The U.S. Department of Justice is currently prosecuting Ross Ulbricht for being the apparent mastermind of the illegal narcotics website Silk Road, which was run for years on a hidden website. In defending the prosecution, the U.S. Attorney’s Office recently filed a very interesting brief explaining how investigators found the computer server that was hosting the Silk Road (SR) server. Although the brief is about the Fourth Amendment, it has very interesting implications for the Computer Fraud and Abuse Act, the federal computer hacking statute.
The brief explains how the FBI found the SR server:
The Internet protocol (“IP”) address of the SR Server (the “Subject IP Address”) was “leaking” from the site due to an apparent misconfiguration of the user login interface by the site administrator, i.e., Ulbricht. FBI agents noticed the leak upon reviewing the data sent back by the Silk Road website when they logged on or attempted to log on as users of the site. A close examination of the headers in this data revealed a certain IP address not associated with the Tor network (the Subject IP Address) as the source of some of the data. FBI personnel entered the Subject IP Address directly into an ordinary (non-Tor) web browser, and it brought up a screen associated with the Silk Road login interface, confirming that the IP address belonged to the SR Server.
The FBI’s declaration explains that the investigating agent entered “miscellaneous” information into the login prompt of the Silk Road server and received an error message. A forensic analysis of the error message found that it contained an IP address not associated with Tor. That IP address was the address of the Silk Road server.
The DOJ brief argues that there was “nothing unconstitutional or otherwise unlawful” about obtaining the inadvertently leaked IP address from the Silk Road server:
There was nothing unconstitutional or otherwise unlawful in the FBI’s detection of that leak. The Silk Road website, including its user login interface, was fully accessible to the public, and the FBI was entitled to access it as well. See United States v. Meregildo, 883 F. Supp. 2d 523, 525 (S.D.N.Y. 2012) (noting that web content accessible to the public is not protected by the Fourth Amendment and can be viewed by law enforcement agents without a warrant). The FBI was equally entitled to review the headers of the communications the Silk Road website sent back when the FBI interacted with the user login interface, which is how the Subject IP Address was found.
It does not matter that Ulbricht intended to conceal the IP address of the SR Server from public view. He failed to do so competently, and as a result the IP address was transmitted to another party — which turned out to be the FBI — who could lawfully take notice of it. See United States v. Borowy, 595 F.3d 1045, 1048 (9th Cir. 2010) (finding that defendant had no legitimate privacy interest in child pornography files posted on peer-sharing website, notwithstanding that defendant had made “ineffectual effort” to use site feature that would have prevented his files from being shared); United States v. Post, __ F. Supp. 2d __, 2014 WL 345992, at *2-*3 (S.D. Tex. Jan. 30, 2014) (finding that defendant had no legitimate privacy interest in metadata used to identify him that was embedded in file he had posted on Tor website, notwithstanding that “he did not realize he was releasing that information and he intended to remain anonymous”).
In short, the FBI’s location of the SR Server was lawful, and nothing about the way it was accomplished taints any evidence subsequently recovered in the Government’s investigation.
I wonder: Does DOJ’s position that there is “nothing . . . unlawful” about this procedure mean that DOJ concedes that it would not violate the Computer Fraud and Abuse Act, 18 U.S.C. 1030, the federal computer hacking statute?
The FBI’s location of the SR server brings to mind the prosecution of my former client Andrew Auernheimer, aka “weev,” who readers may recall was criminally prosecuted for his role in visiting website addresses on an AT&T server that AT&T had thought and hoped would not be found by the public. Auernheimer’s co-conspirator found that AT&T had posted e-mail addresses on its server at IP addresses that the public was not expected to find.
In defending its prosecution, DOJ took the view that obtaining information at the website addresses was criminal unauthorized access because AT&T had not intended for the public to see it and it was in a place where an ordinary computer user would likely not find it. (The Third Circuit ultimately overturned the conviction on venue grounds without reaching the lawfulness of the conduct under the CFAA.) In defending conduct in the Silk Road case, however, DOJ takes the view that there is “nothing . . . unlawful” about taking advantage of a server misconfiguration to obtain data inadvertently “leaked” by the server because that information is “fully accessible to the public.”
In Auernheimer, DOJ argued that data on a webserver was protected by law if an ordinary user could not find it. In the Silk Road case, DOJ argues that data on a webserver is unprotected by law if the system administrator configured the network incompetently so that an FBI expert could find the data. It sounds like there’s some significant tension between the government’s position in the two cases.
Granted, the CFAA and the Fourth Amendment are not the same thing. Further, the CFAA has an exception for “lawfully authorized investigative . . . activity of a law enforcement agency of the United States,” although the Silk Road brief does not rely on it. But there’s an interesting tension there. Perhaps the difference just reflects the different positions of two different prosecutors or two different offices litigating the two different cases. Or, more cynically, maybe it’s just natural to view the lawfulness of conduct differently when prosecuting versus defending it.