FBI Mass Child-Porn Hack Ruled Illegal on a Technicality

When the FBI hacked over 1,000 computers to ensnare consumers of child pornography early last year, its actions were illegal, a federal judge ruled Wednesday.

But the decision was based on a violation of jurisdictional rules, not constitutional ones — and precisely the jurisdictional rules the government hopes the Supreme Court will change within the next few weeks.

In this case, a magistrate judge approved a warrant allowing the FBI to deploy malware to infect every visitor to a child-porn website called Playpen. Because users of the site were using Tor, a popular anonymity tool, the FBI couldn’t figure out who they were or where they were coming from — until the malware revealed their IP addresses.

Judge William Young of the U.S. District Court in Boston ruled that the FBI’s search of Playpen visitor Alex Levin’s computer — located in Massachusetts — was unlawful because the magistrate judge who issued the warrant was in Virginia. According to Rule 41 of federal criminal procedure, magistrate judges can’t authorize a warrant outside their geographical jurisdiction.

The Department of Justice is seeking to change that rule, but it hasn’t happened yet. “The government knew they had problems with Rule 41, and they didn’t wait for those changes to be approved. They went ahead with a mass hack,” Chris Soghoian, principal technologist for the American Civil Liberties Union, told The Intercept.

Government lawyers two years ago began the multi-stage process of changing the rule to allow judges to grant warrants for remote searches of computers located outside their district or when the location is unknown. Despite angry protests from civil liberties advocates and technologists, including the ACLU and Google, who described it as a power grab by the FBI to be able to conduct mass hacks with impunity, the rule change was approved by several judiciary panels, and is widely expected to be approved by the Supreme Court any day now. Congress has six months to modify or reject it, or else it will take effect.

“This is a serious, complicated issue that Congress needs to consider quickly, to ensure our laws are keeping up with technology,” Sen. Ron Wyden, D-Ore., said in a statement emailed to The Intercept. “The solution is not to allow an obscure bureaucratic process to vastly expand the government’s surveillance powers. This requires serious public debate, to guarantee there are strong safeguards and oversight when it comes to government hacking.”

Just this week, members of Congress first started asking substantive questions of the FBI about “lawful hacking” and the dynamics of getting around encryption by exploiting devices rather than trying to ban unbreakable encryption altogether.

The government’s takeover of the child-porn site also risks becoming a greater source of controversy. Soghoian said the government’s decision to keep the site running, rather than shut it down immediately, allowed hundreds of thousands of people to share and distribute new hurtful images while the FBI only caught a small percentage with its malware.

In his ruling, Judge Young compared the practice to the FBI selling drugs — not just pretending to — in order to catch drug dealers. “The judge clearly is not happy about the government operating a child-porn site,” said Soghoian.