FBI's Hacking Tool Found To Have Compromised Dozens Of Computers In Austria

The FBI is already having problems here at home with the hacking tool it deployed during its dark web child porn investigation. A few judges have ruled that the warrant used to deploy the Network Investigative Technique (NIT) was invalid because the FBI's "search" of computers around the United States violated Rule 41(b)'s jurisdictional limits.

Now, we'll get to see how this stacks up against international law. It's already common knowledge that the FBI obtained user information from computers around the world during its two weeks operating as the site administrator for the seized Playpen server. More information is now coming to light, thanks (inadvertently) to a foreign government's inquiries into domestic anti-child porn efforts. Joseph Cox of Motherboard has the details:

Earlier this year, Austrian MPs sent a letter to the country's parliament, asking for more information on child pornography and sex tourism cases. In response, politician Johanna Mikl-Leitner wrote that Austrian authorities cooperated in Operation Pacifier, showing for the first time that the FBI hacked computers in the country.

According to her letter, a list of 50 Austrian IP addresses were evaluated by a federal intelligence unit and used to pursue suspects of possession and distribution of child pornography. The IP addresses led investigators to "countless child pornography files," according to a translation of the letter, which is dated March 2016. "Extensive investigations are still underway," it continues.

Local law enforcement appears to be unconcerned that the FBI has exceeded its Rule 41(b) grasp. It took the tips delivered to it by the FBI's NIT and has carried out investigations of its own, collaborating with Europol. Apparently, the FBI's lack of explicit permission -- either from the local US magistrate judge or from foreign governments -- isn't considered problematic when used to scoop up offenders few are willing to defend. Europol and the FBI have refused to comment on how far the Playpen/NIT net was cast, but it apparently includes Greece, Chile, Denmark, and Colombia -- along with possible (but unconfirmed) Playpen users located in Turkey and the UK.

Obviously, the Virginia magistrate who signed the FBI's warrant application had no idea how far its NIT would reach. To be fair, the FBI likely had no idea either, as it was dealing exclusively with users whose originating locations had been obscured by the Tor browser. That being said, the FBI gave no indication in its affidavit that it would possibly be carrying out extraterritorial searches, traveling far beyond the magistrate's jurisdiction and into computers located in multiple foreign countries.

To "fix" this limitation, the FBI is firmly behind the current, mostly-downhill push to strip jurisdictional limits from Rule 41, leaving it free to perform this hacking without being second-guessed by federal judges during prosecutions. That other countries are more than happy to partake in the results of possibly illegal actions doesn't say much about their willingness to protect their own citizens from US law enforcement overreach. Or, at least, it shows there are certain suspects they're not interested in protecting -- even if it means creating a slippery slope they may regret later, when the FBI starts coming after alleged criminals not so universally reviled.