacking Was Unconstitutional, EFF Tells Court | Electronic Frontier Foundation


  • Why the Warrant to Hack in the Playpen Case Was an Unconstitutional General Warrant

    Should the government be able to get a warrant to search a potentially unlimited number of computers belonging to unknown people located anywhere in the world? That’s the question posed by the Playpen case, involving the FBI’s use of malware against over a thousand visitors to a site hosting child pornography. The prosecutions resulting from this mass hacking operation are unprecedented in many ways, but the scope of the single warrant that purportedly authorized the FBI’s actions represents perhaps the biggest departure from traditional criminal procedure.

    The Need for Particularity

    Warrants are often considered the basic building block of the Fourth Amendment. Whenever the government seeks to engage in a search or seizure, it must first get a warrant, unless a narrow exception applies. In a previous post, we explained the significance of the Fourth Amendment “events”—several searches and seizures—that occurred each time the government employed its malware against visitors to Playpen.

    But simply calling something a warrant doesn’t make it a constitutionally valid warrant. In fact, the “immediate evils” that motivated the drafters of the Bill of Rights were “general warrants,” also known as “writs of assistance,” which gave British officials broad discretion to search nearly everyone and everything for evidence of customs violations. In the words of colonial lawyer James Otis, general warrants “annihilate” the “freedom of one’s house” and place “the liberty of every man in the hands of every petty officer.”

    As a result, the Fourth Amendment says exactly what a warrant has to look like in order to be constitutional: “no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

    These requirements—the demonstration of probable cause and the particular description—accomplish separate objectives, but both ultimately work to narrow the authority given to officers executing a warrant, ensuring they won’t go on fishing expeditions and will instead conduct only searches authorized by a neutral and detached magistrate. Probable cause is a notoriously nebulous concept, but it generally ensures that the government has significant evidence supporting its application for a search warrant. Meanwhile, the particularity requirement works to limit the scope of the warrant: law enforcement must tie the specific evidence they have to specific persons or places they want to search. But, critically, both elements must be satisfied for the warrant to be valid.

    As with other unconstitutional searches, courts deter the government from obtaining insufficiently particular search warrants by throwing out or “suppressing” evidence that results from searches under these warrants.

    Was the Playpen Warrant Constitutional?

    No. The warrant that the FBI obtained to install malware on computers visiting Playpen was astonishingly broad: it allowed the FBI to deploy the malware against any “activating computer,” defined as any computer logging into the site. The warrant and its attachments say nothing about whose computers these are or where they are located. Court documents reveal that the site had as many as 150,000 users, and that in the two weeks that the FBI operated the site and deployed its malware, the number of visitors subject to search was in the thousands. And when the FBI identified the visitors, they were located all over the country and indeed all over the world.

    The argument—advanced by EFF in amicus briefs in several Playpen cases—is that this warrant fails the Fourth Amendment’s particularity requirement:

    The Warrant here did not identify any particular person to search or seize. Nor did it identify any specific user of the targeted website. It did not even attempt to describe any series or group of particular users. Similarly, the Warrant failed to identify any particular device to be searched, or even a particular type of device. . . . Compounding matters, the Warrant failed to provide any specificity about the place to be searched—the location of the “activating computers.”

    As the Ninth Circuit Court of Appeals has explained, “Search warrants . . . are fundamentally offensive to the underlying principles of the Fourth Amendment when they are so bountiful and expansive in their language that they constitute a virtual, all-encompassing dragnet[.]” A warrant that authorizes the FBI to search a potentially unbounded number of users without specifying their locations or otherwise limiting the search is far closer to a “virtual, all-encompassing dragnet” than a specific, particularized warrant that satisfies the Fourth Amendment.

    Uncharted Territory

    The nature of the technology the FBI used in investigating Playpen puts the warrant in uncharted territory. As the noted professor of constitutional law and computer crime Orin Kerr writes, it’s a “serious question” whether searches conducted using the government’s malware pursuant to the Playpen warrant can be properly analogized to searches in the physical world.

