Warrant For FBI's Hacking Technique Makes No Mention Of Hacking Or Malware

from the just-a-big-ol'-auto-scoop,-but-delivered-secretly dept

Motherboard has obtained a copy of the warrant used by the FBI to deploy its NIT (Network Investigative Tool) to obtain information about visitors to child porn site "Playpen." This site was seized by the FBI and left running for two weeks while it gathered information.

The prosecutions tied to this investigation have been interesting, to say the least. The FBI's short run as child porn site hosts received a judicial shrug -- something courts have done in the past when confronted with disturbing government behavior in service of combating crime. These prosecutions have also led to the government arguing -- and the court echoing -- that Tor users have no expectation of privacy, as sooner or later, everything comes down to an IP address.

The warrant itself is slightly redacted, but that's hardly a surprise. More surprising is the fact that it has been released at all, as the FBI usually argues for the sealing of documents related to its investigations, especially in cases where law enforcement tech and methods are discussed.

As far as the details contained within, most of what's known about the FBI's NIT has already been discussed. As Motherboard's Joseph Cox points out, there are a few interesting aspects to the warrant request. For one, it makes it clear the FBI will be running a child porn site for the duration of the "search."

“While the TARGET WEBSITE operates at a government facility, such request data associated with a user's actions on the TARGET WEBSITE will be collected,” the affidavit, signed by Douglas Macfarlane, an FBI special agent, reads.

While the document claims the FBI has no other way to ascertain the IP addresses and locations of users connecting to the website, it also goes light on the details of what it plans to do. The NIT is discussed in terms of what it's capable of gathering, but the document goes very, very light on technical details. Nowhere in the document does the FBI refer to its NIT in terms more applicable to its function, like "malware," "spyware" or "hacking." The FBI describes its NIT this way:

In the normal course of operation, websites send content to visitors. A user's computer downloads that content and uses it to display web pages on the user's computer. Under the NIT authorized by this warrant, the TARGET WEBSITE, which will be located in Newington, Virginia, in the Eastern District of Virginia, would augment that content with additional computer instructions. When a user's computer successfully downloads those instructions from the TARGET WEB SITE..., the instructions, which comprise the NIT, are designed to cause the user's "activating" computer to transmit certain information to a computer controlled by or known to the government. That information is described with particularity on the warrant (in Attachment B of this affidavit), and the warrant authorizes obtaining no other information. The NIT will not deny the user of the "activating" computer access to any data or functionality of the user's computer.

This lack of details could be problematic.

Critics are worried that the language of NIT applications is too vague for judges to grasp what exactly it is they are authorizing; the words "malware" or "hacking" are never used, for example. (Magistrate Judge Theresa C. Buchanan, who signed off on the NIT, has repeatedly declined to answer questions from Motherboard.) The NIT was used to access computers in the US, Greece, Chile, and likely elsewhere.

Speaking of foreign nations, the FBI apparently had some outside assistance in this case.

In December of 2014, a foreign law enforcement agency advised the FBI that it suspected IP address 192.198.81.106, which is a US-based IP address, to be associated with the TARGET WEBSITE. A publicly available website provided information that the IP Address 192.198.81.106 was owned by [REDACTED] a server hosting company headquartered at [REDACTED] Through further investigation, FBI verified that the TARGET WEBSITE was hosted from the previously referenced IP address. [...] Further investigation has identified a resident of Naples, FL, as the suspected administrator of the TARGET WEBSITE, who has administrative control over the computer server in Lenoir, NC, that hosts the TARGET WEBSITE.

The fact that documents from sealed cases related to the FBI's Playpen investigation are being released publicly shows that even opposed forces can sometimes arrive at the same plan of action, even if their motivations are completely different.

In Washington, the lawyer for a defendant captured with the assistance of the FBI's NIT is hoping to put the FBI's apparent overreach on display by requesting the unsealing of documents. The FBI, on the other hand, isn't putting up much of a fight to keep these sealed. The affidavit in this related case contains graphic descriptions of child porn images found on the site. People who generally don't believe the ends justify the means often make exceptions for more heinous criminal activity like this. The public outing of sealed docs could persuade fence-sitters to come down on the side of the FBI, even if the agency's use of NITs is hardly limited to cases involving crime the public overwhelmingly finds completely repugnant.


