Anyone who uses a computer or smartphone on a regular basis is concerned about the threat of hackers using viruses or malware to access your personal information. Through cleverly crafted codes, hackers can get into our webcams, steal files from our computers, or find out where we live and work, using this information for identity theft, or to threaten or harass. However, in some cases, the hackers looking into our computers are working for our own government.
A recent case highlights the extent to which government agencies are using malware to invade internet users' privacy in the name of law enforcement. After the FBI came took over a website called Playpen, which allegedly contained child pornography, they inserted code to identify anyone who accessed the site. The malware would identify the user's ISP, even if they were attempting to obscure their identity through using Tor encryption. As a result of their online stakeout, a 62-year-old man in Vancouver, Washington was arrested and charged with possession of child pornography, along with more than 130 others charged.
The Tor browser allows users to anonymously browse internet sites, including websites which may not be accessible through a Google internet search. Standard internet activity can be more easily traced back to the individual's internet service provider address, identity and location. With a Tor browser, traffic is encrypted across a network of servers, allowing users to keep their identity more private. While some people may be utilizing the Tor browser for illegal activity, others may use it to evade government censorship or avoid tech companies collecting and selling their personal information.
Not all attempts to remain anonymous online have anything to do with breaking the law. There are plenty of reasons someone might not want their identity to be linked to their internet activity. In some cases people may share the same computer, and want to keep their search history private. In other cases, dissidents and journalists may want to communicate with the public and the outside world without the threat of the government shutting down their free speech.
However, when government agencies are defending their activities they cite terrorism and child pornography as their primary targets, ignoring the fact that thousands of law-abiding people can be caught up in the broad internet sweeps. In addition, the FBI's actions in taking over the site appear troubling to many. After seizing the site, prior to shutting down Playpen, the FBI continued to operate the website for weeks, allowing others to access the alleged child-porn website and view its contents before it was finally shut down.
The Department of Justice has said that their searches were obtained with a warrant; however the public, and even the judges approving the warrants, may not understand just how far these internet probes can reach. The Playpen malware search alone obtained location information of 1,300 computers, resulting in 137 arrests. According to the attorney for one of the men charged, “there has never been any warrant I've seen that allows searches on that scale. It is unprecedented.”
Prosecutors in the Playpen case argue they had probable cause under the warrant to search the computers of anyone who visited the site. Since it doesn't come up on a standard Google search, and requires connection to the Tor network, the government argues that anyone who navigated to Playpen probably did so with the intent to view child pornography.
Thomas Brown, a former federal prosecutor in New York said the case represented, “another instance where you've got technology outstripping the law.”
While many are slow to defend who they see as possible terrorists or pornographers, the real concern comes from broad sweeps of internet traffic that scoop up not only possible criminals, but also invade the computers, files and pictures of innocent people who are completely unaware that the government has hacked their computers.
Ahmed Ghappour, a professor at UC Hastings College of Law, says the issue is “whether hacking warrants are written narrowly enough to guarantee that only those culpable set the trigger, and consequently get hacked.” He continued, “Given the scale of these operations, the smallest mistake could result in hundreds, if not thousands of privacy violations.”