The judge who authorized the FBI to hack 1,300 dark web users under a single warrant seems to be pretty confused about how the anonymity software Tor works. Newly unsealed documents suggest that the confusion stems from the US Department of Justice's own arguments.
In the documents, the DOJ argues that Tor users have no reasonable expectation of privacy when it comes to their IP address. This is the same argument that the judge used to justify the FBI implanting malware onto a dark web site in order to grab user IP addresses. It's also a counterintuitive point to make given that masking a computer's IP address is the whole point of using Tor.
The argument comes from the case of Jay Michaud, a public school employee in Vancouver, WA accused of accessing images of child abuse on a now-defunct hidden site called Play Pen, which the FBI seized and controversially continued running from its own server for 13 days. The Bureau hacked the computers of anyone accessing child abuse images on the seized site using malware called a Network Investigative Technique, or NIT, which infected the connecting machines and transmitted their true IP addresses back to the FBI.
One of the biggest issues raised in the case is whether a person using Tor has a reasonable expectation of privacy when it comes to their true IP address, which identifies users.
"Under normal use of the Internet, that communication to the site would have revealed Michaud's IP address"
Judge Robert J. Bryan ruled that Michaud didn't have an expectation of privacy, saying that his IP address was "public information" like an "unlisted phone number" because it was revealed to his Internet Service Provider during the process of connecting to the Tor network. That would mean the IP falls under the third party doctrine, which states that there's no expectation of privacy for data given to a third party, even if it's transmitted unwittingly.
That mischaracterization of how Tor works and why people use it seems almost identical to one advanced by US prosecutors in the government's counter-argument unsealed on Friday.
"[E]ven if a defendant wants to seek to hide his Internet Protocol address through the use of Tor, that does not cloak the IP address with an expectation of privacy," the government wrote, in a statement very similar to the opinion later written by Judge Bryan. "While Michaud may have a reasonable expectation of privacy in stored information contained on his computer, he lacks a reasonable expectation of privacy in IP address information that belongs to an internet service provider and that is voluntarily shared with others in the course of Internet communications."
Oddly, the prosecutors also claim that the defense's argument, which points out that Michaud never "shared" his IP address because the Tor network obfuscates it, "is not correct and is premised upon a misunderstanding of how Tor works."
"Under normal use of the Internet, that communication to the site would have revealed Michaud's IP address to the [FBI's] web server," the government wrote. "The authorized NIT merely caused Michaud's computer to send such information into the District."
But this ignores the fact that people use Tor specifically because they don't want to use the internet "normally," they want to use the internet anonymously. It's true that, like with any website or service, you expose your real IP address to an ISP when connecting to the Tor network. But that network is purposefully designed to bounce data around the globe so that you don't reveal your IP to the site you're connecting to.
Nevertheless, the judge and the prosecutors both suggest that Michaud voluntarily gave up his true IP address even while using Tor, because his IP could have been correlated with his anonymized connection to the hidden site by "other means," which they don't specify.
Michaud may have been caught red-handed, but his case continues to potentially have long-reaching legal implications for other Tor users.