FBI's Questionable Actions and Cybersecurity
In July 2015, the FBI seized a Tor-hidden website involved in the exploitation of minors. Although arrests were made and the website was removed from access, the FBI’s methods and activities during the operation drew scrutiny from the cybersecurity community and raised questions about the operation’s legality.
Tor is a piece of software freely available on the Internet. It is also a network. Tor allows users to access what is called the “dark net,” which is the part of the Internet either not normally served by mainstream search engines or accessible only through special browsers that utilize a specific kind of communication to provide maximum anonymity to the user. This is usually accomplished by disallowing certain plugins, like Adobe Flash or Java, that could compromise the user’s anonymity, and by “bouncing” signals between multiple servers across the world before they reach the destination. While services such as Tor are host to many illegal or extralegal activities, they can also be used to bypass government censorship in countries with regulation-heavy Internet access. Obviously, such a network is usually under intense law enforcement watch.
In this case, the FBI was able to bust a website on the Tor network involved in the sexual exploitation of minors. However, as is often the case with the new field of cyber law enforcement, even the takedown of a heinous website is not without question.
There are two particular questions in this case: first, whether the warrant used by the FBI was specific enough to be legal, and second, whether it was legal for the FBI to run the website under its own power in order to catch other suspects.
The first issue is a result of the current judicial system not yet understanding the nature of cyber crimes or possessing the technical expertise to make fair judgements or issue fair warrants. The best example is the affidavit for the case, which never refers to the Tor network by name, nor does it name the illegal website. There are only vague mentions of “a network” with an anonymizing capability and a statement that “Website A” is hidden on it.
Additionally, the affidavit even goes on to describe a kind of malware that would be injected into the website and would specifically be used to infect additional suspects’ computers. This malware would stealthily track, identify and locate the suspect’s computer without their knowledge or consent.
For the second question, there are concerns over whether or not the FBI should have continued to allow the website to exist in order to catch new suspects. On the surface, it makes sense to allow the website to run for a few weeks to stealthily catch new criminals. But there are ethical questions about leaving such a website accessible when law enforcement has the power to take it down outright. Other than being controlled by law enforcement, the website is unchanged. The images continue to exist and users can still upload new ones and circulate them.
A quote from USA Today put it best. “At some point, the government investigation becomes indistinguishable from the crime, and we should ask whether that’s OK,” Elizabeth Joh, a University of California Davis law professor, said.
Finally comes the issue inherent to the global nature of the Internet: some of the suspects could be in other countries, outside of the FBI’s jurisdiction. Installing malware on a suspect’s computer across country lines could be seen as hacking or at least a violation of a country’s sovereignty.
With this particular case, the crime was terrible enough for almost all concerns to be outweighed by the benefits of catching the perpetrators. But the questions of cybersecurity, privacy and the jurisdiction of law enforcement on the Internet need to be addressed before they become larger issues.