By Mike Masnick @ Techdirt
The lawyers for Ross Ulbricht have been tossing an awful lot of speculative legal theories at the legal wall in his defense in the past few months, and none of them seem to be sticking. The most recent attempt was to argue that the process by which the DOJ/FBI got access to Silk Road’s servers must have violated the 4th Amendment, mainly because the site was “hidden” as a Tor hidden service and Ulbricht couldn’t figure out how else the FBI could have tracked down the servers. In response, the DOJ has revealed the details of how it tracked down the servers in a very readable court filing where you can almost feel the snark dripping from the U.S. Attorney’s Office, as they mock both the speculative and hyperbolic nature of the claims, and reveal that Ulbricht basically misconfigured the CAPTCHA on the site’s login page so that it leaked the server’s real, non-Tor IP address.
Contrary to Ulbricht’s conjecture that the server hosting the Silk Road website (the “SR Server”) was located by the NSA, the server was in fact located by the FBI New York Field Office in or about June 2013…. The Internet protocol (“IP”) address of the SR Server (the “Subject IP Address”) was “leaking” from the site due to an apparent misconfiguration of the user login interface by the site administrator – i.e., Ulbricht…. FBI agents noticed the leak upon reviewing the data sent back by the Silk Road website when they logged on or attempted to log on as users of the site…. A close examination of the headers in this data revealed a certain IP address not associated with the Tor network (the “Subject IP Address”) as the source of some of the data…. FBI personnel entered the Subject IP Address directly into an ordinary (non-Tor) web browser, and it brought up a screen associated with the Silk Road login interface, confirming that the IP address belonged to the SR Server….
Based on publicly available information, the Subject IP Address was associated with a server housed at a data center operated by a foreign server-hosting company in Iceland…. Accordingly, on June 12, 2013, the United States issued a request to Iceland for Icelandic authorities to take certain investigative measures with respect to the server, including collecting routing information for communications sent to and from the server, and covertly imaging the contents of the server…. The Reykjavik Metropolitan Police (“RMP”) provided routing information for the server soon thereafter, which showed a high volume of Tor traffic flowing to the server – further confirming that it was hosting a large website on Tor…. Subsequently, after obtaining the legal process required under Icelandic law to search the server, and after consulting with U.S. authorities concerning the timing of the search, the RMP covertly imaged the server and shared the results with the FBI on or about July 29, 2013…. Forensic examination of the image by the FBI immediately and fully confirmed that the server was in fact hosting the Silk Road website, i.e., that it was in fact the SR Server…. The server contained what were clearly the contents of the Silk Road website – including databases of vendor postings, transaction records, private messages between users, and other data reflecting user activity – as well as the computer code used to operate the website.
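As an added illustration (this is not code from the article or from the court filing, which describe the leak only at the level quoted above), here is the kind of check that catches this class of misconfiguration before an adversary does. It takes the headers and HTML body of a response fetched from a hidden service and flags any header value or embedded resource reference (a CAPTCHA image, a script, a form action) that names a literal IPv4 address or a host that is not the service’s own .onion name. The sample response, the 203.0.113.7 address and the example.onion hostname are all constructed for the example; nothing here reflects the actual Silk Road configuration.

```python
"""Audit a Tor hidden service HTTP response for clearnet leaks.

Added example, not code from the article or the court filing. The sample
response below is constructed: 203.0.113.7 is a documentation-range address
and example.onion is a placeholder for the service's own hostname.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Dotted-quad IPv4 literal. IPv6 literals are not matched; extend if needed.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Attributes whose value makes the client fetch from, or submit to, a URL.
URL_ATTRS = {"src", "href", "action", "data", "poster"}


class _RefCollector(HTMLParser):
    """Collect (attribute, url) pairs from every tag carrying a URL attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # HTMLParser already lowercases attr names
            if value and name in URL_ATTRS:
                self.refs.append((name, value))


def find_clearnet_leaks(headers, body, onion_host):
    """Return [(where, host)] for every reference that escapes Tor.

    headers:    dict of response header name -> value
    body:       HTML text of the response
    onion_host: the service's own hostname; references to it are fine

    Relative URLs are fine (the client resolves them against the .onion it
    connected to), and so are references to other .onion names, since those
    are still reached over Tor. Anything else is reported.
    """
    leaks = []

    # 1. Header values: a Set-Cookie Domain, a Location redirect or a custom
    #    header that carries the server's public address.
    for name, value in headers.items():
        for ip in IPV4_RE.findall(value):
            leaks.append((f"header:{name}", ip))

    # 2. Embedded references in the page body.
    collector = _RefCollector()
    collector.feed(body)
    for attr, url in collector.refs:
        host = urlsplit(url).hostname
        if host is None or host == onion_host:
            continue  # relative reference, or the service's own name
        if IPV4_RE.fullmatch(host) or not host.endswith(".onion"):
            leaks.append((f"{attr}:{url}", host))
    return leaks


# Constructed sample: a login page whose CAPTCHA image is served from the
# host's public IP instead of through the .onion, plus a cookie scoped to it.
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Set-Cookie": "sid=abc123; Path=/; Domain=203.0.113.7",
}
SAMPLE_BODY = """
<html><body>
<form action="/login" method="post">
  <img src="http://203.0.113.7/captcha.php?id=42" alt="captcha">
  <script src="/static/login.js"></script>
  <input name="captcha"><input type="submit" value="Log in">
</form>
<a href="http://example.onion/register">Register</a>
</body></html>
"""


def audit_sample():
    """Run the check over the constructed response; returns the leak list."""
    return find_clearnet_leaks(SAMPLE_HEADERS, SAMPLE_BODY, "example.onion")


if __name__ == "__main__":
    for where, host in audit_sample():
        print(f"LEAK {host} via {where}")
```

Run it against a response you captured through Tor from your own hidden service, with the headers as the client actually received them; the point is to audit the service’s own output, not to hunt for someone else’s address. On the constructed sample it reports two findings, the Set-Cookie domain and the CAPTCHA image source, and nothing for the relative script path, the relative form action or the link to the service’s own .onion name.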
Later, the filing points out:
It does not matter that Ulbricht intended to conceal the IP address of the SR Server from public view. He failed to do so competently, and as a result the IP address was transmitted to another party – which turned out to be the FBI – who could lawfully take notice of it.
While the DOJ’s story is compelling (and while I’m sure some will still insist “parallel construction,” it seems like there would need to be a lot more evidence of that happening), there are some other interesting tidbits in the filing. Ulbricht had argued that the search of the server was unconstitutional because his property was searched without a warrant. However, the DOJ points out that since the server was in Iceland, the 4th Amendment doesn’t apply. But in defending the lack of a warrant, it’s interesting that the DOJ admits that under the Stored Communications Act, a “warrant was not even an option… given that the SR Server was controlled by a foreign data center.”
That seems to contradict the DOJ’s claims in its ongoing fight with Microsoft over accessing emails stored in Ireland. There, the DOJ insists that a warrant under the SCA is not only very much an option, but that it requires Microsoft to hand over the data. The DOJ says the cases are different since Microsoft is a US entity, and thus the SCA compels the US entity to reveal data no matter where it is, but that doesn’t apply since the Silk Road server was controlled by an Icelandic company.
There remain some interesting legal questions raised by the prosecution against Ulbricht, but so far, the extremely speculative nature of his defense doesn’t seem particularly likely to get anywhere. Also, the leaky CAPTCHA should serve as a reminder that, despite all the freakouts and concerns from law enforcement about how the internet and things like Tor will make it impossible to catch criminals, people will almost always mess up somehow and reveal breadcrumbs back to who they are.