Feds: If FBI Conducted Warrantless Hack of Silk Road, It Was Legal Because Servers Were Foreign

Ross Ulbricht, allegedly "Dread Pirate Roberts" who made a billion-dollar black market bazaar out of Silk Road (SR), is set to stand trial in a month for narcotics trafficking and related charges. His lawyers are currently duking it out with the Department of Justice in pre-trial motions about how the government found Ulbricht.

Because SR existed in the deep web and was accessible only through the anonymizing Tor browser, Ulbricht's attorneys say that in order to find SR's servers, the FBI must have hacked Ulbricht and conducted a warrantless search, thus violating the man's Fourth Amendment rights.

Assistant U.S. Attorney Serrin Turner filed a motion for the prosecution saying that if the FBI did hack – and he's not saying they did – but if they did, it was legal, because the servers were in Iceland:

In any event, even if the FBI had somehow 'hacked' into the SR Server in order to identify its IP address, such an investigative measure would not have run afoul of the Fourth Amendment. Because the SR Server was located outside the United States, the Fourth Amendment would not have required a warrant to search the server, whether for its IP address or otherwise.

Given that the SR Server was hosting a blatantly criminal website, it would have been reasonable for the FBI to 'hack' into it in order to search it, as any such 'hack' would simply have constituted a search of foreign property known to contain criminal evidence, for which a warrant was not necessary.

Turner's statements come in response to defense lawyer and tech specialist Joshua Horowitz, who in a court filing last week stated that the "explanation of how the FBI discovered the server's IP address is implausible" and that their apparent "failure to preserve packet logs," or bundles of relevant data, "recorded while investigating the Silk Road servers would defy the most basic principles of forensic investigative techniques."

Wired points out that Turner doesn't "directly contest Horowitz's description of the FBI's investigation. … Instead, [he] obliquely argue[s] that the foreign location of the site's server and its reputation as a criminal haven mean that Ulbricht's Fourth Amendment protections against unreasonable searches don't apply."

The government claims it discovered the servers' locations because of an improperly configured CAPTCHA (one of those "prove you're human" garbled typing tests). Several Internet security experts, like Brian Krebs of Krebs on Security, Nicholas Weaver of Berkeley's International Computer Science Institute, and Robert Graham of Errata Security, have said that the FBI's story is full of technical holes.

  1. The base rule for privacy under the 4th Amendment is that people have privacy where they have a reasonable expectation of it. People cannot control and in many cases have no knowledge of whether the information they put on the internet is stored or travels outside the United States. Yet, they most certainly have a reasonable expectation of privacy for non public information they put on the internet.

    If you apply the government’s logic here, a person who stores a document in a cloud server that happens to be located outside of the US or the information travels outside of the US in order to get to the server has no 4th Amendment protections. That is absurd. If tomorrow Google decided to move their email servers to China, by the government’s logic here, everyone with a Gmail account would no longer have any 4th Amendment protection of that account.

    1. If tomorrow Google decided to move their email servers to China, by the government’s logic here, everyone with a Gmail account would no longer have any 4th Amendment protection of that account.

      Isn’t that the point?

      1. Yes, yes it is.

    2. So if a person sitting at a desk in the United States hacks into a computer system outside the US, how many domestic, foreign (in the country where the server was located), and international laws does that person break?

      1. Depends. Is that person above the law or below it?

        1. In the US and outside the US? Interesting question.

          So when does Iceland start extradition proceeding against the agents that hacked into the system?

    3. If you apply the government’s logic here, a person who stores a document in a cloud server that happens to be located outside of the US or the information travels outside of the US in order to get to the server has no 4th Amendment protections.

      That scenario that I postulated was where the Feds don’t do the search, the foreign government does on behalf of the American government.

      “Oh hey, look what landed in my inbox? Wow that Latvian enforcement agency are nice guys. I didn’t even ask for it!”

      1. The case law is clear on that. The government cannot get other parties to act as their agents to do things the government can’t do. So for example the cops can’t ask a landlord to go into a rental property and nose around and tell the cops what he sees.

        The same logic applies here. The problem is that judges are either technologically ignorant, government hacks or both. So the law isn’t dealing with the internet very well. It shouldn’t matter where the server is physically located. If someone in the US stored the information reasonably expecting it to remain private, the cops should have to get a warrant.

        1. I think the foreign soil bit is a red herring. Really, they are saying that the FBI observed a crime in progress and thus had reasonable cause to “enter” the server and try to get evidence.

          I’m not sure I disagree with this analysis.

          If you are a cop, and you see a person hitting a bong in their car, you now have every reason to search that car. You do not need to get a warrant.

