The Electronic Frontier Foundation isn’t known for shying from its principles, even in the most controversial of debates. Take, for instance, the FBI’s use of “Network Information Technique” malware to decode the IP addresses of Tor browser users logging into the child porn site Playpen. In the EFF’s estimation, warrants to deploy NIT allow the “type of sweeping authority” the Fourth Amendment “was designed to precisely prevent.”
I recently caught up with EFF attorney Andrew Crocker to discuss the controversy and how it fits into a recent decision from the U.S. Court of Appeals for the Ninth Circuit deeming a NIT warrant unconstitutional, but allowing the evidence to be used on the basis that investigators were operating in good faith by assuming their actions were legal. Here’s some of the highlights from our chat.
What’s the implication of the Ninth Circuit joining other appellate courts in basically agreeing that the FBI’s NIT warrant was unconstitutional but OKing it on good faith?
The greater implication is the message it sends to the government. By that, I mean the government has indisputably violated Rule 41 [of the Criminal Rules of Civil Procedure] and the Constitution thousands of times with this single warrant to do these NIT searches. And the message sent by the Ninth Circuit and other courts that have reached similar conclusions is, “That’s totally fine. You can do similar kinds of violations around the edges, as long as you sort of immunize it after the fact it’s totally cool.” That’s really inconsistent with the idea of the Fourth Amendment. It’s sort of like saying to the government, “You’ve done everything wrong but came to the right conclusion, so don’t make the same mistake again.” But the government has no impetus to actually change the way they operate.
Tell us a bit why these NIT warrants are so inherently controversial.
The core of why it’s controversial is it’s a single warrant to search an unbounded number of computers, and not only is it unbounded in number, it’s not bounded in terms of who the people are. The only criterion that’s used to authorize the search in the warrant is [someone visits] a website. And there are certainly arguments back and forth in these cases about whether that’s the best that the government can do, or the whole idea that people visiting these websites are taking steps to remain anonymous. And that’s true but, in this [Ninth Circuit] case at least, the government controlled the website, controlled the Tor website, and so they had a lot more info at their disposal and at least arguably could have done a lot more to limit the terms of who they were searching.
So because the government was sending these users NIT code, controlling the servers, the approach they took with the warrant was questionable?
Yeah, they were acting as a site administrator, even though the way Tor works, they didn’t have the IP addresses of the visitors themselves. Because they were going through Tor, they had usernames, they could see how active each user was, had a warrant to monitor chats on the site. So they may have had a lot of identifying info about these users even though they didn’t have their IP addresses.
Is there any way to address what you see as problems with the NIT warrant? Could the FBI have done something differently?
I would say this—they did get a warrant, and by doing that acknowledge it’s an invasive search, and they have to satisfy the Fourth Amendment, and that’s a right because your computer is a private space and the government can’t just search. The main problem here is the expansiveness of what that warrant authorized. I think they could have proceeded in a more measured, piecemeal approach. They wanted to go after everyone at once. And I understand why that is, but that’s very much in tension with how the Fourth Amendment works.
And leaving little recourse for those being prosecuted.
Their challenge has been to the breadth of the warrant. And courts aren’t particularly interested in looking at it. And I think that’s a mistake.
Where are some other instances where this warrant is in question?
Probably a lot we don’t know about, because so much of this happens under seal. We’ve seen the government use NITs in a variety of cases, and one thing that’s sort of interesting is they’re not always this broad. They’re deployed against a single person and at least some larger effort is taken to identify who the target is going to be. And the way it’s deployed goes along with that.
I’ve seen cases where it’s sent in an email or a phishing link that the defendant target is manipulated into clicking on, and so there’s reason to believe that targeted person clicking is going to be the person the FBI is actually investigating. I don’t want to say that’s totally cool. There’s at least one other case where a judge has said that’s problematic because if you send it in an email you don’t know who is using the address. Maybe it’s more than one person, maybe the account has been hijacked. So maybe you have an innocent victim and the target of the investigation using the same email account. So there might still be problems, but it’s still clearly more limited in this case.