Feds ‘Hacked’ Silk Road Without A Warrant? Perfectly Legal, Prosecutors Argue


Ross Ulbricht.

Ross Ulbricht. Courtesy Ulbricht family



With only a month until the scheduled trial of Ross Ulbricht, the alleged creator of the Silk Road drug site, Ulbricht’s defense lawyers have zeroed in on the argument that the U.S. government illegally hacked the billion-dollar black market site to expose the location of its hidden server. The prosecution’s latest rebuttal to that argument takes an unexpected tack: they claim that even if the FBI did hack the Silk Road without a warrant—and prosecutors are careful not to admit they did—that intrusion would be a perfectly law-abiding act of criminal investigation.


On Monday evening the prosecutors submitted the latest in a series of combative court filings from the two sides of the Silk Road case that have clashed over Ulbricht’s Fourth Amendment right to privacy. The government’s new argument responds to an affidavit from an expert witness, tech lawyer Joshua Horowitz, brought in by Ulbricht’s defense to poke holes in the FBI’s story of how it located the Silk Road server. In a letter filed last week, Horowitz called out inconsistencies in the FBI’s account of stumbling across the Silk Road’s IP address while innocently entering “miscellaneous data” into its login page. He testified that the FBI’s actions instead sounded more like common hacker intrusion techniques. Ulbricht’s defense has called for an evidentiary hearing to cross examine the FBI about the operation.


In the government’s rebuttal, however, Ulbricht’s prosecutors don’t directly contest Horowitz’ description of the FBI’s investigation, though they do criticize his testimony in passing as “factually and analytically flawed in a number of respects.” Instead, they obliquely argue that the foreign location of the site’s server and its reputation as a criminal haven mean that Ulbricht’s Fourth Amendment protections against unreasonable searches don’t apply, even if the FBI did use hacking techniques to penetrate the Silk Road, and did so without a warrant.


“Even if the FBI had somehow ‘hacked’ into the [Silk Road] Server in order to identify its IP address, such an investigative measure would not have run afoul of the Fourth Amendment,” the prosecutors’ new memo reads. “Given that the SR Server was hosting a blatantly criminal website, it would have been reasonable for the FBI to ‘hack’ into it in order to search it, as any such ‘hack’ would simply have constituted a search of foreign property known to contain criminal evidence, for which a warrant was not necessary.”


The Silk Road server in question, after all, was located not in the United States but in a data center near Reykjavik, Iceland. And though Ulbricht is an American citizen, the prosecutors argue that the server’s location abroad made it fair game for remote intrusion. “Because the SR Server was located outside the United States, the Fourth Amendment would not have required a warrant to search the server, whether for its IP address or otherwise,” the prosecution’s filing reads.


In a footnote, the memo adds another strike against Ulbricht’s Fourth Amendment protections: The Silk Road was not only hosted in a foreign data center, but also rented from a third-party web hosting service. And because Ulbricht allegedly violated the company’s terms of service by using its computers to deal in narcotics and other contraband, that company was exempted from any obligation to protect his privacy.


Finally, prosecutors argue that for the 30-year-old Texan to claim privacy protections for Silk Road’s server, he would have to declare that it belonged to him. That’s a tricky Catch-22: Ulbricht hasn’t claimed personal possession of that computer’s data, as doing so would almost certainly incriminate him. But because he hasn’t he can’t claim that his privacy was violated when it was searched, according to the prosecutor’s reasoning. “Because Ulbricht has not submitted any affidavit alleging that he had any possessory interest in the SR Server—let alone one that would give him a reasonable expectation of privacy—his motion should be denied,” reads the prosecutors’ filing.


Early Tuesday, Judge Katherine Forrest ordered Ulbricht’s defense to decide within the day whether it will argue that Ulbricht did have an expectation of privacy for the Silk Road server, as well as all his other seized computers and online accounts. She’s given him until the end of the day Wednesday to make that argument Ulbricht’s defense didn’t immediately respond to a request for comment.


The pre-trial motion over which Ulbricht’s defense lawyers and the prosecution have been sparring for the last two months doesn’t directly seek to have the central narcotics conspiracy and money laundering charges against Ulbricht dismissed. Instead, his lawyers have sought to prove that the evidence gathered by law enforcement is tainted. If the initial pinpointing of Silk Road’s server was illegal, they argue, practically all the evidence from the resulting investigation could be rendered inadmissible.


Early last month, the government responded to that motion with an affidavit from former FBI agent Christopher Tarbell describing how the Silk Road server was first found. As he described it, a misconfiguration of the anonymity software Tor allowed the site’s login page to leak its IP address.


But the technical experts in the security and privacy community immediately expressed deep skepticism of that account. And last week Ulbricht’s defense responded with a list of inconsistencies in Tarbell’s affidavit, as well as new accusations that the FBI had violated the hacking law known as the Computer Fraud and Abuse Act. (CFAA) Ulbricht’s attorneys compared the FBI’s actions to those of Andrew “Weev” Auernheimer, who was convicted in 2012 of conspiracy to violate the CFAA when he and a friend collected more than a hundred thousand iPad users’ email addresses from an insecure AT&T website.


While the prosecution’s latest filing doesn’t dwell on the facts of Tarbell’s story, it does point out that the CFAA hacking law has an exemption for law enforcement. It also takes issue with the defense’s definition of “hacking.” In the defense’s Auernheimer example, the government argues, the hacker in question “impersonated” AT&T users to gain access to “non-public” information. (Nevermind that the email addresses in Auernheimer’s case were visible to anyone who typed a specific URL into his or her browser.) The FBI’s Tarbell, by contrast, only accessed “public” data on the Silk Road, the prosecution contends.


“The Tarbell Declaration does not describe any such impersonation of Silk Road users to gain access to their information on the SR Server,” reads the prosecution’s letter. “It describes former Agent Tarbell’s close examination of traffic data received from the Silk Road website when he used a part of it that was fully accessible to the public at large—the login interface—and received error messages that were accessible to any user who entered erroneous login information.


Regardless of whether the government calls it “hacking” or a mere warrantless “search,” however, prosecutors’ arguments against Ulbricht’s Fourth Amendment protections aren’t particularly convincing, says Jennifer Granick, director of civil liberties at Stanford Law School’s Center for Internet and Society. In the case of the prosecution’s argument that Ulbricht would need to declare his ownership of the Silk Road server to claim any right to the privacy of its data, she points out that Ulbricht could also claim a right to privacy as a mere user of the site.


“He doesn’t have to own the server,” she says. “Even if he’s just communicating on that server, he already has a reasonable expectation of privacy.”


As for the government’s argument that any foreign server containing an American’s data can be searched without a warrant, Granick says that notion remains legally unproven at best. “This is not an obvious or open-shut argument at all…Overseas searches that target Americans still have to be reasonable,” she argues. “If the target is a US person and it’s a US agent looking for information, the Fourth Amendment still applies.”


Whether Judge Forrest, who’s presiding over Ulbricht’s case, takes a similar view will only become clear in the coming weeks. But Granick contends that the defense has at least shown that it deserves the evidentiary hearing it’s requested, with an opportunity to cross-examine the FBI about its methods. “I don’t think this is a strong legal argument,” she says of the prosecution’s filing. “I do think that the defendant has alleged sufficiently that his communications flowing over this system are protected by the Fourth Amendment, such that the government should have to explain why their investigation didn’t cross that line.”


Read the full filing from the prosecutors below.


Prosecution Response to Horowitz Declaration



No comments:

Post a Comment