Volokh Conspiracy: Does obtaining leaked data from a misconfigured website violate the CFAA?

The U.S. Department of Justice is current prosecuting Ross Ulbricht for being the apparent mastermind of the illegal narcotics website Silk Road, which was run for years on a hidden website. In defending the prosecution, the U.S. Attorneys Office recently filed a very interesting brief explaining how investigators found the computer server that was hosting the Silk Road (SR) server. Although the brief is about the Fourth Amendment, it has very interesting implications for the Computer Fraud and Abuse Act, the federal computer hacking statute.

The brief explains how the FBI found the SR server:

The Internet protocol (IP) address of the SR Server (the Subject IP Address) was leaking from the site due to an apparent misconfiguration of the user login interface by the site administrator i.e., Ulbricht. FBI agents noticed the leak upon reviewing the data sent back by the Silk Road website when they logged on or attempted to log on as users of the site. A close examination of the headers in this data revealed a certain IP address not associated with the Tor network (the Subject IP Address as the source of some of the data). FBI personnel entered the Subject IP Address directly into an ordinary (non-Tor) web browser, and it brought up a screen associated with the Silk Road login interface, confirming that the IP address belonged to the SR Server.

The FBIs declaration explains that the investigating agent entered miscellaneous information into the login prompt of the Silk Road server and received an error message. A forensic analysis of the error message found that it contained an IP address not associated with Tor. That IP address was the address of the Silk Road server.

The DOJ brief argues that there was nothing unconstitutional or otherwise unlawful about obtaining the inadvertently leaked IP address from the Silk Road server:

There was nothing unconstitutional or otherwise unlawful in the FBIs detection of that leak. The Silk Road website, including its user login interface, was fully accessible to the public, and the FBI was entitled to access it as well. See United States v. Meregildo, 883 F. Supp. 2d 523, 525 (S.D.N.Y. 2012) (noting that web content accessible to the public is not protected by the Fourth Amendment and can be viewed by law enforcement agents without a warrant). The FBI was equally entitled to review the headers of the communications the Silk Road website sent back when the FBI interacted with the user login interface, which is how the Subject IP Address was found.

It does not matter that Ulbricht intended to conceal the IP address of the SR Server from public view. He failed to do so competently, and as a result the IP address was transmitted to another party which turned out to be the FBI who could lawfully take notice of it. See United States v. Borowy, 595 F.3d 1045, 1048 (9th Cir. 2010) (finding that defendant had no legitimate privacy interest in child pornography files posted on peer-sharing website, notwithstanding that defendant had made ineffectual effort to use site feature that would have prevented his files from being shared); United States v. Post , __ F. Supp. 2d __, 2014 WL 345992, at *2-*3 (S.D. Tex. Jan. 30, 2014) (finding that defendant had no legitimate privacy interest in metadata used to identify him that was embedded in file he had posted on Tor website, notwithstanding that he did not realize he was releasing that information and he intended to remain anonymous).

In short, the FBIs location of the SR Server was lawful, and nothing about the way it was accomplished taints any evidence subsequently recovered in the Governments investigation.

I wonder: Does DOJs position that there is nothing . . . unlawful about this procedure mean that DOJ concedes that it would not violate the Computer Fraud and Abuse Act, 18 U.S.C. 1030, the federal computer hacking statute?

The FBIs location of the SR server brings to mind the prosecution of my former client Andrew Auernheimer, aka weev, who readers may recall was criminally prosecuted for his role in visiting website addresses on an AT&T server that AT&T had thought and hoped would not be found by the public. Auernheimers co-conspirator found that AT&T had posted e-mail addresses on its server at IP addresses that the public was not expected to find.

Here is the original post:

Volokh Conspiracy: Does obtaining leaked data from a misconfigured website violate the CFAA?

Related Posts

Comments are closed.