FBI: Our Malware Sends Unencrypted Evidence, and That's a Good Thing

In fact, it's good for the defendants in the Playpen case, FBI agent says.
Janus Rose
New York, US

The FBI is facing plenty of controversy over its Network Investigative Technique (NIT), the innocuously named malware it used to identify thousands of anonymous users viewing images of child abuse on a hidden dark web site called Playpen.

Under a single warrant, the NIT (which the FBI staunchly refuses to call "malware") infected thousands of computers around the globe, injecting malicious code that caused any machine visiting the Playpen site to quietly transmit information back to the FBI—most importantly, its IP address, which is normally obscured by the anonymous Tor network. The hacking tool sent that information back to the FBI unencrypted, leaving it open to interception or manipulation by third parties.


But the government doesn't seem to think that's such a big deal. In fact, the FBI argued earlier this week in one of the Playpen cases that not encrypting the information captured by the NIT is actually a good thing, because it allows the defendants to see the transmitted data and use it in their defense.

"In fact, the network data stream that has been made available for defense review would be of no evidentiary value had it been transmitted in an encrypted format," wrote FBI Special Agent Daniel Alfin, in testimony for the case of Edward Joseph Matish III, one of the Playpen defendants. "Because the data is not encrypted, Matish can analyze the data stream and confirm that the data collected by the government is within the scope of the search warrant that authorized the use of the NIT."

According to Alfin, that unencrypted data stream, which included the IP address, also "confirms that the data sent from Matish's computer is identical to the data the government provided as part of discovery" for Matish's case. He asserts that because it wasn't encrypted, it's now possible to perform various forensic tests on the data to prove the veracity of the evidence the FBI is presenting against Matish.

Alfin's argument is part of an ongoing conflict in the Playpen cases over whether the FBI must disclose the malware code it used to infect the defendants' computers and discover their IP addresses. To avoid having to surrender that code, the FBI is trying to show that the available evidence—including the network stream of the NIT malware phoning home—is sufficient for the defense to confirm that the data retrieved by the FBI from Matish's computer is accurate and untampered-with.

The problem is that the data sent by the NIT was not authenticated, so there is no way to cryptographically prove, from the unencrypted network stream alone, that the data the FBI received was not modified in transit. Comparing the capture against the discovery copy shows only that the two copies match each other, not that either matches what the infected machine originally sent. The only way to confirm that, the defense argues, is to force the FBI to reveal the full malware code so the defense can examine exactly how it generated the unique identifier assigned to each computer infected by the NIT.
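The distinction between "readable" and "authenticated" is the crux of that paragraph, so here is an added illustration of it in Python. This is example code written for this page, not the NIT's code and not anything the FBI or the defense filed; the record format, the field values and the verification key are all constructed placeholders. It shows three checks a reviewer could run over a captured phone-home record: a plain equality check against a second copy (which is all an unencrypted, untagged stream supports), an unkeyed hash (which anyone who alters the record can recompute), and a keyed HMAC tag (which fails on any altered byte, but only helps if the sending side attached one and the verifier is given the key).

```python
import hashlib
import hmac

# Constructed sample record standing in for the kind of fields a phone-home
# message might carry. Every value here is a placeholder, not data from the case.
CAPTURED_RECORD = b'uid=EXAMPLE-UID-0001;host=workstation;ip=203.0.113.42'

# Hypothetical verification key. A real deployment would have to provision it
# to the collecting side and later hand it to whoever is asked to verify.
VERIFY_KEY = b'example-key-not-real'


def stream_matches_discovery(captured: bytes, discovery_copy: bytes) -> bool:
    """All that comparing the network capture against the discovery copy shows:
    the two byte strings are equal. It says nothing about whether either copy
    matches what the infected machine originally emitted."""
    return captured == discovery_copy


def hash_only_check(record: bytes, digest: bytes) -> bool:
    """An unkeyed hash shipped alongside the record is not authentication:
    whoever can alter the record can recompute the digest, so a passing check
    proves only that the record and digest are internally consistent."""
    return hashlib.sha256(record).digest() == digest


def tag_record(record: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 tag that the sending side would have to attach at emission
    time for integrity to be checkable later."""
    return hmac.new(key, record, hashlib.sha256).digest()


def verify_record(record: bytes, tag: bytes, key: bytes) -> bool:
    """Keyed integrity check: passes only if the record is byte-for-byte what
    the key holder tagged. compare_digest avoids timing side channels."""
    return hmac.compare_digest(tag_record(record, key), tag)


def demo() -> dict:
    """Run all three checks over the original record and a copy with one field
    changed (standing in for a modification somewhere between the machine and
    the capture point)."""
    tag = tag_record(CAPTURED_RECORD, VERIFY_KEY)
    changed = CAPTURED_RECORD.replace(b'203.0.113.42', b'198.51.100.7')
    return {
        # Equality between two copies of the same altered stream: passes, proves nothing.
        'equality_only': stream_matches_discovery(changed, changed),
        # Unkeyed hash recomputed over the altered record: passes, proves nothing.
        'hash_recomputed': hash_only_check(changed, hashlib.sha256(changed).digest()),
        # Keyed tag over the untouched record: passes.
        'mac_original': verify_record(CAPTURED_RECORD, tag, VERIFY_KEY),
        # Same tag over the altered record: fails, which is the property the
        # unauthenticated NIT stream cannot offer.
        'mac_changed': verify_record(changed, tag, VERIFY_KEY),
        # The tag is useless to a verifier without the key.
        'mac_wrong_key': verify_record(CAPTURED_RECORD, tag, b'some-other-key'),
    }


if __name__ == '__main__':
    for name, result in demo().items():
        print(f'{name}: {result}')
```

Note the caveat the last two results carry: a MAC proves only that a record matches what the key holder tagged, and checking it requires the key. Even if the NIT had tagged its output, that would establish integrity from the moment of emission onward; it would not answer the separate question in the case of how the per-machine identifier was generated, which is why the defense is pressing for the code itself.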

But so far, the government has resisted having to disclose that code, arguing that doing so would reveal a valuable investigative technique. In another Playpen-related case, a judge threw out evidence obtained from a NIT after the Department of Justice made clear it would not reveal the malware's code under any circumstances.