On January 26, 2017, I testified in Federal court as an expert witness for the defense in a case.
The testimony was regarding The Onion Router (TOR), the Dark Net, and Playpen. The case involved a Network Investigative Technique (NIT): in Operation Pacifier, a search and seizure warrant had allowed the FBI to seize and operate the server that hosted Playpen. The FBI then used the NIT to place malware on the computers of visitors to that server.
I’ve testified in other cases before, but this was an interesting one because it brought up a lot of questions that are paramount for the current era. Namely: when a computer user uses TOR, do they have an expectation of privacy? Is that legally relevant? And should the general public look at TOR and assume an expectation of privacy?
Ultimately, the judge in this case (and judges in others) held that users don't have a reasonable expectation of privacy on TOR. VICE explained this in a recent article too. The ruling was predicated, in part, on the idea that users hand over their IP address in order to connect to TOR; the IP address, the judge said, is therefore "public information that … eventually would have been discovered."
Now, the law is one of the slower-moving institutions when it comes to reacting to, and understanding, technology. I've seen this for years. True to form, then, it missed the boat on the TOR ruling. Yes, users do reveal their IP address to their guard node when they connect. But that is the only relay that sees it: traffic is then relayed through a circuit of nodes around the globe, each of which knows only the hop before it and the hop after it. The guard sees the user's IP address but not the site; the last hop (the exit, or the rendezvous point for a hidden service like Playpen) sees the site but not the user's IP address; and no single relay or ISP can tie an IP address to the site it is visiting.
Identifying a specific TOR user is technically possible through end-to-end traffic correlation, but that requires observing traffic at both ends of the circuit at once, which in practice means controlling or monitoring a large fraction of the relays or the networks around them; for almost any adversary it is impractical. The judge's ruling seems to assume that the government would have found another way to obtain TOR users' IP addresses, but it doesn't say how that could have happened. In fact, the only reason the FBI used an NIT in this case was that it could not find any other way to learn the real IP addresses of visitors to hidden sites.
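To make the two points above concrete, here is an added example (not code from the original post, and not Tor's actual protocol): a small Python model of a three-hop circuit that records what each relay can see, plus a timing-correlation routine that only links a client to a destination when it is given observations from both ends of the circuit. The toy cipher, cell format, relay names, IP addresses, onion addresses and timestamps are all constructed for illustration. For a hidden service like Playpen the last hop is a rendezvous relay rather than an exit, but the visibility argument is the same.

```python
# Added example (not code from the original post): a simplified model of a
# Tor-style circuit. It shows what each relay can see and why linking a client
# to a destination needs observations at both ends. The cipher, cell format,
# relay names, addresses and timings below are illustrative assumptions, not
# Tor's real protocol or real data.
import hashlib
import json

# Constructed circuit: (relay name, key the client shares with that relay).
PATH = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream from SHA-256(key || counter); demonstration only, not a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def build_onion(path, destination: str, payload: str) -> bytes:
    """Wrap the payload in one layer per relay, so each relay learns only its next hop."""
    cell = _crypt(path[-1][1], json.dumps({"next": destination, "inner": payload}).encode())
    for (_, key), (next_name, _) in zip(reversed(path[:-1]), reversed(path[1:])):
        cell = _crypt(key, json.dumps({"next": next_name, "inner": cell.hex()}).encode())
    return cell


def can_parse(key: bytes, cell: bytes) -> bool:
    """True if this key strips the outer layer; any other relay's key yields garbage."""
    try:
        json.loads(_crypt(key, cell))
        return True
    except ValueError:
        return False


def relay_process(name, key, seen_from, cell, log):
    """One relay's view: the previous hop and the next hop, nothing beyond."""
    layer = json.loads(_crypt(key, cell))
    log[name] = {"from": seen_from, "to": layer["next"]}
    return layer["next"], layer["inner"]


def run_circuit(client_ip, path, destination, payload):
    """Send one cell through the circuit; return each relay's view and what the last hop delivers."""
    log, cell, prev = {}, build_onion(path, destination, payload), client_ip
    for i, (name, key) in enumerate(path):
        next_hop, inner = relay_process(name, key, prev, cell, log)
        if i == len(path) - 1:
            return log, (next_hop, inner)  # last hop sees plaintext and destination, not the client IP
        cell, prev = bytes.fromhex(inner), name


def who_sees(log, client_ip, destination):
    """Relays that observed the client's IP, and relays that observed the destination."""
    return ([n for n, v in log.items() if v["from"] == client_ip],
            [n for n, v in log.items() if v["to"] == destination])


# Constructed cell timestamps (seconds) as a guard-side and an exit-side observer
# would record them; each exit flow is its client's flow shifted by one latency.
GUARD_OBS = {"10.0.0.1": [0.00, 0.40, 0.95], "10.0.0.2": [0.10, 0.20, 1.30]}
EXIT_OBS = {"siteA.onion": [0.21, 0.61, 1.16], "siteB.onion": [0.32, 0.42, 1.52]}


def correlate(guard_obs, exit_obs, tolerance=0.05):
    """End-to-end timing correlation: pair a client flow with the exit flow whose
    cell times are a near-constant shift of it. With only one side observed the
    other dictionary is empty and nothing can be matched."""
    matches = {}
    for client, g_times in guard_obs.items():
        for dest, e_times in exit_obs.items():
            if len(g_times) != len(e_times):
                continue
            offsets = [e - g for g, e in zip(g_times, e_times)]
            if min(offsets) > 0 and max(offsets) - min(offsets) <= tolerance:
                matches[client] = dest
    return matches


if __name__ == "__main__":
    view, delivered = run_circuit("203.0.113.7", PATH, "example.onion", "GET /")
    for relay, seen in view.items():
        print(f"{relay:7s} sees from={seen['from']!r:16s} to={seen['to']!r}")
    print("delivered:", delivered)
    print("linked by correlation:", correlate(GUARD_OBS, EXIT_OBS))
```

Running it shows the guard logging the client's IP address with "middle" as its next hop, the exit logging "middle" as its previous hop and the onion address as its destination, and the middle relay seeing neither. `correlate` only produces matches when both `GUARD_OBS` and `EXIT_OBS` are supplied; an observer with one side alone has nothing to pair against, which is the position an ISP, or a single relay, is in.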
I’m not going to come out and say that I’m a huge fan of TOR — some legitimately bad stuff happens on there hourly. But TOR users should have a legitimate expectation of privacy, and the general public should assume that expectation as well. Part of this is because people don’t understand how TOR works, and part is because of hyper-sensitivity these days around privacy issues as mobile and digital continue to scale globally. But there absolutely should be a legitimate expectation of privacy on TOR networks.