It Depends On Who Does The Hacking

When Weev Auernheimer exploited a mistake in the configuration of AT&T’s access for iPads, the government prosecuted him for violating the Computer Fraud and Abuse Act.  When the government wanted to nail Silk Road’s Dread Pirate Roberts, the shoe was on the other foot.

Via Orin Kerr at WaPo Conspiracy:

In defending the prosecution, the U.S. Attorney’s Office recently filed a very interesting brief explaining how investigators found the computer server that was hosting the Silk Road (SR) server. Although the brief is about the Fourth Amendment, it has very interesting implications for the Computer Fraud and Abuse Act, the federal computer hacking statute.

The brief explains how the FBI found the SR server:

The Internet protocol (“IP”) address of the SR Server (the “Subject IP Address”) was “leaking” from the site due to an apparent misconfiguration of the user login interface by the site administrator i.e., Ulbricht. FBI agents noticed the leak upon reviewing the data sent back by the Silk Road website when they logged on or attempted to log on as users of the site. A close examination of the headers in this data revealed a certain IP address not associated with the Tor network (the Subject IP Address as the source of some of the data). FBI personnel entered the Subject IP Address directly into an ordinary (non-Tor) web browser, and it brought up a screen associated with the Silk Road login interface, confirming that the IP address belonged to the SR Server.

The FBI’s declaration explains that the investigating agent entered “miscellaneous” information into the login prompt of the Silk Road server and received an error message. A forensic analysis of the error message found that it contained an IP address not associated with Tor. That IP address was the address of the Silk Road server.

Before opsec guys jump all over this, Rob Graham explained to me that the language used in the government’s argument is goofy and could well be parallel construction, but could also just be the typical improper technical language that clueless lawyers use when explaining something they don’t grasp to an even more clueless judge.  In any event, it’s not really important whether this is factually accurate or complete malarkey. What matters is that the government used this argument, that their hacking was lawful, thus circumventing 4th Amendment constraints.

Is the analogy perfect?  Of course not, but it is close enough to do damage.

There was nothing unconstitutional or otherwise unlawful in the FBI’s detection of that leak. The Silk Road website, including its user login interface, was fully accessible to the public, and the FBI was entitled to access it as well. See United States v. Meregildo, 883 F. Supp. 2d 523, 525 (S.D.N.Y. 2012) (noting that web content accessible to the public is not protected by the Fourth Amendment and can be viewed by law enforcement agents without a warrant). The FBI was equally entitled to review the headers of the communications the Silk Road website sent back when the FBI interacted with the user login interface, which is how the Subject IP Address was found.

It does not matter that Ulbricht intended to conceal the IP address of the SR Server from public view. He failed to do so competently, and as a result the IP address was transmitted to another party — which turned out to be the FBI — who could lawfully take notice of it…

In short, the FBI’s location of the SR Server was lawful, and nothing about the way it was accomplished taints any evidence subsequently recovered in the Government’s investigation.

Replace the name Ulbricht in the quote above and substitute any person or business. Replace the name FBI and substitute the name of a defendant.  Then read it again.

In Auernheimer, DOJ argued that data on a webserver was protected by law if an ordinary user could not find it. In the Silk Road case, DOJ argues that data on a webserver is unprotected by law if the system administrator configured the network incompetently so that an FBI expert could find the data. It sounds like there’s some significant tension between the government’s position in the two cases.

At the same time, Orin notes the obvious distinction:

Granted, the CFAA and the Fourth Amendment are not the same thing. Further, the CFAA has an exception for “lawfully authorized investigative . . . activity of a law enforcement agency of the United States,” although the Silk Road brief does not rely on it. But there’s an interesting tension there. Perhaps the difference just reflects the different positions of two different prosecutors or two different offices litigating the two different cases. Or, more cynically, maybe it’s just natural to view the lawfulness of conduct differently when prosecuting versus defending it.

Is it cynical to note that the view looks very different when the party under scrutiny is the good guy or the bad guy?  Do those who are inclined to grant latitude to law enforcement because they are there to protect us from the Weevs of the world recognize that it’s the conduct, not the favored status of the party performing the conduct, that distinguishes lawful from unlawful?

But then again, the law favors law enforcement so that it can perform its very important duty to protect us from the criminals, even if you can’t tell who is who from what they do.



21 thoughts on “It Depends On Who Does The Hacking”

  1. simple-touriste

    I guess the legal definition of “ordinary user” is “as incompetent as the judge”…

    BTW, a Tor hidden service server accessible with its Internet address? Really?

