In trying to bring down the Playpen child pornography site hidden on the Dark Web, the FBI used malware to track paedophiles, but unsealed court documents show that in an earlier operation it also hacked innocent users of an encrypted web mail service, going beyond what its warrant allowed.
Between February and March 2015, the FBI ran an operation to bring down the Playpen child pornography bulletin board and its users. Because every user connected through the Tor anonymity network, which hides a visitor's real IP address, the FBI seized the website and kept it running on its own servers.
Anyone who accessed the site while it was under FBI control was secretly served a "network investigative technique" (NIT), the bureau's term for its malware. The NIT caused the visitor's computer to reveal its real IP address outside the Tor connection, uncovering around 1,300 IP addresses, which the FBI used to identify and charge more than 1,500 suspects.
Although the investigation has undoubtedly caught paedophiles, the American Civil Liberties Union (ACLU) has concerns about how the FBI was able to use its malware, and pushed to have the warrant applications unsealed.
What it discovered is that the FBI did not use its malware only against Playpen users. In an earlier operation the agency also deployed it to monitor 23 websites hosted by Freedom Hosting, a web host that specialised in Dark Web sites, including multiple child pornography websites as well as an encrypted email service called TorMail.
Freedom Hosting was seized by the FBI in 2013, and the FBI kept the service running while deploying the malware, reportedly with the blessing of the judge who signed off on the warrants. Unfortunately for the FBI, TorMail users soon noticed that malware was being delivered to their machines, and security researchers got involved.
The FBI's malware hacked innocent TorMail users
The problem is that the warrant authorised the FBI to hack 300 specific TorMail users, yet the agency went beyond it, in breach of the warrant, and delivered its malware to many other users as well, even though the affidavits specifically said that the FBI was allowed only to "investigate any user who logs into any of the TARGET ACCOUNTS by entering a username and password".
"The warrant that the FBI returned to the court makes no mention of the fact that the FBI ended their operation early because they were discovered by the security community, nor does it acknowledge that the government delivered their malware to innocent TorMail users. This strongly suggests that the FBI kept the court in the dark about the extent to which they botched the TorMail operation," the ACLU's principal technologist Christopher Soghoian told Vice's Motherboard.
"What remains unclear is if the court was ever told that the FBI had exceeded the scope of the warrant, or whether the FBI agents who hacked innocent users were ever punished."
The other issue, pointed out by TechDirt, is that in order to catch the paedophiles the FBI had to keep all of these child pornography websites online. Does that make the FBI a distributor of child pornography for the period in which it kept the sites running rather than shutting them down?
IBTimes UK contacted ACLU to ask if the organisation plans to take any further legal action in light of the facts uncovered.
An ACLU spokesperson told us: "The ACLU welcomes the government's release of most of the information in the malware warrants in response to our motion in court. But the government should be releasing this kind of information as a matter of course whenever the need for secrecy expires, not simply later on in response to lawsuits.
"The discrepancy between what the warrant appears to authorize and the public reports of the malware implementation in this case highlights the importance of judicial transparency, and full disclosure to judges, when it comes to novel surveillance techniques."
The FBI told Vice's Motherboard that it tailors its warrant applications narrowly and does not exceed the scope of the warrants it is granted.