Unsealed Documents Provide More Details On Federal Investigators’ YouTube Dragnet
Earlier this week, reporting by Thomas Brewster for Forbes uncovered yet another way law enforcement is expecting companies like Google to perform their investigative work for them.
For a few years now, we've covered the use of geofence warrants capable of turning multiple people into criminal suspects, as well as the even more dubious "keyword" warrants, which turn anyone Googling certain words into a possible suspect.
The feds are now targeting any viewers of certain YouTube videos, serving up some pretty general-looking warrants that demand Google turn over a wealth of information on anyone who accessed certain YouTube URLs during a certain time period. Technically, they're not "warrants," but 2703(d) court orders for customer information, though that hardly makes it any more comforting.
Unfortunately, the reporting at Forbes did not include any of the underlying documents. Fortunately for us, there are plenty of amazing people out there on the internet, including Virgil Abt (who was the subject of a broad DOJ subpoena back in 2017, along with crowd favorites like Popehat and Dissent Doe). Virgil hunted down the relevant documents and posted them to BlueSky.
The first thing you'll notice is that the only reason anyone's seeing these is because the gag order finally expired. Federal investigators seeking to unmask someone allegedly involved in trading Bitcoin for cash, possibly in violation of money laundering laws, had online conversations with the subject, including one where YouTube URLs were exchanged (in violation of no known laws). The government asked for - and obtained - a one-year sealing of the affidavit, along with a one-year gag order targeting Google.
Here's what the order [PDF] sought:
The Order applies to certain records and information associated with any Google account(s) or IP addresses accessing the following URLs between 01/01/2023 and 01/08/2023:
https://youtu.be/lRQu71VPl2s
https://www.youtube.com/watch?v=nI2Y9pQIqIA
https://www.youtube.com/watch?v=G2OE7l4vQqs
As Virgil points out in the BlueSky thread, the videos appear to be completely innocuous recordings dealing with mapping software. All the videos were at least one year old and not exactly popular. Virgil estimates the total number of views of the URLs to be in the area of 200 per week.
But that's still a whole lot of people affected. That's potentially 200 unique users being swept up in a dragnet that pretends it's completely normal to demand all this customer info. And it's not as though the government was just asking for anonymized data in hopes of narrowing down the haystack into a usable set of suspects.
The order demands any identifying information Google might have obtained on viewers of these videos, including names, addresses, phone records, device information, IP addresses, online payment records, user activity records, and recovery email addresses. It's a pretty heavy ask, especially when the government had nothing more to work with than the one URL shared by the subject with undercover investigators (the first URL in the request) and the two sent in response by government agents.
The basis for this extremely broad demand for personally identifiable information is a single exchange between the suspect and investigators, as detailed in the affidavit [PDF]:
The United States has conducted multiple, undercover transactions with the ELM moniker, in which the United States provided bitcoin (BTC) to an address specified by ELM, and cash was mailed to a name and address specified by the United States. While arranging one such transaction, the United States told ELM that the BTC originated from the proceeds of drug sales.
While communicating about this transaction, ELM sent a link to a YouTube video, https://youtu.be/lRQu71VPl2s, on January 3, 2023, at approximately 3:22 PM UTC. In response, the United States sent links to two additional YouTube videos, https://www.youtube.com/watch?v=nI2Y9pQIqIA and https://www.youtube.com/watch?v=G2OE7l4vQqs, on January 4, 2023, at approximately 2:52 PM UTC and 3:12 PM UTC, respectively.
After providing some more information about YouTube and Google and how people access YouTube URLs to watch YouTube videos, the government sums up its proposed demand for a massive data dump possibly affecting 200 different YouTube users with this conclusory sentence:
There is reason to believe that these records would be relevant and material to an ongoing criminal investigation, including by providing identification information about the perpetrators.
That was apparently enough for the magistrate, who not only signed off on the order but the one-year gag order as well.
And sure, it's very possible this led to investigators obtaining identifying information on the subject of their investigation. But there were much better ways to achieve the same thing, like uploading a relevant video, setting it to private, and sending out that link to ensure the only viewer would be the target of the investigation. Or the feds could have limited the request to the URL sent by the suspect, which would have at least minimized the number of people affected. Using publicly accessible content as a honeypot is an extremely careless move, and this request should have been challenged by the magistrate, rather than given judicial blessing and a one-year gag order to boot.
As Brewster's reporting for Forbes notes, there are more cases like this out there. And it's inevitable more will surface in the future as gag orders expire. But this particular investigative tactic looks like general rummaging in hopes of finding something useful, the very sort of thing the Fourth Amendment is supposed to protect against. Just because there's a third party involved doesn't make it any more acceptable.