Judge Orders FBI To Turn Over Information On How Many People Around The World It Snagged With Its Playpen NIT

from the malware-whereabouts dept

This might be big, depending on how much of this information is passed on to the general public, rather than delivered ex parte or under seal. Joseph Cox of Vice/Motherboard was the first to snag this ruling [PDF] by a Washington district court judge ordering the FBI to turn over tons of info about the NIT it deployed in the Playpen child porn investigation.

As we're already aware, the NIT was deployed by the FBI in Virginia but obtained identifying information about Tor-cloaked site visitors not just all over this country, but all over the world. The motion to compel discovery asked for several details about the NIT and its deployment and most of them have been granted.

Here's the full list (with additional commentary):

1. All records related to the Government’s review and approval of Operation Pacifier. The Court has taken this discovery request under advisement. An order is soon forthcoming.
2. Copies of any reports made to the National Center for Missing and Exploited Children (NCMEC) regarding child pornography posted on the Playpen web site. Defendants’ motions are granted.
3. Copies of any notifications that were sent to victims by the Government for obtaining restitution related to images that were posted on, or distributed from, the Playpen web site. Defendants’ motions are granted.
4. The number of new images and videos (i.e. content not previously identified by NCMEC) that was posted on the site between February 20, 2015 and March 5, 2015. Defendants’ motions are granted.

(This information -- whether or not actually useful in suppression motions -- should at least provide some insight into how much additional child porn made its way to site visitors as a result of the FBI's decision to seize [and act as administrators of] the server, rather than shut it down. Information obtained in other court cases suggests the FBI not only acted as hosts during the NIT deployment, but actually made the site faster and more responsive.)

5. The names of all agents, contractors or other personnel who assisted with relocating, maintaining and operating Playpen while it was under Government control. Defendants’ motions are granted.
6. Copies of all notes, emails, reports, postings, etc. related to the maintenance, administration and operation of Playpen between February 20, 2015 and March 5, 2015. Defendants’ motions are granted.

(Again, this info could confirm whether or not the FBI improved the child porn site's performance during its two-week turn as administrators, as well as provide additional insight into how much child porn distribution was aided and abetted by the agency.)

7. Copies of all legal memoranda, emails and other documents related to the legality of the FBI’s operation of Playpen (and the distribution of child pornography by the Government), including requests for agency/departmental approvals of the undercover operation of Playpen and any communications with Main Justice or the Office of General Counsel at the FBI. The Court has taken this discovery request under advisement. An order is soon forthcoming.

(This would be the government's legal rationale for running a child porn site rather than shutting it down. Chances are this will remain under seal and is probably FOIA-proof, as most legal guidance documents are.)

8. Copies of all correspondence, referrals and other records indicating whether the exploit used in the Playpen operation has been submitted by the FBI or any other agency to the White House’s Vulnerability Equities Process (VEP) and what, if any, decision was made by the VEP. The Court has taken this discovery request under advisement. An order is soon forthcoming.

(Little is known about the government's actual handling of the VEP. On one hand, we have public statements which pay lip service to not screwing US companies by hoarding vulnerabilities. On the other hand, we have the exact opposite in practice.)

9. Copies of invoices and other documents for the hosting facility/facilities where the Government operated the Playpen server, the server from which the Government delivered the NIT malware and the server that NIT targets sent their identifying information back to, including documents revealing whether the Government informed the hosting provider(s) that child pornography would be stored in their facility or transmitted over their networks. Defendants’ motions are granted. To the extent that the Playpen hosting provider was the Government, not a private party, it appears there may not be much discovery responsive to this request.

(There may be nothing here. Or there could be third party hosts involved who were never informed about their participation in the FBI's sting operation. If so, fun times ahead for the US government.)

10. The number of Playpen-related investigations that have been initiated but did not result in criminal charges, beyond the approximately 200 cases now pending across the country. Defendants’ motions are granted.

(Another can of worms the FBI would probably like to remain closed. According to the government's own arguments in these cases, users would have connected to the site for a single purpose: to engage in criminal activity. A lack of charges would be a surprise and somewhat undermine the government's assertions about the criminal intent of visitors to the site.)

11. The total number of IP addresses and MAC IDs that were seized during the time the FBI was operating Playpen, over and above those related to these approximately 200 pending cases. Defendants’ motions are granted.
12. The number of IP addresses and MAC IDs obtained during the investigation from foreign computers and the countries in which this data was obtained. Defendants’ motions are granted.

(These are the potential goldmine. This will show how far-flung the FBI's net actually was, as well as provide more ammo for suppression motions predicated on Rule 41 jurisdictional limitations. The FBI is well aware it can't perform searches outside the jurisdiction covered by the warrant, but it chose to do so anyway. So far, its evidence has mostly held up, thanks to courts deciding suppression isn't the correct remedy, or crediting the FBI for unearned "good faith." The FBI and DOJ are pushing for changes to Rule 41 that eliminate the jurisdictional limits, so it's disingenuous for the agency to claim its agents acted in good faith when securing the warrant.)

This now becomes the Playpen case to watch, even if most of this information is likely to remain in the hands of defense lawyers only. Dismissal and suppression motions will contain references to the content of these documents, however, which will shed more light on the FBI's NIT deployment and its child porn site administration.

Filed Under: doj, eavesdropping, fbi, malware, nit, playpen, rule 41, warrants