    Even when compared to extreme examples of warrants that seem to push against the boundaries of the particularity requirement, the Playpen warrant is vastly less specific in its description. For example, some courts have authorized “all persons warrants,” which allow officers to search everyone in a specific place, in scenarios where simply being on the premises provides probable cause that the person is committing a crime. But these searches are tied to a physical location and thus provide spatial limitations on both the area to be searched and the number of people who can be present. No court we’re aware of has ever upheld an all persons warrant authorizing the search of even 100 people, let alone thousands. Similar limitations are involved in a “roving wiretap,” a type of warrant that authorizes electronic surveillance of specific individuals who may move from place to place. Roving wiretaps allow the government to follow these people as they use burner phones, for example, but the warrant must specify who will be subject to such a wiretap. No court would authorize a roving wiretap on unspecified persons because such a wiretap would be indistinguishable from a general warrant.

    Defenders of the Playpen warrant have described it as “anticipatory,” based on probable cause to believe that at some future time evidence of a crime will be found at a specific place. But anticipatory warrants require the government to demonstrate a likelihood that a “triggering condition” will occur in order to render the search valid. The Supreme Court has made clear that the government can’t get an anticipatory warrant to search every house in the country on the condition that a package containing contraband is delivered to the house; it has to demonstrate the likelihood that a specific house will receive such a package. The Playpen warrant does not demonstrate the likelihood of a specific user logging into the site, instead defining the activating condition as any user logging in. The result is a general search that can be executed on unknown computers in unknown places.

    Finally, it’s worth noting that the particularity requirement doesn’t mean the FBI is helpless to investigate serious crime occurring on hidden sites like Playpen and committed by users who take steps to hide their locations. As we described in an earlier post, the FBI took over the site’s server, enabling it to serve visitors with malware. But that also meant that the FBI had access to the server logs and a wealth of information about individual users (though the use of Tor would of course have obscured their public IP addresses). As a result, the FBI could have sought warrants to go after these individual users, describing their illegal activity on the site in a particularized way. This is more than just requiring the government to jump through hoops—it’s what stands between a constitutional, particularized search and precisely the type of generalized warrant the Fourth Amendment was designed to prevent.

    Source: Why the Warrant to Hack in the Playpen Case Was an Unconstitutional General Warrant | Electronic Frontier Foundation


  • The Playpen Story: Some Fourth Amendment Basics and Law Enforcement Hacking

    It’s an old legal adage: bad facts make bad law. And the bad facts present in the Playpen prosecutions—the alleged possession and distribution of child porn, coupled with technology unfamiliar to many judges—have resulted in a number of troubling decisions concerning the Fourth Amendment’s protections in the digital age.

    As we discussed in our previous post, courts have struggled to apply traditional rules limiting government searches—specifically, the Fourth Amendment, the Constitution’s primary protection against governmental invasions of privacy—to the technology at issue in this case, in some cases finding that the Fourth Amendment offers no protection from government hacking at all. That’s a serious problem.

    In this post, we’ll do two things: explain the Fourth Amendment “events”—that is, the types of searches and seizures—that take place when the government uses malware, explain how some of the courts considering this issue have gone astray (and some have gotten it right), and what all this means for our digital rights.

    Hacks, searches, seizures, and the Fourth Amendment

    The Fourth Amendment generally prohibits warrantless law enforcement searches and seizures. A Fourth Amendment “search” occurs when the government intrudes on an area or information in which a person has a reasonable expectation of privacy. A “seizure” occurs when the government substantially interferes with a person’s property or their liberty.

    As we’ve spelled out in an amicus brief filed in a number of the Playpen prosecutions, when the government hacks into a user’s computer, a series of significant Fourth Amendment searches and seizures occur:

    Each use [of the government’s malware] caused three Fourth Amendment events to occur: (1) a seizure of the user’s computer; (2) a search of the private areas of that computer; and (3) a seizure of private information from the computer.

    First, the government’s malware “seized” the user’s computer. More specifically, the execution of the government’s code on a user’s device “meaningful[ly] interfered” with the intended operation of the software: it turned a user’s computer into a tool for law enforcement surveillance. By hacking into the user’s device, the government exercised “dominion and control” over the device. And that type of interference and control over a device constitutes a “seizure” for Fourth Amendment purposes.

    Next, the government’s code “searched” the device to locate certain specific information from the computer: the MAC address, the operating system running on the computer, and other identifying information. In this instance, where the search occurred is central to the Fourth Amendment analysis: here, the search was carried out on a user’s personal computer, likely located inside their home. Given the wealth of sensitive information on a computer and the historical constitutional protections normally afforded people’s homes, a personal computer located within the home represents the fundamental core of the Fourth Amendment’s protections.

