Wednesday, March 16, 2016

The Tor Network, the Fourth Amendment and the IP Address

This post examines a recent opinion from a U.S. District Court Judge who sits in the United StatesDistrict Court for the Western District of Washington:  U.S. v. Farrell, 2016 WL 705197 (2016).  The judge begins the opinion by explaining that
This matter comes before the Court on defendant's Motion to Compel Discovery. (Docket #48). For the reasons set forth below, the Court DENIES the defendant's Motion to Compel Discovery.
U.S. v. Farrell, supra (emphasis in the original).
He went on to explain that
[t]he defendant is charged with conspiracy to distribute cocaine, heroin, and methamphetamine by virtue of his alleged operation as an administrator with the online `Silk Road 2.0’ website. According to the government, the site operated on the Tor network with the ostensible purpose of its operation being to mask Internet Protocol (`IP’) addresses of users of the network.

The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute (`SEI’) of Carnegie Mellon University (“CMU”) when SEI was conducting research on the Tor network which was funded by the Department of Defense (`DOD’). The government previously produced information to the defense that Farrell's IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU.

Based upon the submissions of the parties, it is clear to the court the government has provided to the defendant basic information about the technique used by SEI to obtain IP addresses of Tor users, including the defendant. Among other items, the government's disclosures included information regarding the funding and structure relationship between SEI and DOD, as well as directing the defendant to publicly available materials regarding the Tor network.

The defendant seeks to compel disclosure of additional material pertaining to the relationship between SEI and federal law enforcement and the methods used by SEI to identify the defendant's IP address. The detailed specifics of the request are reflected in Exhibit A to the defendant's motion.
U.S. v. Farrell, supra.
The Judge then outlined his analysis of the arguments Farrell made in his motion to compel discovery:
The record before the Court suggests that the only information associated with the defendant and collected by SEI subject to a suppression motion is his IP address. Yet, the defendant seeks additional technical details as to how SEI operated and captured the information. From the record, it appears the only information passed on to law enforcement about the defendant was his IP address. There is nothing presented by the defense, other than rank speculation, that anything more was obtained by SEI and provided to law enforcement to identify the defendant.

The Court agrees with the government that applicable Ninth Circuit authority precludes the defendant's success on his motion. SEI's identification of the defendant's IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny.

The Court reaches this conclusion primarily upon reliance on United States v. Forrester, 512 F.2d 500 (U.S. Court of Appeals for the 9th Circuit 2007). In Forrester, the court clearly enunciated that: `Internet users have no expectation of privacy in . . . the IP address of the websites they visit because they should know that this information is provided to and used by Internet service providers for the specific purpose of directing the routing of information.’ Id. at 510.

In the instant case, it is the Court's understanding that in order for a prospective user to use the Tor network they must disclose information, including their IP addresses, to unknown individuals running Tor nodes, so that their communications can be directed toward their destinations. Under such a system, an individual would necessarily be disclosing his identifying information to complete strangers.

Again, according to the parties' submissions, such a submission is made despite the understanding communicated by the Tor Project that the Tor network has vulnerabilities and that users might not remain anonymous. Under these circumstances Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network. In other words, they are taking a significant gamble on any real expectation of privacy under these circumstances.

Equally supportive of this determination, which this Court agrees with, is Judge Robert Bryan's ruling in United States v. Michaud, W.D. Wa. No. 15-cr-05351, Dkt. #140, p. 14, where the court held that the IP address was public information.

The evidence before this Court indicates that SEI obtained the defendant's IP address while he was using the Tor network and SEI was operating nodes on that network, and not by any access to his computer. For these reasons, any other discovery about the methodology or technique used to identify the defendant's IP address is not material to his defense.
U.S. v. Farrell, supra.
The judge went on to explain that,
[i]n addition, the defendant seeks disclosures regarding contacts between SEI, the Department of Justice, and federal law enforcement. This request includes the period before and after SEI performed the subject research, with the thrust of the request premised upon the substance of meetings between DOJ and SEI. The Court is satisfied that the government has met its discovery obligations on this request. The government provided the extent of the relationship between DOJ and SEI, and the substance of meetings in which representatives from DOJ and SEI were present. Nothing further is required.

As to the remaining discovery requests, they are denied. Request No. 1 is moot in light of the government's observation that it is irrelevant to the defendant's case. Request No. 2 is overbroad and certainly not narrowly tailored, as it calls for documents related to the entire federal government and SEI during a two-year period.

Moreover, the government (according to the attachments to the government's response) has provided the relevant contracts at issue between SEI, DOJ, and DOD. As to Request Nos. 3 and 4, nothing further is required to be produced. Request Nos. 5 through 9 are the subject of this Order and require no further explanation.
U.S. v. Farrell, supra.
He therefore ended the opinion with this comment: 
For the foregoing reasons, the Court DENIES the defendant's Motion to Compel Discovery.
U.S. v. Farrell, supra (emphasis in the original).
If you are not familiar with the events that led to Farrell’s being charged with the crimes listed above, you can read more about the investigation and the prosecution in the news stories you can find here, here and here.

No comments: