Sunday, 01 May 2016 In hacking tags: fbi

Obligatory Disclaimer: Personal or political views presented within this post absolutely do not reflect those of my employer(s), client(s), and/or legal counsel.

In the final week of November 2015, a Special Agent from the Federal Bureau of Investigation, Mr. Mark Burnett, knocked on the door of my family’s home and left his card, with an additional phone number penciled in. All my family members residing in America had planned a week-long vacation and were all on a remote island. When the FBI receives DHS flight records as if they’re the morning paper, I must admit that whatever reasons for why the Bureau didn’t know that I or my family were absent escape me entirely.

My mom found the above card of Agent Burnett, face down on the marble entryway of the house, some days after returning home from vacation. As credit to her and my dad, and, the sheer chaos of every member of our family (including my sibling) being hackers/programmers, at first they didn’t assume the card had anything to do with me. After all, I don’t live in America anymore, and also anyone who knows me in the slightest is well aware that I’m so horribly busy with work… such that for several years I’ve often ignored, stood up, and let down my closest friends. My mother assumed that, if it were really important, the agent would call her. He did, while she was at work a couple days later. (As an aside: that any random FBI agent has the ability to learn someone’s personal cell phone number and use it — uninvited — is, in my opinion, extremely threatening and unacceptable.) He didn’t say what he wanted, only that he wanted to know how to contact her daughter. I was travelling (as always), and my mother didn’t have a phone number for me.

I had already been in the process of moving, permanently, to Germany, and had retained a German immigrations lawyer several months prior to these events. In late November, not knowing this had already been taking place, I returned to the US for two weeks to visit family and friends for the holidays, collect my remaining belongings, and make any needed long-term arrangements.

Word got to my lawyer in the US, who decided to call FBI Special Agent Mark Burnett, on that Friday, saying that he represented me and my family. Burnett said the FBI simply wanted to ask me some questions. My lawyer responded by stating that, as my invoked representation, all questions should be directed to him rather than to me or my family. The agent agreed, paused while some muffled male voices were heard in the background, and asked to call back in five minutes.

Five minutes later, Burnett called back and said, “I don’t believe you actually represent her.”¹ Burnett stated additionally that a phone call from me might suffice, but that the FBI preferred to meet with me in person. After a pause he said, “But… if we happen to run into her on the street, we’re gonna be asking her some questions without you present.”

My lawyer and I discussed what the FBI could possibly want. Theories ranged from attempted entrapment, to the recent and completely unethical Carnegie Mellon University (CMU) attacks on the live Tor network, to a Grand Jury subpoena for someone else, to some shady request for a backdoor in some software I contribute to. We honestly could not come up with any coherent rationale for why the FBI would suddenly decide to come after me, as, to my knowledge, I have done nothing which should warrant any interest besides my contributions to open source encryption tools.

In the case that they might have asked for a backdoor, I tried to distract myself from the overwhelming (I don’t think I’ve actually fully understood the word “overwhelming” before these events) stress.

I still planned to continue moving, of course, but now things would need to go to different places, and by different means. I didn’t know if I’d be stopped at the US border, or even prevented entirely from leaving. I started having panic attacks, thinking that I’d need to get myself and literally every object, including electronics, that I cared about across the border, knowing they’d have the ability to detain me and mess with my belongings for as long as they liked. Every device I owned could be compromised, I’d lose all my data, my pictures of family and loved ones, fiction I’d written as a teenager, and Lisp I’d written as a child. I’ll admit I actually cried, not knowing when I’d hug my mom again. I prepared myself mentally, trying to model every possible tactic the FBI could play and my planned response.

If they ask for information on anyone else, or think I witnessed or committed some crime: I solemnly invoke my Miranda rights. No joking. No snark. No fucking around. Everyone knows you don’t talk to the police.

If they want a backdoor, or some other extralegal information about users or systems, likewise: I’d ask for my lawyers and shut up.

I didn’t talk to anyone who wasn’t already in regular contact with me, fearing I might endanger them — some thug might show up at their mom’s door or make some threats to their lawyers — and I didn’t want to risk harming people I care about. It hurt to not tell my friends what was happening. I felt gagged and frightened. I wanted to play chess in the park. I wanted to learn duets on the piano. I wanted to ride bicycles through the ancient groves in the park in the endless Californian sunshine. I wanted to bring homemade vegan gluten-free brownies and stickers from collectives in France to my friends at the EFF. To be selfish, I wanted to read the number theory papers I’d just downloaded and play with a new pairing-based cryptography library I’d just been given the source to, but I couldn’t do those things either, simply because I was too stressed out to think straight.

I got absolutely no work done.²

If you’re going to get arrested, you might as well look good and smile your brightest while doing so. In a blur of anxiety and self-consciousness, I bought a pair of blue-green aviators and matching blue-green lipstick. This will totally build rapport with my interlocutors, I told myself. They will have no alternative but to understand that I fight for the good guys, that they should immediately drop their badges and guns — but keep the aviators! — to join me to fight for the true cause and freedom!

Due to speak at several cryptographic conferences in Europe, I flew from San Francisco’s international airport to Brussels on the next Monday evening, on the latest flight I could get. I had been advised by another lawyer that, “For the FBI, ‘quitting time’ means quitting. After 5 o’clock, you’re good; you can do whatever you want, party in the streets naked on LSD, and they won’t notice a thing.” I also booked a return flight (though I had no intention of using it, since I planned to live in Germany) upon the advice of multiple lawyers. With printed out conference and speaking invites, blue-green aviators, and blue-green lipstick, I went to San Francisco International Airport expecting to be detained indefinitely and lose everything I cared about.

Nothing happened.

I don’t understand this. The FBI is handed DHS flight records like they’re the morning edition. They should have known, when they knocked on my parents’ door, that no one would be home. They should have known when I would fly into San Francisco, and they could have easily detained me then. They reasonably could have known, and potentially acted fast enough, to detain me when I left San Francisco for Brussels.

Once in Germany, I proceeded to compile “The Book” of documents necessary for obtaining an Aufenthaltserlaubnis (roughly translated, “residence visa with permission to work certain jobs, e.g. as a contractor/freelancer”). My appointment was in early January. The day before my appointment, I spoke with my lawyer. He had received another call, this time from an FBI Special Agent Kelvin Porter in Atlanta.

Lawyer: Hello?

Agent: Hello, this is Special Agent Kelvin Porter at the FBI field offices in Atlanta. I’m calling concerning your client.

Lawyer: Yes. Why are you trying to contact her?

Agent: Well… as before… we would strongly prefer to meet her in person. We have teams in Los Angeles, San Francisco, Chicago, New York, and Atlanta keeping an eye out for her.

Lawyer: Your colleague mentioned last time that you would accept a phone call?

Agent: We would strongly prefer to meet her in person. We… uh… have some documents we’d like her opinion on.

Lawyer: Umm…? What documents?

Agent: Anyway, if she’s available to meet with us, that would be great, thanks.

It didn’t exactly help with the stress of applying for a residence visa to know that there were teams in five cities across America keeping an eye out for me. However, I’m glad to say that, the next day, my residence visa was approved. Eight hours afterwards, my lawyer received a voicemail saying:

Agent: Hello this is Special Agent Kelvin Porter, we spoke two days ago regarding your client. Umm… well… so the situation with the documents… it’s umm… it’s all fixed. I mean, we would of course still be happy to meet with your client if she’s willing, but the problem has… uh… yeah… been fixed. And uh… yeah. Just let us know if she wants to set up a meeting.

Admittedly, I can’t even begin to understand what was going on here. Documents? Was this attempted entrapment? Or were they using this as bait to get me interested in meeting them, so that they could ask about something else? I mean, help me, please — I really don’t understand what the FBI’s strategy was here.

Or, are they retracting their previous position in order to entice me to return to the US? Should I be worried about what happens to me when I return? Why is the FBI trying to make a developer of an open source encryption tool feel unwelcome in their country of origin? Should I try to get a different citizenship? Is my family safe in the US? Should I worry about the FBI raiding my parents’ house and shooting our family dog? Should I worry about FBI agents stalking and harassing my mother? Is this really how the United States has decided to treat American tech workers? Am I just the forerunner in a larger campaign by the FBI to personally go after developers of encryption software which annoys them?

Update: 2016-04-26

The FBI has contacted my lawyer again. This time, they said, “She should meet with one of our agents in San Francisco to talk. Otherwise, are you the point of contact for serving a subpoena? She’s not the target of investigation, but, uh… we uh… need her to clear up her involvement or… uh… potential involvement in a matter.”

In case the FBI is seeking data on Tor users or Tor bridges, and especially in case the subpoena turns out to be sealed or accompanied by an NSL: the original published contents of this post are archived as a PDF here, and the RIPEMD160(SHA256(PDF)) is equal to 5541405e08048658cf457b3c59bf42a51f84a1a3 and hence Bitcoin address 18mnc4BCud3vjAdLbCc3QhyrjN84VTT1iM, in order to prove in a cryptographically verifiable manner that I published before that point in time.
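For readers who want to check the link between the 160-bit digest and the Bitcoin address quoted above, here is an added example (not part of the original post) of standard Base58Check encoding and decoding for a version-0 address. The function names are illustrative, and the digest is taken as given rather than recomputed from the PDF.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Values quoted in the post above.
PAGE_HASH160 = "5541405e08048658cf457b3c59bf42a51f84a1a3"
PAGE_ADDRESS = "18mnc4BCud3vjAdLbCc3QhyrjN84VTT1iM"

def _checksum(payload: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of SHA256(SHA256(payload)).
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def hash160_to_address(hash160_hex: str, version: int = 0x00) -> str:
    """Encode a 20-byte RIPEMD160(SHA256(x)) digest as a Base58Check address."""
    digest = bytes.fromhex(hash160_hex)
    if len(digest) != 20:
        raise ValueError("hash160 must be exactly 20 bytes")
    raw = bytes([version]) + digest
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte is written as a literal '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out

def address_to_hash160(address: str) -> str:
    """Decode an address, verify its checksum, and return the hash160 as hex."""
    n = 0
    for ch in address:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    pad = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad length or checksum")
    return raw[1:21].hex()

def page_values_match() -> bool:
    """True if the address quoted in the post encodes the quoted digest."""
    return hash160_to_address(PAGE_HASH160) == PAGE_ADDRESS

if __name__ == "__main__":
    print("derived address:", hash160_to_address(PAGE_HASH160))
    print("matches post:   ", page_values_match())
```

To tie a downloaded copy of the PDF to the address, compute RIPEMD160(SHA256(file bytes)) and pass the hex digest to `hash160_to_address`; RIPEMD-160 support in `hashlib` depends on the local OpenSSL build, so that step is left out here.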

For over a year, I have maintained a warrant canary which covers the case of law enforcement agencies serving me a subpoena for information about Tor users or Tor bridges.

¹ My lawyer mentioned a legal technicality (which may or may not be actually legal because precedent is unclear): having a prior retainer to a defense lawyer in the United States does not mean that a lawyer can invoke the client’s Miranda Rights (i.e. the right to remain silent) for the client, but that the client may be technically required to personally invoke their own Miranda Rights.

² Dear FBI, for what it’s worth: technically, financially-speaking, we’re funded by the same government. You can view my current contract and pay here and you can subscribe to any of several mailing lists in order to track my development progress. You can also watch my commits in real time. You can literally see everything I do, who I work for, how much money I make, where I go, and probably a whole bunch of other data about me. I have an email address (and legal counsel). Protip: do your homework next time.