In 2013, the dark web email service Tormail was seized by the FBI and the contents of their servers taken with them. It was also suspected that the FBI had made use of a network investigative technique (NIT), an FBI term for a hacking tool to compromise some users of the service. A report by the Washington Post on the FBI’s use of NITs confirmed these suspicions but also opened many more questions, such as the scope of the hacking.
Prior to its takedown by the FBI, the Tormail service ran on the dark web, only accessible through the Tor network. Such hidden email services are typically used by those in need to privacy, whether for legitimate reasons, such as journalism, or less than legal activities such as drug dealing, trading on Silk Road and other activities that could draw the attention of the FBI. The agency had supposedly obtained a warrant to hack the accounts of certain people thought to be associated with the distribution of child pornography.Despite this, at the time Freedom Hosting, a web host providing dark web services including Tormail, was seized by the FBI anyone accessing a page hosted by Freedom Hosting was served an error page. This error page was designed to serve malicious code that took advantage of a security flaw in the Firefox browser to transmit the user’s real IP address to a Virginia server.
An ex-user of TorMail told Motherboard that the error page and malicious code “appeared before you even logged in.” This brings into question whether the FBI was acting within its claims of targeting specific users if the real IP address of every single person to access TorMail was reported to them. And while there were certainly criminals making use of the service, many users were not engaging in criminal activity, regardless of their reason for wanting privacy.Christopher Soghoian,
Christopher Soghoian, a technologist for the American Civil Liberties Union, told Motherboard “If the government, in fact, delivered an NIT to every single person who logged into TorMail, then the government went too far.” Not to mention, if the FBI were hacking everyone accessing the service with the only justification being their usage of a privacy service, it could be considered unreasonable and may not respect boundaries for international users. And with NIT orders not being publicly released, even years after the fact, there is no concrete information as to what the judge actually authorized the FBI to do.
Cases like this are worrying to anyone who is concerned about online privacy. With Tor recently suspected to be compromised by the FBI and their director decrying the use of encryption without backdoors, it is unclear where the power of the FBI truly reaches. This lack of public accountability could be a threat to those who desire privacy for innocent reasons and may harm unbiased journalism should the tools it uses put it under threat.