Welcome back. In Part 3 of our Dark Web series, we’ll take an in-depth look at a controversial Dark Web case arising out of law enforcement’s Operation Pacifier. Part 1 and Part 2 of our series provide some background information on the Dark Web and why it’s important.
Operation Pacifier was law enforcement’s effort to shut down one of the largest child pornography organizations operating on the Dark Web. Playpen worked as a hidden service on the Tor network. Tor services are designed around anonymous communication, which allows a user to host a service and publish content anonymously (see Part 1 of our series for more background information on the Dark Web). Playpen acted as a virtual bulletin board and allowed users to upload and download whatever content they chose.
The Initial Investigation
Playpen was launched in 2014 and quickly became one of the most prominent child pornography sites in the world. The popularity of the site piqued the attention of law enforcement agencies from around the world. In late 2014, a foreign law enforcement agency passed a tip to the FBI that Playpen had been misconfigured, and the server’s actual IP address was visible; it indicated the site was being hosted from inside the United States.
The FBI tracked the server’s IP address to a hosting company in North Carolina and determined that a Florida resident named Steven Chase was operating the server as the creator and primary administrator of the site. The FBI obtained a search warrant for Chase’s Naples, Florida, residence in February 2015. Mr. Chase was arrested and charged with several crimes related to the operation of Playpen.
The FBI Operation of Playpen
Following the arrest of Chase, the FBI took control of Playpen and operated the site from its own servers. For two weeks following Chase’s arrest, the FBI physically operated the largest child pornography website in the world, facilitating the viewing, uploading, and downloading of all pictures and videos on the site. Several contributors to the New York Times discussed the ethical issues inherent in this type of activity.
The FBI purported to operate the site so that it could continue its investigation to identify users of Playpen. To do so, the FBI deployed malware (referred to as NITs, Network Investigative Techniques) onto Playpen users’ computers. The malware exploited a vulnerability in the Tor software the Playpen users used to browse the website. Once installed, the malware sent information identifying the users’ computer locations. With this information in hand, the FBI could apply for a search warrant relative to that particular user.
The NIT Warrant
From the initial investigation that led to the arrest of Steven Chase, a federal magistrate judge in the Eastern District of Virginia issued a warrant that authorized the FBI to deploy the NIT malware to any computer from which a user logged in by entering his or her username and password (referred to as “activating computers” in the warrant).
The Fourth Amendment protects people from warrantless searches (there are a few narrowly tailored exceptions not at issue here), and it requires a search warrant to state with particularity the place to be searched and the persons or things to be seized.
The warrant allowed government agents to search every activating computer regardless of the location. The Electronic Frontier Foundation (“EFF”) filed amicus briefs in a number of cases arising out of this particular search warrant. A major contention of the EFF is that this warrant fails the Fourth Amendment’s particularity requirement because it does not state with particularity the location of the computers to be searched or the identity of the persons to be seized.
It was also argued that the NIT warrant ran afoul of Fed. R. Crim. P. 41. The warrant was issued by a judge in the Eastern District of Virginia. At the time, Rule 41 allowed a federal magistrate judge to issue warrants for searches within that magistrate’s district (Rule 41 has since been amended to permit warrants like the NIT warrant). The NIT warrant authorized searches of computers located anywhere, including several states outside of the magistrate judge’s district. At the time the FBI agent applied for the warrant, the agent had no idea where the users would be physically located and, therefore, had no idea where the actual search and seizure would take place. The EFF argues this is the exact type of warrant the Fourth Amendment is designed to prevent.
A single warrant was used to search thousands of computers across 120 countries. More than 100 cases were initiated based on data collected from the NIT malware. Judges have taken note of the defective warrant, and several have granted motions to suppress the resulting evidence. The district courts for the District of Massachusetts, the Northern District of Oklahoma, and the Southern District of Iowa all suppressed evidence obtained through the NIT warrant.
The government appealed the ruling suppressing evidence in the District of Massachusetts. In United States v. Levin, 874 F.3d 316 (1st Cir. 2017), the First Circuit Court of Appeals overturned the District Court’s ruling and held that the evidence should not have been suppressed. The case was remanded to the District Court for further action.
The FBI Refuses to Disclose NIT Software
While the NIT warrant presented important Fourth Amendment issues, the discoverability of the NIT source code itself became an important issue. Some courts have ordered the prosecution to make the code available to defendants, while other courts have not.
In United States v. Darby, the defendant sought access to the source code of the NIT for inspection by an expert. In its Order, the District Court denied the defendant’s Motion to Compel discovery of the NIT source code. In Darby, the Court found the defendant failed to show the source code was material to his ability to prepare a defense to the charges. Darby was before the District Court of the Eastern District of Virginia.
In another Playpen case, United States v. Michaud, from the Western District of Washington, the Court found the defendant had a right to the NIT source code. Rather than turn over the NIT code, however, the prosecution dismissed its case against Mr. Michaud.
Because the government remains unwilling to disclose certain discovery related to the FBI’s deployment of a ‘Network Investigative Technique’ (‘NIT’) as part of its investigation into the Playpen child pornography site, the government has no choice but to seek dismissal of the indictment…
Michaud was dismissed without prejudice, which means the government has time to refile the case should it choose to do so.
What the Future Holds
More than 100 cases were filed based on information gained by the federal government through Operation Pacifier. These cases showcase the Fourth Amendment and discovery challenges defendants face. The data suggests the Dark Web is an increasingly popular target of law enforcement efforts, so we expect to see more cases like those arising from the Playpen site. The multijurisdictional nature of the Dark Web and the government’s perceived need to keep secret the NIT source code will likely continue to present challenges for law enforcement and defendants alike.