
For two years beginning in 2011, Ross William Ulbricht (using the pseudonym Dread Pirate Roberts) ran the Silk Road, an illicit web-based marketplace which specialized in selling illegal drugs.  The FBI eventually caught up with Ulbricht and arrested him, and he is now on trial in the Southern District of New York.  Ulbricht’s defense attorneys have been arguing that the government violated Ulbricht’s Fourth Amendment rights during their investigation.  Specifically, the defense argues that the government hacked into a Silk Road server in Iceland, and from there obtained information which led to various pen-trap orders and warrants to seize servers in the United States, as well as Ulbricht’s laptop and Facebook accounts.  But without the initial access to the Iceland server, the government would not have been able to proceed with its investigation.  In other words, the defense alleges, all of the evidence against Ulbricht is fruit of a poisonous tree.

The government responded with an affidavit from an FBI agent which held that the government investigators found the Iceland server through perfectly lawful means.  The affidavit states that “the Internet protocol (“IP”) address of the [Iceland] Server was ‘leaking’ from the site due to an apparent misconfiguration of the user login interface by the site administrator”–that is, a bug in the login interface led the police to the server’s IP address.  The government also argued in its brief that the search of the server was carried out by Icelandic authorities, so the Fourth Amendment does not apply, and that even if the Fourth Amendment did apply, a search of an American citizen’s property overseas need only be “reasonable”–which this was.   Thus, the trial court had a number of interesting factual and legal questions to resolve.

But alas, Ulbricht was unwilling to take the procedural step that is necessary to allow the court to resolve these questions.  Throughout the case, he has refused to acknowledge any personal privacy interest in the Iceland server–that is, he has denied any connection to the Iceland server (and to the Dread Pirate Roberts and the Silk Road).  Thus, he did not have standing to challenge the government’s conduct–whatever it might have been–when it gained access to the server.  In other words, the entire issue ended up being nothing more than a hi-tech version of a defendant’s catch-22–either deny ownership of the contraband and lose your right to challenge the search and/or seizure of the contraband, or admit to owning contraband which establishes your guilt.  The Supreme Court has held that the prosecution cannot use that admission against you (except for impeachment, which is a significant exception)–but especially in a high-profile case like this, a defendant may still not be willing to make that admission.

Ulbricht’s unwillingness to take this step is unfortunate (though understandable), since a full analysis of the case could have led to discussions of a number of important issues.  For example, if the government did indeed hack into the Silk Road login page (as alleged by the defendant), the government had no idea that the server was located outside the United States when it committed that hacking, and so the lower “international” standard should arguably not have applied to the government’s actions.

And what type of “hacking” constitutes a search under the Fourth Amendment?  If the government was able to gain access to the server (as it claims) by merely entering random characters into the login until the IP address appeared, wouldn’t this still be a search?  Does a website’s server have to be protected by a certain level of security before its owner can claim a reasonable expectation of privacy in it?  On the one hand, the defendant could argue that a server is like a home or an office, so the government would be conducting a Fourth Amendment search simply by entering the server without permission, even if there was no security preventing them from doing so.  On the other hand, the government could argue that if any Internet user in the world can obtain the server’s IP address simply by playing around with the login page for a few minutes, then the owner of the server has revealed the location of the server to the world, and has relinquished all reasonable expectation of privacy in the server.  In other words, when does an individual have a reasonable expectation of privacy in his server?

Professor Orin Kerr has argued that the government might have violated the Computer Fraud and Abuse Act (“CFAA”) when it obtained the IP address of the Iceland server.  In an earlier prosecution under the CFAA, the Department of Justice argued that a defendant violated the CFAA when he obtained information from an AT&T website that “AT&T had not intended for the public to see” and which was “in a place where an ordinary computer user would likely not find it.”  Based on this standard, the FBI in the Silk Road case did violate the CFAA even if we accept the government’s version of how they obtained the IP address.  Professor Kerr acknowledges that the CFAA has an exception for lawful government investigations, but notes that there is still a tension between the government’s position in the Silk Road case and its position in the CFAA prosecution.