Last Week in Tech Law & Policy, Vol. 32: Is government hacking a “search” under the Fourth Amendment?

(by Kiki Council, Colorado Law 3L)

Last week’s blog post concerned the ramifications of sponsored and compelled government hacking with the use of backdoor encryption. This week’s post concerns government hacks of computers using the Tor browser, and whether those hacks are considered a “search” under the Fourth Amendment.

Background: How the government hacked computers using Tor

In February 2015, the Federal Bureau of Investigation filed an affidavit in support of a search warrant in the Eastern District of Virginia to investigate what has been described as “Website A.” Website A was a hidden service site on the Tor network, and its primary purpose was the advertisement and distribution of child pornography. That same month, the FBI executed a search warrant at the residence of the alleged administrator of Website A and began operating Website A from a government server in Virginia.

The February warrant sought to employ a network investigative technique (“NIT”) to target those who accessed Website A. This particular NIT deployed a set of computer code to an “activating computer” that accessed the website. Once a user logged into Website A with a username and password, the activating computer, now using the government’s code, would send certain information to a different computer run by the government. That information included the IP address of the activating computer, a unique identifier generated by the NIT to distinguish activating computers from each other, and the operating system of the activating computer. The information obtained would be used to assist the FBI in identifying activating computers and their users.

Due to the sheer size of the NIT used by the FBI on Website A, several users had their computers traced and searched—all based on the single warrant issued in Virginia. Based on those searches, many users were arrested and prosecuted pursuant to federal child pornography statutes.

Many of those criminal defendants now seek to suppress the evidence found in their homes or on their computers, arguing that the evidence is the fruit of the poisonous tree. These suppression motions raise a valid question in today’s technologically enmeshed world: is government hacking a search or not?

Legal arguments and policy in favor of government hacking

The Fourth Amendment to the United States Constitution provides that citizens have a right “to be secure in their persons, houses, papers, and effects,” against “unreasonable searches and seizures.” The government is not allowed to issue a warrant without probable cause, and that warrant must be particular about the place to be searched and the things to be seized.

To determine whether a search occurred, a court must consider whether a person has exhibited a subjective expectation of privacy, and whether this privacy expectation is one that society recognizes as reasonable.

Proponents of government hacking of Tor websites, especially in the manner conducted by the FBI NIT, argue that Tor users have no reasonable expectation of privacy in their IP address. The Department of Justice agrees, pointing out that Tor users reveal their true IP address to another computer when entering a Tor network through entry points called guard nodes. Because there is no expectation of privacy as to this information, a search warrant from the government is arguably not required at all.

Several courts have held that one does not have an expectation of privacy in their IP address when using the internet because “Internet users ‘should know that this information is provided to and used by Internet service providers for the specific purpose of directing the routing of information.’” Based on that reasoning, one court in the recent FBI NIT cases has further found that “the fact that the government needed to deploy the NIT to a computer does not change the fact that Defendant had no reasonable expectation of privacy in his IP address”—primarily because the IP address was revealed “in transit” when the NIT sent information to the FBI. The court reasoned that the government’s use of a technique to “regurgitate certain information, thereby revealing additional information that the suspect had already exposed to a third party” does not represent a search. The court found that the deployment of the NIT to capture the identifying information does not represent a search, and thus no warrant was needed.

From a public policy perspective, courts can (and have) additionally argued that Tor networks can be abused by criminals and used to mask criminal activity. If a government agency were required to issue a warrant for each search conducted using an NIT on a Tor network, it would arguably be thwarted in its attempts to mitigate criminal activity.

Legal arguments and policy against government hacking

In September 2016, a judge in the Western District of Texas held that a search had been conducted by the FBI despite the fact that citizens generally lack an expectation of privacy in their IP addresses. The court pointed to the fact that the NIT “placed code on [defendant’s] computer without his permission, causing it to transmit his IP address and other identifying data to the government.” The court determined that the defendant’s lack of a reasonable expectation of privacy in his IP address was of “no import.” The NIT used was “unquestionably” a search under the Fourth Amendment.

Despite finding that the use of the NIT by the FBI was a search, the court still ruled that the evidence was admissible because it could not be proven that the FBI had willfully violated Federal Rule of Criminal Procedure 41(b), which is meant to prevent judges from authorizing searches conducted outside of their districts. However, the judge aptly noted that “the instant NIT warrant has brought to light the need for Congressional clarification regarding a magistrate’s authority to issue a warrant in the internet age, where the location of criminal activity is obscured through the use of sophisticated systems of servers designed to mask a user’s identity.”

Public policy from this perspective argues that the government is increasingly able to remotely compromise computers. Such ability is not a good thing, despite what criminal activity may take place on the internet and Tor browsers. Further, proponents of this perspective argue that computers, and all that they encompass, necessarily entail a privacy interest, because so much personal information can be stored within them.

Questions

Similar to the subjects of last week’s blog post, these cases raise important questions of how to balance the competing interests in privacy, data security, and law enforcement. Does a middle ground between these sometimes opposing interests exist? Further, how should courts square the Fourth Amendment with the existence of such technology as the Tor browser? Does this issue in particular expose the difficulty posed by using “traditional” law or legal analogies in the context of the internet? Some argue that these rulings are a result of a lack of technological sophistication by judges. Does that criticism have merit?