UPDATE: Late last week, the FBI returned the seized server to the colocation facility that May First/People Link and Riseup shared. Yesterday, May First released video footage of the server's return. As we learn more details about the situation, we'll keep you posted.
The FBI is at it again -- executing broad search warrants, disrupting legitimate Internet traffic, and getting nothing in return.
Since the end of March, a number of anonymous bomb threats have been emailed to the University of Pittsburgh. Through its investigation, the FBI discovered the threats were being relayed through a server hosted by the progressive cooperative Internet Service Provider (ISP) May First/People Link (May First). The server was used by the European Counter Network (ECN), an Italian-based activist group, and stored in a colocation facility in New York shared by May First and Riseup, an organization that provides secure communication tools for activists around the world. When the FBI paid May First a visit at their offices in New York, May First reached out to EFF, and we agreed to help. The next day the FBI returned to May First's offices, this time with a subpoena, requesting information about the server. We helped them respond to the subpoena and May First turned over what minimal information it had: namely, that the server was running the anonymous remailer program Mixmaster, which removes header information and, similar to Tor, reroutes email in order to maintain a sender's anonymity.
The fact that the FBI's investigation led them to an anonymous remailer should have been the end of the story. It should have been obvious that digging deeper wouldn't lead to helpful information because anonymous remailers don't always leave paper trails. They're specifically designed with the capability to turn logging off in order to maintain anonymity.[1] And if logging was turned off -- as it was here -- there would be nothing useful to be gained by examining the servers.
Nonetheless, on April 18, the FBI seized the server from the colocation facility shared by May First and Riseup with a search warrant (PDF). The actual investigative effect of the seizure was zero. Even after the server was seized, the bomb threats continued. No arrests have been made. And while one group came forward and claimed responsibility, so far nothing suggests any connection to the seized server.
More troubling, however, is the collateral damage. The search warrant authorized the seizure of emails, communications, and files contained on the server, as well as records of IP addresses connected to the server and the dates and times of those connections. And the server was used by a wide range of people who had nothing to do with the bomb threats. As May First and Riseup explained in their joint press release:
Disrupted in this seizure were academics, artists, historians, feminist groups, gay rights groups, community centers, documentation and software archives and free speech groups. The server included the mailing list “cyber rights” (the oldest discussion list in Italy to discuss this topic), a Mexican migrant solidarity group, and other groups working to support indigenous groups and workers in Latin America, the Caribbean and Africa. In total, over 300 email accounts, between 50-80 email lists, and several other websites have been taken off the Internet by this action. None are alleged to be involved in the anonymous bomb threats. The seized machine did not contain any riseup email accounts, lists, or user data. Rather, the data belonged to ECN.
Yet the expansive search warrant contained no limitations to curb law enforcement's ability to rummage through the server, and look at anything it wanted. Sadly, it's not the first time the government's heavy hand went too far and resulted in an expansive -- and expensive -- seizure of digital devices.
EFF's clients, the Long Haul Infoshop and East Bay Prisoner Support (EBPS), recently settled a lawsuit over an improper FBI and police raid of their offices. The Long Haul case started back in 2008, when the FBI and the University of California, Berkeley Police Department (UCBPD) were working together to investigate a series of threats emailed to animal researchers at UC Berkeley. Law enforcement determined the emails were sent from an Internet Protocol (IP) address assigned to the Long Haul Infoshop in Berkeley, California, a collective and community meeting place that provided internet access to the public. If law enforcement had been more diligent and thoughtful, they would have taken the time to figure out what, if any, useful information they could obtain by looking at the public access computers, since they had no information connecting the Long Haul organization itself with the emails. Yet the police instead applied for -- and were granted -- a search warrant that authorized the search of all computers and storage drives in the building. The FBI and UCBPD cut the locks, entered the Long Haul, and seized not only the public access computers, but also computers from locked offices used in publishing Long Haul's newspaper, Slingshot, as well as from EBPS, which had its own office at Long Haul's Infoshop. Unsurprisingly, like the FBI's investigation in Pittsburgh, they found nothing to help in their investigation of the threats, and no one was arrested. The only thing to come out of this search was a bill. Together with the ACLU of Northern California, we sued the FBI and UCBPD in 2009 on behalf of Long Haul and EBPS, and after three years of litigation, the lawsuit was settled in March 2012 when the UCBPD and FBI agreed to pay $100,000 in damages and attorneys' fees, with UCBPD acknowledging Long Haul was not involved in the threats.
These incidents aren't just limited to the FBI. In another example of government overreach, last year Immigration and Customs Enforcement (ICE) agents traced an IP address to the home of Nolan King and seized six hard drives in connection with a criminal investigation. As we've explained, search warrants executed solely on the basis of an IP address are likely to waste law enforcement's time and resources, rather than actually produce real evidence, because IP addresses are typically not personally identifiable. That's exactly what happened to King. Turns out he was running a Tor exit node from his home, and thus the agents wouldn't (and didn't) find any of the evidence they were looking for. The government's overreach caused Mr. King to suffer the stress and embarrassment of having officers swarm his house and take his property, when he had done nothing wrong, and the police gained no evidence or leads into their investigation.
Returning to the seizure of the server from May First and Riseup's colocation facility, the fact that the server was used to facilitate anonymous speech -- particularly by whistleblowers and democracy activists in oppressive countries -- adds another layer of concern. While bomb threats are certainly not the type of speech protected by the First Amendment, there's no way for an anonymous remailer to distinguish between good and bad speech. And any attempt by the government to deal with bad speech by turning off all speech raises serious constitutional concerns.
So enough is enough. The government's ability to search a person and their property -- and in this case, shut down speech -- is an extraordinary power that can easily be abused. Law enforcement needs to do its research before resorting to an extremely intrusive search warrant that intrudes on innocent people's privacy, causes significant disruption to harmless activity, and silences speech. And as we've argued before, search warrants for electronic devices shouldn't be limitless, but narrowly drawn by a judge to limit law enforcement's ability to rummage through reams of data having nothing to do with the investigation at hand.
As events continue to unfold, know that EFF is actively involved in this situation, working hard to ensure the government's search warrant power won't be used to take more than what it should, or to stifle free speech and anonymity on the Internet.
[1] A previous version of this post mistakenly stated anonymous remailers are "specifically designed to leave no logs." That mistake has now been corrected.