Posted by Martin Zinaich on July 1, 2016.
Is there a reasonable expectation of privacy on the Internet?
A senior US district judge recently stated the technically obvious, but it may come as a shock to many. The FBI seized control of Playpen, a dark net website dedicated to child porn distribution (yes disgusting and good for the FBI). In building their case, the FBI utilized something known as “network investigative technique” (NIT) – which also included grabbing source IP addresses out of the TOR network.
The defense tried to get the FBI to reveal its code under discovery. Federal judge Robert J. Bryan ordered the FBI to hand over the TOR browser exploit code so that the defense could better understand how the agency hacked over 1,000 computers and if the evidence gathered was covered under the scope of the warrant.
However, Judge Henry Coke Morgan, Jr. ruled differently:
“the Court FINDS that Defendant has failed to show that the full NIT code specifically, the exploit – is material under Rule 16(a)(1)(E). Thus, the Court DENIES Defendant’s Motion to Compel Discovery, Doc.37. Additionally, even if the Court were to find that Defendant made a sufficient showing of materiality, the Court would not require the Government to disclose the full source code due to the law enforcement privilege.”
I guess there is no way the code is being released, no surprise. Nevertheless, the judge made a few other rulings that may invoke surprise. These rulings were made without deference to the child pornography crime, but in general terms:
“the Court FINDS that Defendant possessed no reasonable expectation of privacy in his computer’s IP address, so the Government’s acquisition of the IP address did not represent prohibited Fourth Amendment search”
“Generally, one has no reasonable expectation of privacy in an IP address when using the Internet.”
“Even an Internet user who employs the Tor network in an attempt to mask his or her IP address lacks a reasonable expectation of privacy in his or her IP address.”
These are facts as much as they are rulings. Yet, it does not stop there:
“b. Defendant Has No Reasonable Expectation of Privacy in His Computer”
“Thus, the Government’s use of a technique that causes a computer to regurgitate certain information, thereby revealing additional information that the suspect already exposed to a third party – here, the IP address – does not represent a search under these circumstances.”
“Therefore, the Government did not need to obtain a warrant before deploying the NIT and obtaining Defendant’s IP address in this case, so any potential defects in the warrant or in the issuance of the warrant are immaterial.”
We now seem to be stretching the law into uncomfortable contortions. And the final back bending ending…
“Hacking is much more prevalent now than it was even nine years ago, and the rise of computer hacking via the Internet has changed the public’s reasonable expectations of privacy.”
Oh really now? I can assure the judge that when I buy something online with a credit card over a SSL channel, I very much expect privacy regardless if someone has been able to break SSL 2.0, SSL 3.0 and TLS 1.0 encryption!
We presumably have a good and righteous case being prosecuted. We have some outstanding facts from a judge that every computer user and business need to understand. Then we have some very bad reasoning and overreach. I am no lawyer but I do understand there is a difference between Reasonable Expectation of Privacy when persons acting on behalf of a city, state, or federal government use it in connection with searches versus when a private citizen compromises the solitude or seclusion of another private citizen. What I am trying to figure out now is do the judge’s rulings protect hackers?Submitted in: Martin Zinaich |