A federal judge said users' IP addresses are “public information” when accessing a site using Tor.
It's no secret that many US courts don't have great track records when it comes to understanding technology. But last week, a federal judge in Washington state issued a truly baffling opinion suggesting that you don't have a reasonable expectation of privacy when using Tor, the widely used anonymity software literally designed to give its users privacy.
The statement comes from the case of Jay Michaud, a public school administration employee in Vancouver, WA caught by the controversial FBI hacking tool known as a Network Investigative Technique (NIT), which the Bureau deployed en masse to determine the true IP addresses of 1,300 users accessing images of child abuse on a hidden website called Play Pen.
The FBI was able to distribute the malware after it took over and controversially continued to operate the website for 13 days from a server in Virginia. Once it had control, the Bureau injected malicious scripts onto pages hosting images of child abuse, which downloaded the NIT to the visitors' computers and returned machine information, including their true IP addresses, to the FBI.
Michaud tried to suppress the evidence against him, arguing that because the server was located in Virginia and he was in Washington, the warrant for the NIT had violated Rule 41(b), which prevents judges from authorizing searches and seizures outside of their district.
But US district judge Robert J. Bryan denied the motion, noting that while the warrant technically violated the rule, a higher court's interpretation provides an exception for when the information sought could have been discovered by "other lawful means."
To prove this, the judge bizarrely argued that Tor doesn't give its users complete anonymity because a user has to give their IP address to their Internet Service Provider to connect to the Tor network. Therefore, he concluded, Michaud's IP address was "public information, like an unlisted telephone number" that "eventually could have been discovered."
This makes no sense to anyone with a basic understanding of how Tor works. Just like with any website or service, Tor users do reveal their IP address to an ISP when initially connecting to the Tor network, through an entry point called a guard node. But since Tor bounces data between random nodes located around the world, neither the ISP nor anyone intercepting traffic can correlate which IPs are accessing which sites.
Nevertheless, the judge ruled that Michaud had "no reasonable expectation of privacy" in his IP address because it was technically revealed at some point before entering the Tor network—even though there was no way for the FBI to discover that IP by looking at those connecting to the hidden site.
Chris Soghoian, a top privacy technologist at the ACLU who provided testimony in the case, was equally confused by the argument.
"As far as I can understand, [the judge] is saying that the gov violated Rule 41 by hacking Tor users outside the state of VA, but no harm no foul because it only got IP addresses, and that isn't a big deal, because the government would have found another way to learn those IP addresses. And then he doesn't explain how that would happen," he said in an email to Motherboard.
In the past, researchers have shown it is technically possible to identify Tor users with advanced traffic correlation techniques. But doing so requires an attacker to control both the entry and exit nodes the user is connected to, which is practically impossible unless they control a large number of nodes in the network. Even the NSA has expressed frustration with this method, saying in a leaked document titled "Tor Stinks" that it can only de-anonymize "a very small fraction of Tor users."
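Added example, not from the article or from the Tor project: a toy three-hop onion-routing model that records what the ISP, each relay, and a combined guard-plus-exit observer learn, illustrating both the guard-node point made earlier and the traffic-correlation point above. The relay addresses, site name, keys and stream cipher are constructed stand-ins, and a plain exit circuit stands in for the longer hidden-service rendezvous path.

```python
import hashlib

# Constructed topology, not real relays or a real site: a client behind an ISP,
# a three-hop circuit, and a destination (hidden-service circuits add hops).
CLIENT_IP, SITE = "203.0.113.7", "example-site-onion"
PATH = [("guard", "198.51.100.1"), ("middle", "198.51.100.2"), ("exit", "198.51.100.3")]
# Tor negotiates a separate key with each hop; these are constructed stand-ins.
KEYS = {name: hashlib.sha256(f"key-{name}".encode()).digest() for name, _ in PATH}

def xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter mode); one call both encrypts and decrypts."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def build_onion(payload: bytes) -> bytes:
    """One encryption layer per hop (innermost for the exit). Each layer's plaintext
    is '<next hop>|<inner ciphertext>': a hop learns where to forward, nothing more."""
    inner = payload
    for i in reversed(range(len(PATH))):
        next_hop = PATH[i + 1][1] if i + 1 < len(PATH) else SITE
        inner = xor_stream(next_hop.encode() + b"|" + inner, KEYS[PATH[i][0]])
    return inner

def relay_views(onion: bytes):
    """Forward the cell hop by hop, recording what the ISP and each relay observe;
    also return the payload the exit finally delivers."""
    views = {"isp": {"src": CLIENT_IP, "dst": PATH[0][1], "site": None}}
    prev, cell = CLIENT_IP, onion
    for name, ip in PATH:
        next_hop, cell = xor_stream(cell, KEYS[name]).split(b"|", 1)  # peel one layer
        dst = next_hop.decode()
        views[name] = {"src": prev, "dst": dst, "site": dst if name == "exit" else None}
        prev = ip
    return views, cell

def links_client_to_site(views: dict, vantage_points: set) -> bool:
    """True only if the combined vantage points hold both the client IP and the
    site, the end-to-end position the article says correlation requires."""
    seen = {v for p in vantage_points for v in views[p].values() if v}
    return CLIENT_IP in seen and SITE in seen

if __name__ == "__main__":
    views, _ = relay_views(build_onion(b"GET /"))
    for point, seen in views.items():
        print(f"{point:>6} sees {seen}")
    print("ISP alone links client to site:", links_client_to_site(views, {"isp"}))
```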
That makes it very strange for the judge to suggest there were other ways the FBI could have discovered Michaud's "public" IP address. In fact, the entire reason the FBI deployed the NIT in the first place was because it couldn't find "another way" to determine the hidden site users' true IP addresses.
"While I have complete respect for the judge, it appears that he still does not understand how Tor works, even after I testified in the case," said Soghoian.
Judge Bryan has also struggled to grasp the technical details of how the FBI's NIT works. A court transcript from the hearing authorizing the use of the hacking tool shows several exchanges where he didn't seem to understand that it was a hacking tool at all, at one point even appearing confused by the concept of remotely accessing information on a computer. When asked for comment, the judge's office said he doesn't comment on pending cases.