The user’s online handle was “Pewter,” and while logged on at a website called Playpen, he allegedly downloaded images of young girls being sexually molested.
In order to uncover Pewter’s true identity and location, the FBI quietly turned to a technique more typically used by hackers. The agency, with a warrant, surreptitiously placed computer code, or malware, on all computers that logged into the Playpen site. When Pewter connected, the malware exploited a flaw in his browser, forcing his computer to reveal its true Internet protocol address. From there, a subpoena to Comcast yielded his real name and address.
Pewter was unmasked last year as Jay Michaud, a 62-year-old public schools administrator in Vancouver, Wash. With a second warrant, agents searched the suspect’s home and found a thumb drive that allegedly contained multiple images of children engaged in sex acts. Last July, Michaud was arrested and charged with possession of child pornography.
Michaud’s is the lead case in a sweeping national investigation into child porn on what is known as the dark Web, a universe of sites that are off Google’s radar where users can operate with anonymity.
As criminals become more savvy about using technology such as Tor to hide their tracks, investigators are turning to hacking tools to thwart them. In some cases, members of law enforcement agencies are placing malware on sites that might have thousands of users. Some privacy advocates and analysts worry that in doing so, investigators may also wind up hacking and identifying the computers of law-abiding people who are seeking to remain anonymous, people who can also include political dissidents and journalists.
“As the hacking techniques become more ambitious, failure in execution can lead to large-scale privacy and civil liberties abuses at home and abroad,” said Ahmed Ghappour, a professor at the University of California’s Hastings College of the Law. “It’s imperative that Congress step in to regulate exactly who and how law enforcement may hack.”
But Justice Department officials said that the government investigates crimes based on evidence of illegal activities. “When we obtain a warrant, it’s because we have convinced a judge that there is probable cause that we’ll be able to find evidence in a particular location,” said a senior department official, who spoke on the condition of anonymity under ground rules set by the department.
In the Playpen case, the government activated malware on a site with 215,000 members, as of last February, and obtained Internet protocol addresses of 1,300 computers. Out of that group, the government said it has charged 137 people.
“It’s a lot of people,” said Colin Fieman, a public defender in Tacoma, Wash., who is representing Michaud. “There never has been any warrant I’ve seen that allows searches on that scale. It is unprecedented.”
Michaud is arguing to have his charges dismissed on grounds that the government’s use of the tool violated the Fourth Amendment. Fieman argues that some people might have gone to the site seeking to express fantasies that, while repugnant, are legal. The site, he said, does not clearly advertise itself as devoted to child pornography.
He likened the government’s warrant to a “general warrant,” referring to the British practice during the Colonial era of allowing government searches without any individualized suspicion.
The judge in Michaud’s case is scheduled Friday to hear several motions that could result in the dismissal of charges against him.
“This is a gray area in the law,” said Thomas Brown, a former federal prosecutor in the Southern District of New York who has handled cases involving the use of hacking techniques. “It’s another instance where you’ve got technology outstripping the law.”
Fieman also said that rules established by the federal courts, grounded in constitutional principles, require that a warrant be deployed in the district in which it is issued — in this case, the Eastern District of Virginia. Michaud’s computer was in Vancouver.
But prosecutors argue that the technique is lawful and that, in general, a warrant may be issued even when the location to be searched is unknown, as long as there is probable cause that the search will turn up evidence of a crime.
“The Supreme Court has made clear that the Fourth Amendment . . . does not preclude use of warrants where the purpose of the search is to discover the location of the place to be searched,” said David Bitkower, then a deputy assistant attorney general, in a December 2014 letter to a federal courts committee weighing changes to the rule that governs how search warrants are issued.
In the Playpen case, the government argued that it had probable cause to search the computers of anyone who navigated to the site — whether one person or 10,000 people — on the grounds that the site was devoted to child porn and anybody who knew how to get to it probably did so with the intent to view the content. The site cannot be found through a Google search and can be reached only by users who know its exact, algorithm-generated Web address and are using special software that connects to the Tor network.
In such a case, “we have an obligation to investigate all 10,000 [people], not just one,” prosecutor Keith Becker told Judge Robert J. Bryan of the U.S. District Court for the Western District of Washington in December at a hearing in Tacoma.
The FBI seized Playpen last year, and after operating it for two weeks, shut it down. During those two weeks, according to court documents, it deployed what it obliquely calls a “network investigative technique,” or NIT, to capture the Internet protocol address of anyone who logged in on the website.
“In general, the Constitution doesn’t say that we have to stop investigating just because we need to use a computer technique to identify suspects rather than opening a letter or entering a private house,” said the senior Justice official. “The law doesn’t give online pedophiles immunity from court-authorized search warrants just because they’re using modern software.”
Fieman also argued that the government itself violated the law when it seized Playpen last year, then rather than shut it down immediately or find ways to reroute visitors, continued to operate the child-porn site.
“What the government did is comparable to flooding a neighborhood with heroin in the hope of snaring an assortment of low-level drug users,” Fieman said in a motion to dismiss filed in November.
Justice spokesman Peter Carr said that “at no time in an operation like this does the FBI post any images, videos or links to images of child pornography.” Any such postings are done by website users, not the FBI, he said. Also, he said, immediately shutting down a website would prevent law enforcement from identifying the offenders and frustrate efforts to identify and rescue child victims from abuse.
Without using the hacking technique, officials said, it would be very difficult to locate pedophiles who go to great lengths to hide their tracks.
The issue, said Ghappour, the law professor, is not the use of the malware per se, but “whether hacking warrants are written narrowly enough to guarantee that only those culpable set the trigger [to launch the NIT], and consequently get hacked,” he said. “Given the scale of these operations, the smallest mistake could result in hundreds, if not thousands, of privacy violations.”
Privacy advocates concerned about the government doing mass hacks point to the case of TorMail, an anonymous email service, now shuttered. TorMail, which despite the name is not affiliated with the group behind Tor, was used by a range of people, from criminals to dissidents and journalists.
In the summer of 2013, reports surfaced of people trying to log in to TorMail and finding a “down for maintenance” message instead, then finding suspicious-looking code included in the TorMail Web page. Security researchers who analyzed the code concluded that it was likely placed there by the FBI.
At the time, the government would not confirm that the bureau was behind the hack. This week, people familiar with the investigation confirmed that the FBI had used an NIT on TorMail. But, they said, the bureau obtained a warrant that listed specific email accounts within TorMail for which there was probable cause to think that the true user was engaged in illicit child-pornography activities. In that way, the sources said, only suspects whose accounts had in some way been linked to involvement in child porn would have their computers infected.
An FBI official who spoke under a similar condition of anonymity said the bureau recognizes that the use of an NIT is “intrusive” and should only be deployed “in the most serious cases.” He said the FBI uses the tool only against offenders who are “the worst of the worst.”
