During the largest known law enforcement hacking campaign, the FBI reportedly hacked into thousands of computers around the world and implanted malware that allowed them to gather personal data, according to court documents.
The FBI’s international hacking efforts stem from an investigation called “Operation Pacifier.”
Launched in 2014, the FBI conducted an investigation into a child pornography website called Playpen after they obtained the IP address associated with the site. The site operated on the onion router (Tor) network, which masks IP addresses and other identifying information.
According to court documents, the FBI obtained a warrant from a magistrate judge in the Eastern District of Virginia to search and seize “property located in the Eastern District of Virginia.” The warrant also authorized the FBI to send malware from the Playpen server to computers that logged on to the site with a username and password.
After the FBI seized Playpen’s servers, they decided not to shut the site down, but moved it to a government facility, where they operated the site for 15 days from February 19 to March 5, 2015.
During this time, the FBI operated Playpen as an undercover website and targeted thousands of computers that tried to access the site with a type of malware called a “network investigative technique” (NIT).
The FBI used an “exploit” that took advantage of a vulnerability in the Tor browser, which allowed them to breach a computer’s operating system. The NIT also had a “payload” component that allowed the FBI to search a computer’s files and operating system and allowed them to send the data back to the FBI, where it was stored on their servers.
The application for the warrant stated that the malware “may cause an activating computer – wherever located – to send to a computer controlled by or known to the government, network level messages containing information that may assist in identifying the computer.”
However, Robert Goldsmith, who is representing several other defendants in affected cases, argued in a hearing last year that “nowhere in any of the warrant documents, the application, the warrant face itself, do they use that word ‘international.’”
The FBI seized 8,713 IP addresses and other data from computers located in the US and 120 other countries around the world, including Russia, China and Iran, as well as data from an entity the Government described as “a satellite provider.” According to an evidentiary hearing in the case last year, 7,281 of those IP addresses were obtained from foreign computers.
According to the appeal, the way the FBI implanted the malware meant they would not have known the country of origin of a computer before they had collected the user’s data.
"We have never, in our nation's history as far as I can tell, seen a warrant so utterly sweeping," federal public defender Colin Fieman, who is representing defendants said at a hearing last year.
In April 2016, a judge ruled that the warrant was “issued without jurisdiction.” It marked the first time that a judge threw out evidence obtained by a hacking operation.
“It follows that the resulting search was conducted as though there were no warrant at all,” Judge William Young of the District of Massachusetts wrote. "Since warrantless searches are presumptively unreasonable, and the good-faith exception is inapplicable, the evidence must be excluded.”
The court documents come from an appeal filed by David Tippens, the site's original administrator, who asked the court to dismiss his case and reverse his conviction. His attorneys argue that “the Government committed outrageous misconduct during the undercover operation” in violation of his Fourth Amendment rights.
Legal experts have also questioned the legality of the case. The American Civil Liberties Union and the Electronic Frontier Foundation, as well as Privacy International, have all filed briefs in the case.
“Without the articulation of specific norms on when, how, and who law-enforcement actors should be permitted to hack, cross-border cyber operations that are attributed to US, law enforcement may send unintended signals to other states,” Ahmed Ghappour, an associate professor at Boston University School of Law who has researched law-enforcement agencies’ use of malware on the dark web, told The Daily Beast.
While they were operating Playpen, the FBI kept at least 67,000 images, videos and links on the site with no restrictions on user’s ability to copy the material or post new images.
The FBI also allegedly distributed more than a million images and videos of child pornography during that time and “facilitated the posting of thousands of images of child abuse.”
The court documents go on to say that the FBI boosted membership of the site by more than 56,000 new users in 15 days after making improvements to the speed, accessibility and “file hosting” features on the site that allowed users to post, download, and redistribute images.
“During this time, the FBI was one of the world’s largest distributors of child pornography on the Internet, ultimately acquiring 214,898 Playpen ‘members’ and approximately 100,000 active visitors while the site was under government control,” the appeal reads.