Even the Wild West needed a sheriff. And today’s law enforcement agents, to be effective, need more than a Colt .45 and a gold star. Criminal actors have an increasing ability to commit serious crimes remotely via computers, while concealing their identity and location through the use of various means, including Tor hidden service protocols. To effectively identify and apprehend these criminals, law enforcement must be nimble and technologically savvy, and must employ regularly updated investigative tools. These tools include Network Investigative Techniques (NITs), which enable law enforcement (pursuant to court-authorized warrants) to identify the real IP address of web users, regardless of proxy settings. Some NITs also reveal users’ operating systems, CPU architecture, and session identification, and others (pursuant to a Title III or FISA warrant) can allow real-time, full-system monitoring.
There has been some level of controversy recently regarding the FBI’s use of NITs. But as criminals evolve and become increasingly sophisticated through the use of Tor and encryption techniques, so too must law enforcement’s investigative measures evolve, provided they are employed in accordance with lawful procedures and adequate constitutional safeguards.
It was through a NIT that the FBI, in 2015, was able to successfully take down one of the largest dark web child exploitation sites in the world, to apprehend child predators. The site, disturbingly named “Playpen,” provided thousands of pedophiles with images of horrifying sexual abuse of children, as well as guidance on how the molesters could avoid being detected. The Playpen site is reported to have had as many as 215,000 accounts within the first year, and an average of 11,000 unique visitors per week. The FBI, pursuant to a court order, seized the web host server in North Carolina and, rather than shutting it down immediately, ran it under FBI control for a limited, two-week period. During that time, the FBI used a NIT, which exploited a security vulnerability in the Tor Browser Bundle, to identify more than 1,300 true IP addresses. Notably, this was done pursuant to a court order and warrant. The FBI had similar success in its “Operation Torpedo” in 2012, when it seized control of three child exploitation sites on the Dark Net and used a “Metasploit Decloaking Engine.” There, the NIT used an Adobe Flash application to send the users’ real IP addresses back to the FBI server, rather than having them routed through the Tor network, which would have provided a cloak of anonymity. This reportedly enabled the FBI to identify 25 users of the child exploitation site in the United States, and more users overseas.
Critics of these tactics call this an “extraordinary expansion of government surveillance and use of illegal search methods on a massive scale.” But it is no such thing. This is the technological equivalent of covert operations that the FBI and other law enforcement agencies have conducted — with court oversight and approval — for decades. For example, court-authorized warrants can be used to search email accounts, a home, or an office, while Title III wiretaps can allow for real-time monitoring of telephones, email accounts, and meeting places, including, for example, using keystroke loggers to monitor correspondence and online activities, or placing hidden video cameras in a room where a number of people convene to conduct illicit transactions. These search and surveillance methods are not illegal. They are carried out pursuant to long-tested laws allowing court-authorized law enforcement searches and real-time surveillance. To obtain a warrant for real-time access to a server, computer, or email account, the government is required to establish, to a court’s satisfaction, that there is probable cause that the facility is currently being used to commit a specified predicate offense, and that the evidence could not be obtained through any less intrusive available means.
There is no need to update the law to enable the FBI and other law enforcement to conduct court-authorized surveillance in real-time through NITs. Laws currently on the books, including Rule 41 of the Federal Rules of Criminal Procedure, the Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA) allow for this type of law enforcement surveillance, all with judicial oversight. More on federal statutes governing wiretapping and electronic eavesdropping is available here.
Naysayers attack prosecutors and agents for not properly revealing, and educating judges on, the techniques available when these warrants for searches or real-time surveillance of computers are authorized. They thereby also criticize judges for not being sufficiently technologically savvy to ask the right questions when determining whether to approve the applications for seizure and wiretap warrants. Such claims are only superficially an attack on the FBI’s use of NITs. Instead, those arguments, in essence, are an unsupported and misinformed attack on the judicial system, and on our judges and prosecutors who operate within that system.
To do its job effectively, law enforcement is, or should be, empowered to use legally available means to identify, investigate, and apprehend criminals, including those operating online under a mask designed for anonymity. To obtain a search warrant or a tracking-device warrant pursuant to Rule 41, the government is required to show, to a court’s satisfaction, that there is probable cause that evidence of a crime is located at the premises to be searched, or would be obtained (or a person identified) via the tracking device. A warrant for real-time surveillance pursuant to Title III, because it is more intrusive, requires a higher standard, including showing to the court’s satisfaction that less-intrusive means are not available to obtain the evidence needed. Prosecutors seeking a Title III wiretap also must comply with other controls and oversight, including approval at Main Justice in DC before the Assistant US Attorneys can present their application to a federal judge for her review and approval.
In the Playpen takedown, the FBI’s conduct was proper pursuant to a search warrant (rather than a Title III wiretap) because the FBI sought only to identify the targets who visited the child exploitation website, and was not remotely accessing targets’ computers or otherwise interfering with system operability; the FBI also did not permanently install malware on the computer or transmit information regarding the content on the computer.
It was also proper, under Rule 41, to use a single warrant to identify 1,300 pedophiles on the Playpen site. At the time of the warrant, the actual identity, quantity, and locations of targets were not known, but the warrant set forth in detail the deliberate way in which users would access the site. Therefore, it was sufficiently particular and specific to satisfy Rule 41. Also, the Playpen website existed for the sole purpose of child exploitation, and the FBI’s NIT was only triggered by users who proactively visited and attempted to log into the Playpen site. Under the circumstances, it would be neither necessary nor feasible to obtain a warrant for each individual user. What is sufficient is the fact that the site existed solely for the purpose of child exploitation, users took deliberate and specific steps to access the site, and, therefore, there was sufficient probable cause to obtain the IP address and other identifying information of those who sought to access the site.
Critics of the FBI’s use of covert surveillance to investigate and apprehend online criminals also express concern that these techniques can be used by nefarious government actors in various countries to conduct improper surveillance to curb and violate civil rights. Protecting civil rights and privacy from unlawful intrusions is a critical concern. But that is not the point here. Tying the hands of US law enforcement agents by sending them into the field with antiquated techniques and restricting their innovation in how they investigate crime is naïve and irresponsible. And it does nothing to prevent bad actors from bypassing the law and using those techniques, without judicial oversight and approval, to cross boundaries for oppression and illegal surveillance. ECPA and FISA mandate judicial oversight and approval for electronic surveillance; as long as law enforcement is operating properly within the bounds of the law, they should be encouraged to think creatively and adapt to developing technologies to do their jobs.
There is a persistent complaint by many that the government should be doing more to protect our cyber infrastructure, and to assist US citizens and companies who are personally vulnerable and whose networks and data are under constant threat of cyber criminals. To stay ahead of, or at least not too far behind, cyber criminals, we need law enforcement to be nimble, innovative, and proactive. That includes the use of NITs pursuant to court-authorized warrants.