    Finally, the government conducted a “seizure” when its malware copied and sent the information obtained from the user’s device over the internet and back to the FBI. (As an aside, it was sent unencrypted—but more on that in a later blog post about the evidentiary issues arising from these cases.) For its part, the government doesn’t even contest that the copying of this information is a seizure: it described that information as the “information to be seized” in the warrant.

    Law enforcement deploying malware against a user in this way should, from a constitutional perspective, be understood the same way as if the search were carried out in the physical world: a police officer physically taking a computer away, looking through it for identifying information, and writing down the information the officer finds for later use. 

    Fourth Amendment principles meet digital dissonance

    In the physical world, courts would have no problem recognizing the Fourth Amendment consequences of law enforcement physically seizing and searching a computer. Yet, the Playpen cases, and the relatively unfamiliar technology at issue in them, have complicated the application of settled Fourth Amendment law.

    Some courts have held that the Fourth Amendment was not implicated by the government’s malware, incorrectly focusing on the information obtained from the search—critically, the IP address—and not how and where the searches and seizures occurred. Those courts have relied on a separate line of cases that held that, when the government obtains an IP address from an ISP or other third party, the user lacks a reasonable expectation of privacy in the IP address, precisely because it was in the hands of a third party.

    Even if we agreed with that precedent (generally, we don’t), it has no application to the Playpen cases. The government didn’t obtain the IP address and other information from a third party: it got it directly from searching and seizing the user’s device. As one court correctly held:

    The government is not permitted to conduct a warrantless search of a place in which a defendant has a reasonable expectation of privacy simply because it intends to seize property for which the defendant does not have a reasonable expectation of privacy. For example, if [the defendant] had written his IP address [] down on a piece of paper and placed it on his desk in his home, the government would not be permitted to conduct a warrantless search of his home to obtain that IP address. The same is true here.

    As we wrote before, one court went so far as to say that the defendant had no reasonable expectation of privacy—and, thus, no Fourth Amendment protection—in a personal computer, located within a private home, because it was connected to the Internet. Personal computers inside the home should receive the greatest Fourth Amendment protection, not none at all, so it was deeply concerning to see a judge reach that conclusion.

    Essentially, that court held that software vulnerabilities are akin to broken blinds in a person’s house, which allow the government to peer in and see illegal activity—an investigative technique that, although creepy, does not require a warrant. The court held that “Government actors who take advantage of an easily broken system to peer into a user’s computer” are essentially peering in through the digital equivalent of broken blinds.

    Setting aside the difference between looking in a window from the street and actively hacking a computer, tying the protections of the Fourth Amendment to the relative strength of security measures sets a dangerous precedent. Many (if not most) physical security features, like a lock on a door, are easily defeated, yet no court would conclude that the government can warrantlessly search a home, simply because the lock could be picked.

    What these decisions mean for the law of government hacking

    There’s cause for concern about these decisions, but it’s not quite time to panic.

    The legal rules that could ultimately flow from decisions, like those described above—that the government may warrantlessly search an electronic device so long as it is only obtaining information that, in other contexts, has been disclosed to a third party; or that the government’s ability to warrantlessly search devices is checked only by their technological capacity to do so—are very bad for privacy, to say the least.

    Fortunately, the decisions so far have all been at the district court level. That means that although another court might consider the decision persuasive, the decisions do not establish legal rules that other courts or the government must follow. It will be critically important to watch these cases on appeal, though. Decisions of the federal courts of appeals and the Supreme Court are binding on other courts and the government, so the rules the Playpen cases generate on appeal will create lasting legal rules.

    Nevertheless, the cases are still creating a body of troubling decisions in an area that, until now, was relatively lightly covered in the federal courts, creating a kind of bedrock layer of precedent for government hacking. Before the Playpen prosecutions, only a handful of decisions involving government hacking existed; when these cases are all said and done, there may be a hundred. That makes it all the more critical that we get these cases right—and set the right limits on government hacking—at the outset.

    Source: The Playpen Story: Some Fourth Amendment Basics and Law Enforcement Hacking | Electronic Frontier Foundation