Reader Comments
  • Anonymous Coward, 10 Mar 2016 @ 8:49am

    The constraints of the Constitution

    The bill of rights were not created to grant people the rights listed, they were created to constrain the government from acting however it wishes. The ends never justify the means when it involves trampling of rights. The bloating ghost of the US government that is still using the name today is nothing at all like the original.

    • Anonymous Coward, 10 Mar 2016 @ 8:58am

      Re: The constraints of the Constitution

      Well said, unfortunately a lot of people know nothing of how this all is supposed to work.

      Bill of Rights is a 100% absolute denial of Government creating laws on those subjects.

      The remainder of the Constitution is a 100% absolute dictation of the Power granted to various areas of the government, and if a power is not enumerated then it is a power they DON'T HAVE!!!!

      Organizations like the FBI, EPA, or FCC do not have the power to create rules like they do now, only Congress can and to some limited degree the Executive Branch.

      • Anonymous Coward, 10 Mar 2016 @ 11:27am

        Re: Re: The constraints of the Constitution

        ...Organizations like the FBI, EPA, or FCC do not have the power to create rules...

        The FBI doesn't have rule making authority but EPA and FCC sure as hell does. Congress enacted legislation granting these agencies - and others - rule making authority years ago. Look at any US Code for the phrase "promulgate rules", "promulgation", or anything similar and there's your authority. Take a look at the Federal Register sometime; be prepared to have your brain go numb!

  • Anon, 10 Mar 2016 @ 9:20am

    Maybe, but...

    It may be reprehensible that the FBI runs a porn site in this case, but I'm going to give them my rare benefit of the doubt. I'm sure undercover officers are called upon to do all sorts of "interesting" things - whether selling actual drugs, or standing by while drug use or prostitution or even violence happens to victims, so as to not blow their cover.

    In this case, they did nothing that was not already being done - no evidence they added to the site with new content; indeed, the article does not mention it, but I assume there might be an upload option, so in fact they would be collecting incriminating evidence from more participants.

    Using (or not using) the words malware or hacking simply puts loaded words into the mix. The FBI does not disguise the fact their "NIT" is downloaded by the participants, and I doubt even a Jurassic judge would not assume this download happens with full consent and knowledge by the subject of what the NIT is and what it does. Of course it's surreptitious.

  • Anonymous Coward, 10 Mar 2016 @ 9:34am

    I am more concerned about them getting off scot-free for knowingly distributing child pornography.

    One law for you and another law for me is not healthy for long term stability.

    • Anonymous Coward, 10 Mar 2016 @ 9:57am

      Re:

      I think what you're saying is that you're concerned about there being no repercussions for the FBI knowingly distributing child pornography. That's a good point. However, the court exempted them from these when asked to, because they claimed it was necessary in order to identify those who had already been receiving the child pornography.

      What this article is about is the other issue: they also distributed malware, which is ALSO illegal, and they never really asked the court for an exemption here. Their request basically said "we're going to be adding some other instructions into what gets downloaded, but don't worry -- we're not installing ransomware on the victim's computers, we're only gathering additional information."

      • Anonymous Coward, 10 Mar 2016 @ 10:59am

        Re: Re:

        That's a good point. However, the court exempted them from these when asked to, because they claimed it was necessary in order to identify those who had already been receiving the child pornography.

        How did they limit it to only "those who had already been receiving the child pornography"? I bet they didn't. I bet they created and Hoovered up as many first offenders as they could as well.

  • SpaceLifeForm, 10 Mar 2016 @ 10:44am

    Picking a NIT

    It is javascript via ad-servers.

  • Adam (profile), 10 Mar 2016 @ 11:01am

    ...too wide.

    Having never used whatever this is (I guess it's called Tor), or knowing exactly how it creates anonymity for anyone, it would seem to me that by reading the document that one could not have deciphered exactly what they might be visiting by visiting the url listed as the site.

    While I'm sure there were plenty that intended to visit that url it seems as equally logical that there were others who had no intention to view that content and ended up there simply because they clicked a link that they could not have previously known what it might contain... of which most probably closed it immediately.

    I wonder how many knocks came at the doors of those people and got swept up in something that otherwise would have gone unnoticed... but the gov doesn't accept "accident" or "unintentional" as a reason anymore.. Guilty until proven innocent.