It was only a few months ago that everyone was privy to the ugly attempts of the FBI to force Apple to unlock an iPhone used by one of the San Bernadino terrorists. Those attempts were roundly—and deservedly—condemned by legal scholars as a tremendous and terrifying overreach. Here’s hoping that the legal community gets behind condemning this latest bit of awful technology-related legal news, in which a federal district court in Virginia ruled that it is fine if the government hacks your computer because someone else could hack it anyway (pdf).
Back in 2015, the FBI managed to seize a Tor server whose primary purpose was to allow users to disseminate child pornography anonymously.1 Rather than shutting the server down, the FBI kept it running and used it as a virtual honeypot. Eventually, the FBI hacked over 1000 computers that accessed the server. The hack scooped up IP addresses, which are of course public, but the FBI’s hacking tool also grabbed MAC addresses, the operating system the computer was using, and the computer’s host name.
These things may seem relatively benign at first glance, but there is a fundamental difference between those and an IP address: they all live inside a computer. By definition, the FBI is breaking into computers to get that information. Even in pursuit of a noble goal—catching individuals creating and trading child pornography—this is still troubling because it is a warrantless intrusion into someone’s computer. According to the federal district court for the Eastern District of Virginia, that’s really no problem at all because computers are hacked all the time. From Motherboard’s summary of the decision:
[The judge, Henry Coke Morgan, Jr. wrote] that the defendant “has no reasonable expectation of privacy in his computer,” in part because the malware collected a relatively limited amount of details.
“The NIT [which is what the FBI calls its hacking tools] only obtained identifying information; it did not cross the line between collecting addressing information and gathering the contents of any suspect’s computer,” he writes.
“It seems unreasonable to think that a computer connected to the Web is immune from invasion,” Morgan, Jr. adds. “Indeed, the opposite holds true: in today’s digital world, it appears to be a virtual certainty that computers accessing the Internet can—and eventually will—be hacked,” he writes, and then points to a series of media reports on high profile hacks. He posits that users of Tor cannot expect to be safe from hackers.
All of that is highly disturbing. It’s as if the judge had said: “well, your car could be broken into by literally anyone on the street, so if the government breaks in, it’s just no big deal.” The last part of the judge’s analysis is also notable from both a technical and legal standpoint: using a Tor server is not a bulletproof guarantee of security. From Morgan Jr.’s opinion:
In United States v. Farrell, researchers operating the Tor nodes observed the IP address of the alleged operator of Silk Road 2.0, a Tor hidden service. Pursuant to a subpoena, the researchers turned over the information to law enforcement. In finding no Fourth Amendment violation, the Western District of Washington noted that “in order for  prospective user[s] to use the Tor network they must disclose information, including their IP addresses, to unknown individuals running Tor nodes, so that their communications can be directed toward their destinations.” The Western District of Washington noted that under “such a system, an individual would necessarily be disclosing his identifying information to complete strangers.” Indeed, the Tor Project itself even warns visitors “that the Tor network has vulnerabilities and that users might not remain anonymous.”
Tor is often recommended (including by us) as a way to hide your identifying information when surfing the internet, but it has been accessed—and compromised—by the government on more than one occasion. Attorneys should remain mindful of this, both in their own usage and in advising clients of how to stay hidden on the internet.
At root, all of this arises because the digital sphere is still somewhat perplexing as courts try to cram searching computers into a Fourth Amendment framework built entirely around searching physical locations. While some confusion is understandable, the end result of that confusion can’t simply be that the government gets more access to private spaces simply because those spaces are virtual.