Task Force Argo uses a scorpion in its insignia. Image: NPS/Robb Hannawacker
Australian authorities hacked Tor users in the US as part of a child pornography investigation, Motherboard has learned.The contours of this previously-unreported hacking operation have come to light through recently-filed US court documents. The case highlights how law enforcement around the world are increasingly pursuing targets overseas using hacking tools, raising legal questions around agencies' reach.
In one case, Australian authorities remotely hacked a computer in Michigan to obtain the suspect's IP address."I think that's problematic, because they've got no jurisdiction," Greg Barns, an Australian barrister who practices criminal and human rights law who's also a former national president of the Australian Lawyers Alliance, told Motherboard in a phone call."The Love Zone" was a prolific dark web child abuse site, where users were instructed to upload material at least once a month to maintain access to the forum. By July 2014, the site had over 29,000 members, according to US court documents, constituting what the US Department of Justice described as a "technologically sophisticated conspiracy."
In 2014, Queensland Police Service's Task Force Argos, a small, specialised unit focused on combating child exploitation crimes, identified the site's Australian administrator in part because of a localized greeting he signed messages with. The unit quietly took over his account, and for months ran the site in an undercover capacity, posing as its owner. Task Force Argos' logo includes a scorpion, and the tagline "Leave No Stone Unturned."Because The Love Zone was based on the dark web, users typically connected via the Tor network, masking their IP addresses even from the law enforcement agents who were secretly in control of the site. Task Force Argos could see what the users were viewing, and what pages they were visiting, but not where they were really connecting from.
"If they get your IP address from the Tor Browser, then it is law enforcement hacking"
In response, Australian authorities hacked some of the users to get their real IP addresses."The proprietors of TLZ [The Love Zone] designed the website to allow users anonymity when they visited the site, but after the Australians took it over, they unmasked the IP addresses of many of those who used the site," a court document from the case of Seth Piccolo reads. Last month, Piccolo, from Grand Rapids, Michigan, was sentenced to five years in prison after pleading guilty to distribution and possession of child pornography.
After hacking their targets, the Australians turned over information on US citizens to the FBI. A filing in another The Love Zone case suggests the FBI received IP addresses for more than 30 US-based users of the site."All of those users are currently under investigation for producing, distributing, receiving and accessing child pornography through this website," Department of Justice attorneys wrote in the document, unsealed in March of this year.Matthew Borgula, Piccolo's attorney, confirmed to Motherboard in an email that Australian authorities sent Piccolo a link that, once clicked, sent his real IP address to investigators.Details on how exactly this was achieved are limited, but according to a court document from another case, "When a user clicked on that hyperlink, the user was advised that the user was attempting to open a video file from an external website. If the user chose to open the file, a video file containing images of child pornography began to play, and the FLA [foreign law enforcement agency] captured and recorded the IP address of the user accessing the file."
The file was configured in such a way as to route the target's traffic outside of the Tor network, the document explains."If they get your IP address from the Tor Browser, then it is law enforcement hacking," Christopher Soghoian, principal technologist at the American Civil Liberties Union, told Motherboard in an encrypted phone call.The Love Zone's Australian owner, Shannon McCoole, is currently serving 35 years in jail for child sexual abuse. But things get more legally complicated when Australian authorities gather information on suspects overseas."The person would have to have a link to the jurisdiction," Barns, from Stawell Chambers, wrote in an email.He added that authorities might be able to argue that because the site's owner was Australian, that gives them the greenlight to conduct overseas searches for other suspects. At one point, The Love Zone server was also reportedly moved to Brisbane, giving Task Force Argos, the Queensland Police Service unit that took over the site, access to every private message on the site."But they can't simply wander around the world, assisting other law [enforcement], saying, 'We're here to help,'" Barns said.By the very virtue of the investigation, Australian authorities likely would not have known where the computer they wanted to hack was located; indeed, that was the exact problem that the Tor network presented.
Whether the Australian authorities hacked computers in other countries remains unclear.
It is unclear on what authority Australian law enforcement obtained a warrant, or whether one was obtained at all to gather IP addresses from Piccolo and others in the US. Task Force Argos declined to answer any questions or comment for this story.The Australian Federal Police (AFP) told Motherboard in an email that, "The AFP was not aware of, or involved with this operation." The AFP directed all enquiries back to the Queensland Police Service.Whether using a hacking tool to grab the real IP address of a Tor user constitutes a search in a legal sense has recently become a contentious issue in the US. Several judges have said that suspects do not have a reasonable expectation of privacy around their IP address when using the Tor network, meaning that it is not protected by the Fourth Amendment, and a hack grabbing it would not require a warrant. The Electronic Frontier Foundation, as well as some courts, have argued otherwise.Many judges presiding over cases stemming from the FBI's Playpen investigation, in which the agency hacked thousands of suspected visitors of another child pornography site, have found that the warrant was invalid because the judge who signed it did not have the authority to greenlight searches outside of her district. Previous Motherboard investigations have found that the FBI, as well as targeting suspects around the US, hacked computers in Austria, Denmark, and elsewhere."It's easy to think of law enforcement hacking just as a phenomenon where the US hacks people who are located around the world, and we have to remember that this works both ways," Soghoian told Motherboard.Whether the Australian authorities hacked computers in other countries remains unclear.Christopher Allen, a spokesperson for the FBI, declined to answer specific questions about the The Love Zone operation, but said that generally, "The FBI, led by its Legal Attaches in numerous countries around the world, seeks to foster strategic partnerships with foreign law enforcement, intelligence, and security services as well as with other US government agencies by sharing knowledge, experience, capabilities and by exploring joint operational opportunities."