    A Tor hidden service server shouldn’t even know its Internet address, or have one. It should only have a private or local IP address. Just in case.

    1. SHG Post author

      I don’t know from such things, which is why I ask people who know more than me. And yes, all judges know that whatever they think is normal is, as a matter of law, normal, because they are the judge.

      1. simple-touriste

        I have just noticed that the words “Tor hidden service” or “hidden service” or “.onion” aren’t even used in the document!

        What is “web content” legally? Is that content accessible on an HTTP(/S) server on the Internet, with either a registered domain name or an Internet IP address?

        Tor hidden service doesn’t have a normal, registered domain name. It isn’t accessible via an Internet IP address or a local IP address, only through the Tor network. Is it still web content? I would investigate that.

        Also. The relevant part of the United States v. Christie, 624 F.3d 558, 574 (3d Cir. 2010) (no expectation of privacy in IP address conveyed to third-party) case seems to be:

        “IP addresses are not merely passively conveyed through third party equipment, but rather are voluntarily turned over in order to direct the third party’s servers.”

        But this only applies to packet headers (meta information), not content! Here the IP address was the content, the information, not meta. So this doctrine very clearly doesn’t apply. This seems like a VERY serious mistake.

        “It does not matter that Ulbricht intended to conceal the IP address of the SR Server from public view.”

        What? This can’t be right. If it doesn’t matter, then please don’t mention “United States v. Christie”.

        I have no issue with what the FBI did. None. Nada.

        But this line of argument is absolutely terrible. They shouldn’t cite a case to mean something else. IP address means something in context, it’s the IP address in IP packets (in binary), not a random IP address as text.

        Bad arguments should be rejected, even when the conclusion is correct.

        (IANAL)

        1. SHG Post author

          This is a perfect comment to demonstrate the price of being pseudonymous. I have no clue if the substance is accurate, but I also have no basis to believe that you have any competence to offer an opinion. Sorry, but you can’t have it both ways. It’s not that I disagree with you, but that it means nothing to me.

          And regardless, when you write, “I have no issue with what the FBI did. None. Nada.,” it means nothing since no one knows or cares who you are. That’s what comes of being pseudonymous. Just saying.

            1. SHG Post author

              It was neither, as far as I can tell. You see it differently because you know who you are and what you know. I do not.

          1. Levi

            Since he/she/it provided a helpful “(IANAL)” tag, I would assume you have some basis to assume at least impaired competence when discussing the applicability of a court opinion that was only mentioned in the government’s brief linked above. At least, that’s how it looks to another pseudonymous non-lawyer.

            1. SHG Post author

              That was taken for granted. As for his mad computer skillz, I can’t vouch for that either. It’s the price of pseudonymity. His point (which may be 100% correct) stands on its own, but I can’t assess it. I make this point only so people recognize the limits of their choices.

          2. Nick42

            SHG,

            If you can’t judge the content of his words, what makes you think you could judge his credentials?

            I would expect the average layman to think that a lawprof would be an expert on whatever legal topic they might care to enlighten us upon, but I think that you or regular readers of this blog would be quite a bit more skeptical of a lawprof’s knowledge of the realities of criminal defense. Do you think you would fare better?

            Simple-touriste has demonstrated his knowledge of both the cited caselaw and IP networks in his comment, which makes his comment about him having no issue with what the FBI did mean something to me.

            If you respect Robert Graham’s opinion, his blog post “The know-nothings of cybersecurity” offers a similar opinion on the superiority of an argument that can be verified compared to one which rests upon the speaker’s authority.

            FWIW, Simple-touriste is comparing the difference between the IP address in a packet header (similar to a postal address on an envelope) and an IP address in the body of the packet (similar to a postal address on the letter inside the envelope).

            1. SHG Post author

              Simple-touriste has demonstrated his knowledge of both the cited caselaw and IP networks in his comment, which makes his comment about him having no issue with what the FBI did mean something to me.

              This is a double fail in a single sentence. It’s a shame you don’t understand why. You may understand his tech discussion, but I don’t know if he knows squat about tech, and I can’t assess his tech knowledge. I do, on the other hand, know Rob and his expertise. On the other hand, because S-T cites to caselaw means nothing whatsoever. It may impress you, but it does nothing for me. And you probably aren’t getting any of this.

              In any event, feel free to agree or disagree with S-T or me. That’s why I posted his comment. As for the lawyers here (remember, this is a law blog), it carries little weight.

