Jul 18

District Court: No Warrant Needed to Deploy Malware on Computers

In a controversial decision, the Eastern District of Virginia ruled last month that the government does not need a warrant to deploy malware that gathers identifying information about computers visiting a specific host site. In United States v. Matish, the host site provided child pornography, which clearly influenced the court’s decision. Nonetheless, this decision raises important questions about digital privacy in the modern world.

The website at issue operated on the Tor network, which attempts to keep users’ Internet Protocol (IP) address hidden. This anonymity can be essential for human rights activists, journalists, and workers who do not want to be fired for expressing their views online. Judge Morgan noted, however, that “the Tor network is also replete with illegal activities, particularly the online sexual exploitation of children.”

After the Federal Bureau of Investigation (FBI) located the operator of the child pornography website, it searched his home and seized control of the website. The FBI did not immediately shut the site down, however; instead, it operated the site for nearly two weeks. During this time the FBI deployed, pursuant to a warrant, what it euphemistically called a “network investigative technique” (NIT). In actuality, the NIT was computer code that exploited a vulnerability to run on a visitor’s machine when the visitor accessed the site, and then sent certain information back to the FBI over a connection that bypassed Tor. Digital rights organizations such as the Electronic Frontier Foundation have characterized this process as hacking or installing malware. In this case, the information sent back to the FBI included the activating computer’s IP address and its host name. Without the NIT, the FBI could not have identified the locations of the computers using this website: because Tor routes traffic through a chain of relays, the site’s own logs showed only the IP address of the last relay in that chain, not the visitor’s. Once the FBI had the visitors’ real IP addresses, however, it subpoenaed the Internet service providers to identify the subscribers who had been assigned those IP addresses at the specified dates and times. The FBI identified and charged defendant Edward Joseph Matish using this process.

Matish moved to suppress all evidence seized from his home computer by the FBI through the use of the NIT, as well as all fruits of that search. The court first rejected all of the challenges to the warrant authorizing the NIT. Significantly, the court then held that the government did not need a warrant to deploy the NIT because the defendant had no reasonable expectation of privacy in his IP address or in his computer.

First, the court held that no one, not even a Tor user, has a reasonable expectation of privacy in an IP address when using the Internet, because users should know that this information is provided to Internet service providers in order to direct and route their traffic. This is known as the third party doctrine, which stems from a 1979 Supreme Court case. In Smith v. Maryland, the Supreme Court held that the installation of a pen register to capture dialed phone numbers did not constitute a search under the Fourth Amendment, because individuals have no expectation of privacy in the phone numbers they dial since they must convey those numbers to the telephone company. Courts typically distinguish, however, between content and addressing information. For example, the content of a phone conversation is protected by the Fourth Amendment under Katz v. United States, even if the number dialed is not.

Second, and more importantly, the Matish court held that the government’s use of the NIT to search the defendant’s computer did not constitute a search under the Fourth Amendment because the defendant did not possess a reasonable expectation of privacy in his computer. “Like the pen register in Smith that captured only the numbers dialed, the NIT only obtained identifying information; it did not cross the line between collecting addressing information and gathering the contents of any suspect’s computer,” the court noted. In this case, the government had obtained a traditional residential search warrant before searching the computer’s contents. The court also spent a significant portion of its analysis chronicling recent high-profile hacks, suggesting that FBI agents who exploit vulnerabilities in an online network to deploy malware are like police officers who peer through broken blinds. Finally, the court noted the “especially pernicious nature of child pornography” in holding that the government’s interest in prosecuting this crime outweighed any privacy interests of the Tor users.

While few would fault the FBI for using every available means to identify users of a child pornography site, the court’s analysis of computer security is troubling. The court’s holding that a warrant is not needed to deploy malware was not explicitly limited to visitors of child pornography sites – an important distinction, since accessing a child pornography site is itself strong evidence of intent to commit the crime of receiving child pornography. Under the court’s reasoning, however, the government could take over a legal website and deploy malware, without a warrant, onto every computer that accessed the website, as long as that malware collected only the computers’ IP addresses and similar identifying information and not the computers’ contents. Further, the court’s reasoning that IP addresses are not protected because they are transmitted through third parties could conceivably be extended to find that a user’s browsing history is not protected either, because that information is transmitted to the host websites. One could imagine a scenario in which the government took over a legal website containing extremist ideology, deployed malware onto the computers of the website’s visitors, and then tracked the browsing history on each computer. Such tracking would essentially allow the government to analyze, without a warrant, what an individual was reading on the Internet. Indeed, Senator John McCain recently introduced legislation to allow the FBI to access an individual’s web search history without a warrant in terrorism and espionage cases.

As Justice William Douglas warned in 1953:

“Once the government can demand of a publisher the names of purchasers of his publications, the free press as we know it disappears. Then the spectre of a government agent will look over the shoulder of everyone who reads. The purchase of a book or pamphlet today may result in a subpoena tomorrow. Fear of criticism goes with every person into the bookstall. The subtle, imponderable pressures of the orthodox lay hold. Some will fear to read what is unpopular, what the powers-that-be dislike. When the light of publicity may reach any student, any teacher, inquiry will be discouraged.…If the lady from Toledo can be required to disclose what she read yesterday and what she will read tomorrow, fear will take the place of freedom in the libraries, bookstores, and homes of the land.” United States v. Rumely, 73 S. Ct. 543, 551-52 (1953) (Douglas, J., concurring).

While it is often difficult to balance security and privacy in an increasingly interconnected world, the Matish court went further than necessary in holding that no warrant is required to deploy malware on computers. Additionally, as we transmit ever more of our communications through cell phones, and as electronic resources become our primary reading materials, it is worth reconsidering whether we do in fact hold privacy interests in transmissions through third parties.