Arguments were heard in an appeals court on Wednesday involving a controversial government hacking case in which the FBI participated in the distribution of child pornography. This is the most recent legal test of the FBI’s ability to hack any computer, anywhere.
In February 2015, the US Federal Bureau of Investigation seized control of a server located in North Carolina used at the time to host a forum where thousands of dark net users traded photos and videos of children being sexually abused. The website wasn’t immediately shut down. Instead, for roughly two weeks, the FBI maintained the website while it conducted a massive hacking operation, resulting in hundreds of criminal cases.
More than 23,000 sexually explicit images and videos of young children were shared on the website after the FBI seized control, according to court filings. Some of the children depicted were barely old enough to attend kindergarten, the Justice Department has said.
The obvious cost of this operation is that, while the FBI maintained this website — revoltingly titled “Playpen” — it was also technically aiding in the circulation of child pornography. However, the FBI argues this is ultimately justified by the arrests of hundreds of alleged paedophiles.
At the time of the seizure, Playpen is said to have had roughly 215,000 users worldwide. In August, the FBI was accused by one defendant (a former Playpen administrator) of not only running the website, but improving its performance.
That the FBI did not immediately shut down the forum, but instead kept it running for 13 days, has been deservedly scrutinised by digital rights groups, and in the press. “If the government is going to break the law in order to enforce it, it must justify how any resulting benefits outweigh any harms,” Elizabeth E. Joh, a law school professor, wrote in the New York Times last January. “When the government participates in the distribution of contraband,” she said, “it has little control over who will use those illegal guns, drugs or child pornography, and little ability to protect victims from these harms.”
The subject of Wednesday’s hearing, however, involves a separate issue, but one which has equally far-reaching consequences: The FBI, which targeted as many as 8000 devices internationally, carried out its entire hacking campaign after obtaining only a single warrant. Should the court determine that the FBI’s actions were lawful, it is likely to repeat this tactic in the future, and perhaps in cases not centred around the distribution of child pornography.
In court on Wednesday, attorneys at the Electronic Frontier Foundation (EFF) argued that, even taking into consideration the hellish nature of the allegations facing the accused, the FBI, too, violated the law and the US Constitution.
Before the US Court of Appeals for the First Circuit, EFF Attorney Mark Rumold asserted that the government’s use of malware to remotely attack computers, which were “located in unknown places, in states across the country, in countries across the world”, vastly exceeded the scope of agency’s authority. “No court,” he said, “would seriously consider a comparable warrant in the physical world. A warrant that authorised the search of hundreds or thousands of homes, without identifying specific buildings or specifying where the buildings were located, would be rejected out of hand even if those searches were limited to identifying the person residing there.”
In the EFF’s view, the sheer breadth of the FBI’s cyberattack indicates that it did not meet the “particularity” required of the Fourth Amendment, under which Americans’ rights against unlawful search and seizure are protected. The warrant, “which did not describe any particular person or place,” Rumold wrote, was, therefore, invalid.
What’s more, EFF attorneys argue that the FBI’s warrant is invalidated by the fact that the bureau acted outside its capacity: The malware it spread to identify Playpen’s users is not the same as the installation of a device to track a target’s location — which is what the warrant actually authorised.
In its amicus brief, which was filed alongside the ACLU of Massachusetts, the EFF states that, although the information seized “may ultimately have assisted the FBI in identifying a particular user”, what it obtained offered little in the way of helping the bureau locate the suspects. Even in cases where the FBI was able to assess a user’s IP address, that information alone is not enough to identify the user’s location. “In this investigation,” Rumold said, “it was generally only after the FBI took additional investigative steps that any reliable information related to location was actually obtained.”
Moreover, the EFF takes issue with the fact that the FBI’s malware — what it refers to euphemistically as a network investigative technique (NIT) — was not installed within the jurisdiction of the authorising court, in the Eastern District of Virginia, but rather in other jurisdictions where the accused actually reside. The government’s argument is that the suspects made a “virtual trip via the Internet to Virginia”, but even if that’s true, the FBI’s malware did not take effect until after it reached the defendants’ homes.
The case also has bearing on international law. Many of the computers hacked by the FBI were located in foreign countries, some of which may have treaties with the US restricting how authorities may collect electronic evidence against its citizens — an issue the appellate may be sensitive to, even if the FBI is not.
In an interview with Gizmodo following the hearing, Rumold said it wasn’t immediately apparent which way the court was leaning. “I think they definitely believe some type of violation occurred,” he said, but whether or not it was a violation of criminal procedure, or a Fourth Amendment violation, remains unclear.
It may be several months, he said, before a decision is reached.