          Likewise, if you are a cop and you see someone walk up to a house and engage in buying drugs, you have reasonable cause, and don’t need a warrant.

          If you went to silk road and you saw that it was selling drugs, it seems to me that the server is now premises to an ongoing crime, and a search- even without a warrant- isn’t necessarily unreasonable.

          The original defense was saying that FBI didn’t hack the server directly, but that they had been doing mass collection of data and mining it to put the bits together. In that case, they would have been searching an entire city block just because they knew a drug dealer had been spotted in the area.

          I don’t believe selling drugs should be illegal, but it sadly is. If law enforcement witnesses property being used to commit a crime, they have reason to search it.

          1. Likewise, if you are a cop and you see someone walk up to a house and engage in buying drugs, you have reasonable cause, and don’t need a warrant.

            That is not true. The cops have to get a warrant to search a house unless there are exigent circumstances, like say they see a kidnapping and see the victim dragged in the house. Just seeing the bong go in wouldn’t cut it.

            Cops don’t need a warrant to search the car because courts arbitrarily decided that cars don’t deserve the same expectation of privacy homes do. So what is a server most like a car or a home?

            I would say it is most like a home. A server is nothing but an electronic filing cabinet. A cloud server is nothing but an electronic extension of your home. So, cops should absolutely have to have a warrant to search them no matter where they are. What should matter is who is storing the information and what their expectation is.

            1. The cops have to get a warrant to search a house unless there are exigent circumstances, like say they see a kidnapping and see the victim dragged in the house. Just seeing the bong go in wouldn’t cut it.

              This is not true. If there is paraphernalia, or other evidence of a crime being committed in plain sight, they ARE allowed to enter and do a sweep of your house. This is the Plain View doctrine. So if you are in front of the window hitting a bong and the smell of marijuana is strong, they can enter. If you are running a meth lab with the curtains open, they can enter and sweep- no warrant needed.

              There are limits to what the officer can search when he does the sweep of your house, for example, he can’t compel you to unlock things, or open drawers and the like.

              I don’t think you can argue that evidence was in plain view that this site was conducting criminal activity. The question then is what “information gathering” on that server would be allowed and what requires a warrant. Since IP address (once you are on the host) is basic configuration information, I don’t think it’s unreasonable for a judge to find it is ok to ascertain (ifconfig -a). Now could he go into your email? Brute force encrypted documents? Install eavesdropping or keylogging software? Absolutely not.

              1. And, BTW: This is why we are so fucked. EVERYTHING WE DO is a crime these days. To the average police officer, it might not be as big of a deal. But when we are talking about federal officers- especially the FBI- we are talking about people who have spent a lot of time reading about every little possible law a person could be breaking. At that point, they have a pretext to do a lot of information gathering. At which point they can find another evidence of some crime, and another and another, until they can pin you on whatever they were after in the first case.

              2. This is the Plain View doctrine

                The Plain View (TX) doctrine is pretty specific to… plain view is it not? If they see the bong and bag of oregano on the couch, that’s in plain view. But they’re not allowed to rummage through your filing cabinets and cardboard boxes in the garage. There’s nothing “on” a server that’s in plain view, except what you can see on any public-facing interface.

        2. The case law is clear on that. The government cannot get other parties to act as their agents to do things the government can’t do.

          How can that be true? Isn’t the entire War on Terror based on us giving “grants” to foreign governments to root out terrorist elements in their midst?

    4. According to current law, the electronic communications of a US Person are protected no matter where they occur or where they are stored. On the other hand, the SERVER itself, if owned by a foreign entity, is not subject to US privacy laws. It’s going to come down to whether the judge sees this as a search of a foreign server, or a search of protected communications on a foreign server. The moral of the story is that we need judges that graduated law school at some point after 1990.

      1. It is absurd to say that the communications to the server are protected but the information on the server isn’t protected.

        1. That’s not what I’m saying at all. As the law is written, the communications to the server are protected if they are from a US Person, AND the stored communications are protected if they belong to a US Person. Think of it as a letter: It’s protected while in transit, and it’s protected sitting in your file cabinet. The problem is getting the judge to see it that way.

      2. Interesting, but irrelevant to the issue of whether the 4A applies to the government only in certain geographic regions, or applies to the government, period.

      3. The argument that the government is making though is that these aren’t communications. At issue is how they found his server and where it was located, right? That is configuration information of a server currently involved in a crime, not a search of your personal communications.

