District court judge: FBI's hacking trick does not require warrant
A U.S. District Court judge has ruled that the FBI did not need a warrant to execute the online hacking technique that it employed against users of the Playpen child pornography site.
A U.S. District Court judge in Eastern Virginia presiding over a child pornography criminal trial has sided definitively with U.S. law enforcement in ruling that investigators do not need a warrant to remotely hack into suspects' computers.
Judge Henry Coke Morgan Jr. last week publicly unsealed a ruling that he issued earlier this month in the case of United States v. Matish – one of numerous prosecutions against alleged users of the Playpen child porn website on the Tor network. In his court order, Morgan Jr. compared the FBI's use of a “network investigative technique” (NIT) to identify Playpen visitors' IP addresses with the act of a police officer “peering through broken blinds,” borrowing an old turn of phrase by Supreme Court Justice Stephen Breyer to convey a scenario in which warrants are not required.
As it so happens, a warrant was issued during the investigation, but the defense argued that the process was flawed. Morgan Jr. disagreed, ruling that the warrant was properly and appropriately executed, and denying the defense's request to suppress the evidence on a variety of grounds. At that point, the judge went further, declaring that the warrant was unnecessary in the first place because defendant Edward Joseph Matish had no reasonable expectation of privacy concerning either his IP address or his personal computer.
The judge explained that IP address data is already shared with third parties such as ISPs and, in the case of Tor, anonymous node operators, and therefore such information is fair game for authorities.
“Presumably, one using the Tor network hopes for, if not possesses, a subjective expectation of privacy in his or her identifying information… However, such an expectation is not objectively reasonable in light of the way the Tor network operates,” wrote Morgan Jr. in his decision.
Nor did Matish have a reasonable expectation that his own computer was off-limits, the judge continued. Calling it a “virtual certainty that computers accessing the Internet can and eventually will be hacked” due to the pervasiveness of cybercrime, Morgan Jr. argued that computer owners can no longer reasonably expect to maintain their privacy online. He also noted that the FBI grabbed only a very limited set of data that did not include any actual content stored on the machine. (Only later did the FBI seize content off the computer after they were able to identify Matish and then obtain yet another warrant.)
In summation, “A computer afforded Fourth Amendment protection in other circumstances is not protected from government actors who take advantage of an easily broken system to peer in to a user's computer,” wrote Morgan Jr., adding, “The government should be able to use the most advanced technological means to overcome criminal activity that is conducted in secret….”
Mark Rumold, a senior staff attorney at the Electronic Frontier Foundation (EFF), which earlier filed an amicus brief in the case, assailed the ruling. “The implications for the decision, if upheld, are staggering: law enforcement would be free to remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all,” wrote Rumold on the EFF website. “To say the least, the decision is bad news for privacy. But it's also incorrect as a matter of law, and we expect there is little chance it would hold up on appeal.”
In another key aspect of the ruling, Morgan, Jr. asserted that the local magistrate who issued the initial warrant for the NIT was within her rights to do so and did not exceed her authority under Rule 41(b) of the Federal Rules of Criminal Procedure.
Other courts have disagreed, arguing that a higher-ranking judge should have issued the warrant because most of the alleged criminals nabbed in the FBI's Playpen sting were located outside of the magistrate's local jurisdiction, all across the country.
Morgan Jr. was unmoved by such arguments, explaining that Playpen users, regardless of their computer's physical location, made a “virtual trip via the Internet to Virginia” -- where the FBI was hosting its online sting operation -- when logging in to Playpen. Furthermore, Matish and his computer were based in Virginia anyway, placing him within the jurisdiction of the magistrate, Morgan Jr. continued.
The judge also ruled that there was no merit to the defendant's motion to review and analyze the complete NIT in order to determine if the technique compromised his computer in a manner that perhaps allowed a third-party to download porn on Matish's computer.
Finally, Morgan Jr. weighed in on the debate as to whether the NIT employed by the FBI fits the definition of malware, despite this controversy having little bearing on the case itself. The judge agreed with earlier testimony from FBI special agent Daniel Alfin, who argued the coding should not be deemed malware because it's intent was not malicious in nature.
Morgan Jr. said “perhaps malware is a better description for the program through which the provider of the pornography attempted to conceal its distribution of contraband over the Internet than for the efforts of the government to uncover the pornography.”