In one of the many ongoing legal cases surrounding a dark web child pornography site, a judge has written that the FBI did not require a warrant to hack a suspect’s computer.
According to activists, the ruling could have serious implications for how law enforcement is able to conduct remote searches.
“The Court finds that no Fourth Amendment violation occurred here because the Government did not need a warrant to capture Defendant’s IP address,” Henry Coke Morgan, Jr., a senior United States District Judge, wrote in an opinion and order on Tuesday. He adds that the government did not require a warrant to extract other information from the suspect’s computer either.
Morgan, Jr. was ruling on a number of motions pushed by the defense of Edward Matish, who is charged with child pornography crimes. Matish wanted access to the full source code of the malware deployed by the FBI, and wanted evidence to be thrown out.
The case stems from the FBI’s investigation of child pornography site Playpen, which the agency took over in February 2015 and on which it deployed a network investigative technique (NIT)—read: malware—in an attempt to identify the site’s visitors.
Morgan, Jr. wrote that the warrant the FBI used to deploy the malware was above board, but he also took the rather extraordinary step of adding that a warrant would not have been necessary at all.
“The implications for the decision, if upheld, are staggering: law enforcement would be free to remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all,” Mark Rumold, senior staff attorney at the Electronic Frontier Foundation, wrote in a blog post on Thursday.
Some of the opinion hinges on IP addresses, and whether they are private and subject to the Fourth Amendment, or already public.
“Generally, one has no reasonable expectation of privacy in an IP address when using the internet,” Morgan, Jr. writes. This, he posits, is because we all voluntarily give up our IP addresses to third parties every day, such as internet service providers. And when it comes to Tor, users have to connect to and disclose their IP address to an initial node of the network.
This argument echoes that found in other FBI hacking cases, in which judges have written that suspects have no reasonable expectation of privacy when it comes to their IP address. It came up in another Playpen case, and also a case affected by Carnegie Mellon University’s Software Engineering Institute’s broad attack on the Tor network in 2014. But those judges didn’t go as far as to say that a warrant wasn’t necessary to hack a computer.
But the FBI’s malware actually grabbed more than just suspects’ IP addresses. It also beamed their username and some other system information to the FBI; information that is undoubtedly within a user’s computer—no two ways about it.
This doesn’t faze the judge either, who writes that the defendant “has no reasonable expectation of privacy in his computer,” in part because the malware collected a relatively limited amount of details.
“The NIT only obtained identifying information; it did not cross the line between collecting addressing information and gathering the contents of any suspect’s computer,” he writes.
“It seems unreasonable to think that a computer connected to the Web is immune from invasion,” Morgan, Jr. adds. “Indeed, the opposite holds true: in today’s digital world, it appears to be a virtual certainty that computers accessing the Internet can—and eventually will—be hacked,” he writes, and then points to a series of media reports on high profile hacks. He posits that users of Tor cannot expect to be safe from hackers.
Rumold from EFF added that “the decision underscores a broader trend in these cases: courts across the country, faced with unfamiliar technology and unsympathetic defendants, are issuing decisions that threaten everyone’s rights.”
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us, she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.