Judge: child porn evidence obtained via FBI’s Tor hack must be suppressed

Third judge rules that Playpen search warrant was invalid from the start.

Cyrus Farivar

Andrew Brookes / Getty Images News

A federal judge in Iowa has ordered the suppression of child pornography evidence derived from an invalid warrant. The warrant was issued as part of a controversial government-sanctioned operation to hack Tor users. Out of nearly 200 such cases nationwide that involve the Tor-hidden child porn site known as "Playpen," US District Judge Robert Pratt is just the third to make such a ruling.

"Any search conducted pursuant to such warrant is the equivalent of a warrantless search," Judge Pratt wrote Monday in his 19-page order in United States v. Croghan.

While the charges against Beau Croghan have not been dropped yet, the ruling significantly hinders the government's case.

Earlier this year, federal judges in Massachusetts and Oklahoma made similar rulings and similarly tossed the relevant evidence. Thirteen other judges, meanwhile, have found that while the warrants to search the defendants' computers via the hacking tool were invalid, they did not take the extra step of ordering suppression of the evidence. The corresponding judges in the remainder of the cases have yet to rule on the warrant question.

In all of these cases related to Playpen, a federal magistrate judge in Virginia issued a warrant that was then used to authorize the deployment of this tool, known as a "network investigative technique," or NIT, as a way to locate users.

Under current rules of federal jurisprudence, magistrate judges only have the authority to issue warrants within their own district. However, a change in this rule will almost certainly expand this power to magistrate judges later this year, absent Congressional action. As of now, only more senior federal judges, known as district judges, have the authority to issue out-of-district warrants. So, Judge Pratt concluded, because the warrant was invalid ab initio, or from the beginning, any evidence that resulted from that search must be suppressed.

"Here, by contrast, law enforcement caused an NIT to be deployed directly onto Defendants' home computers, which then caused those computers to relay specific information stored on those computers to the Government without Defendants' consent or knowledge," Judge Pratt wrote.

"There is a significant difference between obtaining an IP address from a third party and obtaining it directly from a defendant’s computer."

As the judge continued:

If a defendant writes his IP address on a piece of paper and places it in a drawer in his home, there would be no question that law enforcement would need a warrant to access that piece of paper—even accepting that the defendant had no reasonable expectation of privacy in the IP address itself. Here, Defendants' IP addresses were stored on their computers in their homes rather than in a drawer.

Our tax dollars at work

As Ars has reported before, investigators in early 2015 used the NIT to force Playpen users to cough up their actual IP address, which made tracking them down trivial. In yet another related case prosecuted out of New York, an FBI search warrant affidavit described both the types of child pornography available to Playpen's 150,000 members and the malware's capabilities.

As a way to ensnare users, the FBI even took control of Playpen and ran it for 13 days before shutting it down. During that period, with many users' Tor-enabled digital shields down—revealing their true IP addresses—the government was then able to identify and arrest the nearly 200 child porn suspects. (However, nearly 1,000 IP addresses were revealed as a result of the NIT’s deployment, which could suggest that even more charges could be filed.)

Privacy-minded experts applauded Judge Pratt's reasoning—that the government should not have the ability, absent proper warrants, to hack into people's computers.

"Judge Pratt correctly interpreted the NIT's function and picked the correct analogy," Fred Jennings, a New York-based lawyer who has worked on numerous computer crime cases, told Ars. Jennings continues:

[Pratt] correctly points out that the usual analogies, to tracking devices or IP information turned over by a third-party service provider, are inapplicable to this type of government hacking. A common theme in digital privacy, with Fourth Amendment issues especially, is the difficulty of analogizing to apt precedent—there are nuances to digital communication that simply don't trace back well to 20th-century precedent about physical intrusion or literal wiretapping.

By contrast to Judge Pratt, other courts have struggled with the basics of how Tor and IP addresses work.

"In attempting to salvage the mess they made with Playpen, [the Department of Justice] has tried to say that the NIT is like a GPS tracking device," Chris Soghoian, a technologist for the American Civil Liberties Union, told Ars.

"And, sadly, several judges have bought it, saying that the defendants traveled virtually to Virginia, and that the NITs were installed in Virginia while they were virtually there."

For its part, the government has said it is not sure how it will deal with the suppression order in Croghan.

"Our office is still in the process of reviewing the judge's order that was issued yesterday," Rachel Scherle, a federal prosecutor in Iowa, told Ars by e-mail. "No decisions have been made as to dismissal or appeal at this time, but I will keep you posted."