Acting on a single warrant, the FBI installed spyware on thousands of personal computers running Tor, a piece of software that obscures a user's IP address by bouncing information between relays around the world.
The FBI operation was conducted as part of a child porn sting, reports Vice's Motherboard. They obtained a warrant that "effectively authorizes an unlimited number of searches, against unidentified targets, anywhere in the world," says Colin Feiman, federal public defender in charge of some of the cases related to the sting.
The warrant targeted users of a website called Playpen, described in the FBI's complaint as "the largest remaining known child pornography hidden service in the world." Playpen averaged 11,000 unique visitors per week, had almost 215,000 users and 117,000 total posts containing imagery of extreme child abuse, as well as advice on how abusers could avoid detection online. In order to access Playpen, users needed to use Tor, which anonymizes internet connections, making it nearly impossible for law enforcement to link IP addresses to real-world people.
According to Feiman, "If you visited the homepage, and started to sign up for a membership, or started to log in, the warrant authorized deployment of the NIT."
NIT stands for Network Investigative Technique and consists of a flash application downloaded on the target's computer that sends technical information, including the unobscured IP address, directly to an FBI server, bypassing Tor.
According to court papers, over one thousand of the IP addresses were based in the U.S. The remaining ones came from computers in Australia, Austria, Chile, Colombia, Denmark, Greece, and likely the U.K., Turkey, and Norway.
In all, 14 court decisions have found that the warrant, signed by Magistrate Judge Theresa C. Buchanan, was not issued pursuant to Rule 41 of the Federal Rules of Criminal Procedure. Buchanan was not authorized to sign off on searches beyond her district, the eastern district of Virginia. Changes to Rule 41 that will permit warrants like the one used against Playpen are likely to come into play Dec. 1.
The changes will "give rank and file law enforcement officers way too much discretion to conduct hacking techniques within and outside the United States," according to Ahmed Ghappour, visiting assistant UC Hastings College of Law professor and author of a paper on the subject.
According to Wired, the sweeping authority of the FBI to inject spyware onto Tor users' computers isn't new. In 2013, Wired reported that the FBI took over Freedom Hosting, a service that hosts sites on the deep web, some of which contain child porn. But on Aug. 4, 2013, anyone who visited a site stored on Freedom Hosting's servers were met with an error message. The error page contained hidden code that injected a NIT onto the user's computer, whether or not they were visiting an illegal site or a legal one.
Christopher Soghoian, principal technologist at the American Civil Liberties Union, says we can expect more broad actions like these from the FBI and other agencies. "With the changes to Rule 41," he says, "this is probably the new normal. We should expect to see future operations of this scale conducted not just by the FBI, but by other federal, state and local law enforcement agencies, and we should expect to see foreign law enforcement agencies hacking individuals in the United States, too."