Pedophiles have the same right to privacy as everyone else.
That is almost surely a losing political argument. But privacy advocates contend that if it is not a winning legal argument, then everybody’s privacy will be in jeopardy.
It is an argument that is especially intense now, regarding the so-called Playpen cases. The US Department of Justice (DoJ) is prosecuting a reported 137 people who they allege visited a now-defunct child porn website called Playpen in 2015, while it was under the control of the FBI.
And while privacy advocates hasten to say they are not defending the sexual abuse of children, and don't oppose lawful investigations of such crimes, they contend that the government surveillance of Playpen visitors violated the defendants’ Fourth Amendment privacy rights.
They note that the principle is similar to that of the First Amendment: It exists to protect unpopular speech, since popular speech needs no protection. The Fourth Amendment exists to protect everyone from unreasonable search and seizure, and that, they say, has to include those considered reprehensible.
Even visitors to a child porn site.
They cite H.L. Mencken, the iconic journalist and cultural critic, who famously said, “the trouble with fighting for human freedom is that one spends most of one’s time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all.”
Or, as Christopher Soghoian, then chief technologist at the American Civil Liberties Union (ACLU) put it in a talk last December titled “Stopping Law Enforcement Hacking” at the Chaos Communication Congress (CCC), “many of the court cases that define our basic privacy rights come from cases involving drug dealers, people smuggling alcohol, and pedophiles. So it can be very unpleasant for people to engage in these cases.
“But if you wait until the government is using its powers against journalists and freedom fighters, by that point the case law is settled,” he said.
That, he and other privacy advocates say, is what is at stake here. While a number of those charged with downloading child porn from Playpen have already pleaded guilty and there have been some laudable results of what the FBI called Operation Pacifier – identification of a reported 35 ‘hands on’ child sexual offenders and at least 17 producers of child pornography, plus the recovery from abuse of at least 26 child victims – critics contend that the government violated the Fourth Amendment when, after taking control of the site, it hacked into the computers of visitors to discover their IP addresses and eventually their identities.
Operation Pacifier began in December 2014, when the FBI got a tip from a foreign law enforcement agency about Playpen, a “hidden service” site accessible only through the Tor network.
After getting a search warrant, the agency seized the server, then operating in North Carolina. But, instead of shutting it down, it moved it to Virginia and operated it as a sting operation for another 13 days, during which time thousands of child porn images were downloaded by thousands of visitors.
During that time, it obtained a so-called “general warrant” to install what it called a “Network Investigation Technique” (NIT) – malware – onto the computers of those visitors. Through that, it was able to defeat the anonymity generally provided by the Tor network, get the IP addresses of the computers, and then their locations.
Finally, it obtained warrants to search the premises and computers of those who had visited Playpen for evidence of child porn.
It is that general warrant that critics say is the problem. Mark Rumold, senior staff attorney at the Electronic Freedom Foundation (EFF), called it “unconstitutional.”
In one of numerous blog posts on the issue – some of them authored by Rumold – EFF argued that among the reasons the general warrant was unconstitutional were that:
- It led to thousands of searches and seizures, in locations around the world, in violation of the “particularity” requirement of the Fourth Amendment, which requires the warrant to, “particularly describ(e) the place to be searched, and the persons or things to be seized.”
Leo Taddeo, CSO at Cryptzone
The Fourth Amendment, EFF contended, “was designed to prevent precisely this type of sweeping authority,” which it called, “astonishingly broad: It allowed the FBI to deploy the malware against any ‘activating computer,’ identified as any computer logging into the site. The warrant and its attachments say nothing about whose computers these are or where they are located.”
- It was granted by a magistrate judge. EFF and defense attorneys argue that the law allows such magistrates to grant warrants only in the district where they are located. This one was in the Eastern District of Virginia, and therefore, “could not authorize searches of computers located outside of that district.”
A second major objection is the DoJ’s refusal to turn over the source code of the NIT to the defense, which defense lawyers say means they cannot effectively represent their clients. The source code, they have contended, may have flaws, or may have been used to search or seize information beyond the scope of the warrant.
Soghoian, who now works for US Sen. Ron Wyden (D-Ore.), said in that capacity he can no longer speak with the media. But in his talk at the CCC last year, he spoke to that issue, saying one of the major problems with government hacking is that, “mistakes will be made. Hacking tools are made by humans and deployed by humans. Humans are not perfect.”
He cited the Tor Mail case from 2013, when the FBI got a warrant to hack 300 users, but ended up hacking many more innocent users – anyone who visited the Tor Mail home page for several days.
In a few cases – United States v. Jay Michaud in Washington state is one of the most high-profile – the court found those arguments persuasive. US District Judge Robert Bryan ordered the government to turn over the source code, and the government chose to drop the charges rather than comply.
But that has not set a precedent.
That code is now classified, which obviously gives it a higher level of protection.
And Judge Bryan, in a later case – United States v. David Tippens et. al, which included Gerald Lesan and Bruce Lorente – made the opposite finding – that the government was not compelled to turn over the source code.
Peter Carr, a spokesman for the DoJ, declined to say whether the classification of the source code made the difference in Tippens, but did say the Michaud decision, “has no effect on other cases. All other courts to look at this issue have ruled that the defendants were not entitled to review the Playpen NIT source code.”
While the FBI will not comment on the cases, Leo Taddeo, CSO at Cryptzone and a former special agent in charge of the FBI’s New York cybercrime office, said if criminals are going to make use of anonymizing services like the Tor network, law enforcement needs to be able to use tools to pierce that cloak of anonymity.
“There needs to be a balancing of the potential harm to privacy interests with the harm to children who are victims of sexual abuse and exploitation,” he said.
“The internet has been a boon to child pornographers. In some ways, it provides virtually complete anonymity to pedophiles. Law enforcement must have new tools to adapt and counter this new reality.”
But privacy advocates counter that the Mencken principle applies – if government is granted more sweeping surveillance powers in the name of catching and punishing child predators – a worthy cause – the danger is that those tools will be used against those who are not nearly as reprehensible.
Amie Stepanovich, US policy manager at Access Now, said the FBI’s refusal to turn over the NIT source code is evidence that the agency is, “choosing to prioritize secrecy and prevention of meaningful oversight over its own mission, ‘to uphold and enforce the criminal laws of the United States.’
“Transparency is a keystone to ensuring that FBI operations stay within the confines of the law and agents don't abuse their authority. However, once again the FBI is shunting any notion of oversight, not to mention justice, in order to keep its ‘toys’ secret,” she said.
Another worry is that the scale of surveillance that is possible on the internet dwarfs capabilities in the physical world, which gives government much more power than before.
As security guru Bruce Schneier, CTO at IBM Resilient, put it several years ago, “Instead of ‘follow that car,’ it’s ‘follow every car. And follow it for six months back.’”
Rumold said EFF and other privacy advocates want child predators investigated and caught. The right to privacy, he said, “is not inviolable.”
The Fourth Amendment, he said, “does not mean that they can't be investigated, or even that law enforcement could never hack into their computers. It only means that law enforcement must go through the protocols and protections enshrined in the Fourth Amendment in order to carry out the investigation.
“In the Playpen investigation, the FBI didn't follow those protocols, and that's why their searches and seizures were illegal.”