Playpen: The Story of the FBI’s Unprecedented and Illegal Hacking Operation

Playpen: The Story of the FBI’s Unprecedented and Illegal Hacking Operation


By: Mark Rumold
Date: 2016-09-15

In December 2014, the FBI received a tip from a foreign law enforcement agency that a Tor Hidden Service site called “Playpen” was hosting child pornography. That tip would ultimately lead to the largest known hacking operation in U.S. law enforcement history.

The Playpen investigation—driven by the FBI’s hacking campaign—resulted in hundreds of criminal prosecutions that are currently working their way through the federal courts. The issues in these cases are technical and the alleged crimes are distasteful. As a result, relatively little attention has been paid to the significant legal questions these cases raise.

But make no mistake: these cases are laying the foundation for the future expansion of law enforcement hacking in domestic criminal investigations, and the precedent these cases create is likely to impact the digital privacy rights of Internet users for years to come. In a series of blog posts in the coming days and weeks, we'll explain what the legal issues are and why these cases matter to Internet users the world over.

So how did the Playpen investigation unfold? The tip the FBI received pointed out that Playpen was misconfigured, and its actual IP address was publicly available and appeared to resolve to a location within the U.S. After some additional investigation, the FBI obtained a search warrant and seized the server hosting the site. But the FBI didn’t just shut it down. Instead, the FBI operated the site for nearly two weeks, allowing thousands of images of child pornography to be downloaded (a federal crime, which carries steep penalties). That decision, alone, has spurred serious debate.

But it’s what happened next that could end up having a lasting impact on our digital rights.  

While the FBI was running Playpen, it began sending malware to visitors of the site, exploiting (we believe) a vulnerability in Firefox bundled in the Tor browser. The government, in an effort to downplay the intrusiveness of its technique, euphemistically calls the malware it used a “NIT”—short for “Network Investigative Technique.” The NIT copied certain identifying information from a user’s computer and sent it back to the FBI in Alexandria, Virginia. Over a thousand computers, located around the world, were searched in this way.

As far as we are aware, this is the most extensive use of malware a U.S. law enforcement agency has ever employed in a domestic criminal investigation. And, to top it all off, all of the hacking was done on the basis of a single warrant. (You can see our FAQ here for a bit more information about the investigation.)

As it stands now, the government has arrested and charged hundreds of suspects as a result of the investigation. Now defendants are pushing back, challenging the tenuous legal basis for the FBI’s warrant and its refusal to disclose exactly how its malware operated. Some courts have upheld the FBI’s actions in dangerous decisions that, if ultimately upheld, threaten to undermine individuals’ constitutional privacy protections in personal computers. 

The federal courts have never dealt with a set of cases like this—both in terms of the volume of prosecutions arising from a single, identical set of facts and the legal and technical issues involved. For the past few months, we’ve been working to help educate judges and attorneys about the important issues at stake in these prosecutions. And to emphasize one thing: these cases are important. Not just for those accused, but for all us.

There are very few rules that currently govern law enforcement hacking, and the decisions being generated in these cases will likely shape those rules for years to come. These cases raise serious questions related to the Fourth Amendment, Rule 41 (an important rule of criminal procedure, which the Department of Justice is in the process of trying to change), the government’s obligation to disclose information to criminal defendants, and about vulnerabilities in widely used software products. We’ll tackle each of these issues, and others, in our series of blog posts designed to explain the FBI’s takedown of Playpen matters for all of us.

The article is reproduced in accordance with Section 107 of title 17 of the Copyright Law of the United States relating to fair-use and is for the purposes of criticism, comment, news reporting, teaching, scholarship, and research.

No comments: