Last Week in Tech Policy #48: Playpen and Government Hacking

(by Sergey Frolov, University of Colorado Computer Science Ph.D candidate)

In the U.S., it is illegal to produce, distribute, and possess child pornography. Playpen is a now-defunct child pornography website. The FBI managed to trace the site’s operators, then obtained a warrant and seized the web server on which the site ran.

However, instead of shutting the server down immediately, the FBI continued to operate Playpen for an additional 13 days. During that time, according to the Electronic Frontier Foundation, the FBI sent malware to visitors to the site in order to identify and prosecute them for possession of child pornography.

There are several controversies related to Playpen case. In no particular order:

  1. The FBI continued to operate Playpen after seizing control of the server.
    Playpen’s lawyers claim that, rather than shutting the site down, “Government agents worked hard to upgrade the website’s capability to distribute large amounts of child pornography quickly and efficiently,” and the improved performance attracted more users, growing the site’s membership by 30%.
  2. The FBI sent malware to thousands of computers based on a single warrant.
    EFF argues that such a warrant violates the particularity requirement of 4th Amendment, which “was designed to prevent precisely this type of sweeping authority.”
  3. Government malware implicates Rule of Criminal Procedure 41.
    According to EFF, “Rule 41 only authorize[d] federal magistrate judges to issue warrants to conduct searches in the judicial district where the magistrate is located—with limited exceptions that do not apply in this case.”
    Meanwhile, in December 2014, the advisory committee on criminal rules for the Judicial Conference of the United States proposed a new amendment to Rule 41 to allow the type of law enforcement activity that occurred in the Playpen case. EFF argued that the changes would be a “sweeping expansion of law enforcement’s ability to engage in hacking and surveillance”. Congress could have stopped this amendment from taking effect, but didn’t, which means that the rule change is now in effect.
  4. The FBI and DOJ decided to drop one of the cases, rather than disclose the underlying exploit.
    In the case brought against one alleged viewer, United States v. Jay Michaud, federal Judge Robert Bryan ordered the government to hand over the malware’s source code, leading DOJ to drop the case rather than burn the exploit. Annette Hayes, a federal prosecutor, wrote in a court filing that “Disclosure is not currently an option.” New York sex crime lawyer Zachary K. Goldman argued that “[t]he FBI is placing paramount importance on preserving the ability to use this technique in the future.”

Recent Developments

In Novermber 2016, DOJ stated that it had brought over 200 active prosecutions related to Playpen case using the results of the exploit.

In March 2017, EFF, the American Civil Liberties Union, and the National Association of Criminal Defense Lawyers published a guide on challenging government-sponsored hacking in criminal cases. Colin Fieman, a federal public defender, who represents two Playpen defendants, and Orin Kerr, a law professor at George Washington University and one of the nation’s top computer crime scholars commented positively on the guide. Kerr claims that the guide is needed to “level the playing field”, as “DOJ is coordinating its briefs, and that coordination helps the government put its best arguments forward. There is naturally less coordination on the defense side.”