  2. Feds: If FBI Conducted Warrantless Hack of Silk Road, It Was Legal Because Servers Were Foreign

    HA! I fucking said so. It’ll be interesting to see if this ultimately holds up. And if the Feds’ argument does hold, it’s going to have HUGE implications for offsite hosting of anything.

    1. It’s legal under the FYTW Clause of the Constitution.

    2. So if the server is overseas it’s not covered by US law? Sweet! I guess I can contact that server in the Cayman Islands and start putting down bets on the games this weekend, right?

  3. I want to see a court blow away this bullshit that the FBI and other spook agencies keep tossing off when they claim that they’re only bound by the constitution within US borders. The constitution is the entirety of the legal basis for the government’s very existence, and it is binding upon the government at all times, in all places. When the government acts outside of the powers the constitution grants, it is usurpation.

    -jcr

    1. I want a winning Powerball ticket.

      I fear that the odds of me getting what you want are greater than the odds of you getting what you want.

  4. They obtained their information illegally, and then reverse engineered an investigation?

    I thought only the DEA did that!

  5. OT: Some fun from TreasonousPhilosohy:

    http://thinkprogress.org/justi…..ents-home/

    Eighteen-year-old DeShawn Currie was walking into his foster parents’ unlocked side door after school Monday afternoon, when a neighbor called 911 to report what they perceived to be a burglary on the residential block in Fuquay-Varina, North Carolina. When cops arrived, they walked inside the house and ordered Currie to put his hands up, as Currie, confused, questioned what he had done wrong. Cops responded by pointing to a picture on the wall that showed several white children together, implying that Currie, black, did not belong.

    1. Maybe one of the cops was part of that lesbian couple who is suing the sperm bank for giving them a mix race kid.

      1. Why don’t they just write “other” in the race box on the birth certificate?

  6. So, at what point, if any, do judges start to get just a little bit pissy that the state is blatantly lying to them about the evidence it collects?

    When it’s national security, they can at least rationalize it by thinking in terms of existential threats, nuclear bombs going off or whatever. But contraband is pretty much just standard-issue law enforcement. If feds can bullshit about evidence here, they can bullshit about evidence anywhere and anytime.

  7. American laws apply anywhere on the planet, unless they are a hindrance to American law enforcement agencies. Just like in America.

    Got it.

    1. American laws apply to you world wide 24 seven. Your constitutional rights however stop when you get within a hundred miles of the border.

  8. How about this?

    I agree to concede that the search was legal, if the FBI concedes that the people who testified to the court and filed affidavits with the court are liars and perjurers, and immediately brings them up on charges.

    And if the judge immediately instructs the jury to discount any evidence produced by anyone on the same investigative or prosecutorial team.

    How’s that?

    1. And extradite them to the country where the server was located to be tried for the crime of hacking. Don’t forget that.

      1. Right. The FBI argues that a warrantless hack doesn’t violate an American’s constitutional rights. But isn’t the FBI admitting in court they broke the law in Iceland?

        1. They are. I doubt they would be fine with China hacking American servers to convict some member of the Falun Gong. They violated the sovereignty of Iceland and committed a crime there.

          1. Too bad the right thing won’t happen now.

          2. “if the FBI did hack – and he’s not saying they did – but if they did, it was legal, because the servers were in Iceland:”

            1. I think the government of Iceland might be a little more hard nosed about it.

              1. I hope so. I pray this turns into an international crisis as soon as possible.

  9. The FBI, following in the footsteps of J. Edgar

    1. I think they are following in the black leather hi heeled pumps of J. Edgar. NTTAWWT

  10. This crazy notion that the entire rest of the world is a Constitution-free zone for the feds needs to be slapped down, and slapped down hard.

    1. So, do you think the Constitution should apply to say, Yemenis in Yemen?

  11. I don’t think a Camden cop can write me a ticket for an illegal turn I made in Philadelphia, just because he saw it in a YouTube video. No hacking involved. That might be a sloppy analogy, but I’m wondering what the FBI’s jurisdiction is here.

  12. If the 4th amendment doesn’t apply in Iceland, then neither do our federal laws.

  13. My copy of the Constitution does not contain the “Your rights stop at the water’s edge” clause.

  14. Even if… Ha! I’ll bet the FBI, in hacking SR, violated Icelandic law. Will Obama extradite the agents to face charges in Iceland? Not likely.

  15. Wait! Hacking is legal in Iceland?

  16. My guess is that they got the data from European allies. European data protection against government intrusion is horrifically weak, allowing European governments to spy on pretty much anybody on a whim. They are probably keeping mum about it because they don’t want to get their European buddies into politically hot water, because Icelandic police handing over data to the FBI wouldn’t go over well with their voters.
