Tech by VICE

Should Hacking a Tor User to Get an IP Address Require a Warrant?

Judges are divided on whether the FBI grabbing dark web users' IPs constitutes a search.

by Joseph Cox
Sep 21 2016, 4:30pm

On Monday, a judge chucked out all evidence obtained by a piece of FBI malware in a child porn case, becoming the third court to suppress evidence related to the FBI's investigation of dark web site Playpen.

But US District Court Judge Robert W Pratt also threw a punch in an ongoing legal debate with implications that stretch beyond any single case.

In recent months, judges, defense lawyers, and the government have fought over whether obtaining a Tor user's real IP address, perhaps through hacking, counts as a search under the Fourth Amendment. The debate has serious consequences for whether law enforcement requires a warrant to break into a suspect's computer, even if it's only to learn the target's IP address.

Pratt argued that when the FBI hacked suspected Playpen users and grabbed their IP addresses, that constituted a search.

"If a defendant writes his IP address on a piece of paper and places it in a drawer in his home, there would be no question that law enforcement would need a warrant to access that piece of paper—even accepting that the defendant had no reasonable expectation of privacy in the IP address itself," Pratt writes in his order.

In the same vein, if an IP address is stored "on" a suspect's computer, which is in their home, law enforcement would also need a warrant to remotely search that computer. A Texas judge in a related case recently argued a similar point.

Both these cases revolve around the FBI's investigation into Playpen. In February 2015, the agency took over the site, but instead of shutting it down, briefly ran it and delivered malware in an attempt to identify its users. That malware was activated when a Playpen user visited a child pornography-related thread, and it grabbed the user's real IP address, MAC address, and some other technical information.

But judges are divided over whether obtaining the IP addresses in this way constitutes a search, and whether Tor users have a reasonable expectation of privacy around their real IP address.

One argument from US District Court judge Robert J Bryan, in another Playpen case, was that, because Internet Service Providers (ISPs) know their customers' IP addresses, IPs are "public information, like an unlisted telephone number." Henry Coke Morgan, Jr., a senior US District Judge, echoed that idea in June.

But in the Playpen cases, investigators obtained IP addresses from the suspects' private computers. Indeed, the entire reason the FBI deployed malware was that the agency couldn't just discover suspects' IP addresses or go to the ISPs.

"Obtaining information from inside a suspect's computer is a search, no matter what the information is. It doesn't matter whether the information is an IP address, it matters how the information is obtained," Orin Kerr, a law professor from George Washington University, told Motherboard in an email.

"It's no different from the physical world, where what matters is whether the government broke into a private space to get the information," Kerr said.