            2. Nick42

              S-T established his expertise in my eyes by citing the relevant portion of Christie and then cogently explaining why the facts in this case are different. If that’s a failure, then you’re right that I don’t know why it is so.

              However, my question remains unanswered:

              if you lack the ability to judge someone’s argument, how can you judge their expertise?

            3. SHG Post author

              So even though this is off-topic, you persist because you have a question and you somehow believe that you’re so entitled to an answer that I MUST RESPOND!!! Oy. First, S-T may have established his expertise in your eyes. So what? When did “your eyes” become the measure of anything here? You’re not a lawyer. Anything remotely lawyerish sounding would be sufficient in your eyes, and you wouldn’t have a clue if it was brilliant or utter nonsense. And yet you think your non-lawyer opinion (who are you, anyway?) matters to anyone other than yourself? That’s crazy.

              As to your unanswered question, credibility comes from three sources: attained, ascribed and attributed. The first means someone has achieved credibility by his own conduct. You believe him because he’s proven himself believable in the past.

              The second, ascribed, means that they’re in a position that gives them inherent credibility, like a law professor, and so you believe them because their credibility is attributed to their status.

              The third, attributed, means that someone/something (like a magazine) has told you that a person is credible. If you believe the person/entity who told you, then the person is credible because someone you believe vouched for him or you accept the source as credible.

              With someone who has none of these, and who you can’t judge personally for lack of sufficient information (whether about them or about what they’re asserting), they lack credibility. This isn’t because they are not credible, but because they haven’t provided sufficient basis to establish credibility.

              Now that you’ve taken far more of my time than I cared to give, we’re done with this.

  2. Jack

    What makes me smile is that they entered “miscellaneous data” into the Login Form and “analyzed error messages”. That’s a euphemism for SQL Injection attack.

    1. Troutwaxer

      An SQL Injection Attack is certainly the most likely method of getting information, but the FBI may also have done something clever with Javascript or maybe they exploited a vulnerability in the programming language or one of its libraries. (PHP?)

      The implication I’m seeing (and I haven’t been following the case closely) is that the FBI put “miscellaneous data” into the login form without a warrant. For those who don’t speak tech-ish, entering “‘miscellaneous data’ into a login form” has the same implications as “entering ‘miscellaneous pieces of metal’ into the keyhole of a lock.” I’m pretty sure you need a warrant for that.

      I’m not a lawyer, but I am currently building a complex website which allows user logins and I can safely assure everyone that the “miscellaneous data” needed to make my website throw up an error message that might be forensically useful is almost impossible to come by through any process that might come under the heading of “miscellaneous.” It takes high-level, domain specific knowledge to generate that kind of “miscellaneous data” and it’s essentially impossible to generate that data randomly.

      The idea that some kind of “plain view” doctrine is applicable is ridiculous, unless “Your Honor, the contraband was in plain view as soon as we picked the suspect’s lock (without a warrant)” has become the law of the land.

      In my opinion someone is trying to “mislead” the judge by putting “miscellaneous letters” into their declaration.

      1. Troutwaxer

        I should note one other item of technical interest. Weev did not mess with AT&T’s login page. He added a number to the end of the URL (Uniform Resource Locator) on AT&T’s web page. The FBI, on the other hand, used Silk Road’s login form.

        The difference, with all the frailties to which an analogy might be vulnerable, is more or less as follows: Weev added a “suite number” to an address and viewed what was present on the outside of the suite. The FBI picked a specific lock on the door of a specific building using highly specialized “lock picking” techniques. How the technical differences might play out in court is not something I’m competent to comment about.

        1. SHG Post author

          Nor should you be playing the analogy game. It’s not only unhelpful, but part of what gives rise to some fundamentally bad law.

          1. Troutwaxer

            Absolutely agreed on analogies making bad law. Fortunately, I’m engaging in casual conversation rather than making an argument in court. Unfortunately I suspect we’re stuck with it until a sufficient number of judges take up computer programming, which should probably be a requirement of any law school. (I’m aware that this is a fantasy on par with the idea that Scarlett Johansson will want me desperately, but I can dream!)

            The one judge I have heard of who did understand computer programming (Oracle vs. Google (Android)) was overturned by an appeals court who collectively had 1/100th the knowledge he had with regard to the subject matter, and this did indeed produce a very bad decision. For more information on this subject I’d suggest searching Groklaw.
