Poisoned water holes: the legal dangers of dark web policing

This article is part of a series on how law enforcement is fighting crime across digital borders.

Australian police are using “poisoned watering holes” to investigate crime on the dark web. By taking over illegal marketplaces that traffic in child pornography or drugs, law enforcement are collecting information about criminals all over the world.

Of course, crimes that occur on the internet often cross international borders, but this situation is creating troubling new standards in transnational policing.

Research, including our own, indicates that as police operations move into online environments, new rules for digital evidence collection and exchange must be developed to assist prosecutions while preserving due process and human rights.

Read More: Spyware merchants: the risks of outsourcing government hacking

Investigations on the dark web readily transcend geographic demarcations fundamental to the use of search warrants and the admissibility of evidence.

Some enforcement agencies have conducted online investigations and attempted to access or transfer information outside existing domestic and transnational legal frameworks. This is common in cases involving dark web sites that distribute child exploitation material (CEM).

Without proper checks, police could have significantly expanded scope to search homes and computers around the world, even in cases not involving CEM.

Watering holes and network investigative techniques

The techniques used in online investigations can have potentially problematic legal standing.

Playpen was a dark web site used to distribute CEM. The FBI seized the site in 2015, and obtained a warrant to continue its operation on a government server.

The FBI used a Network Investigative Technique (NIT), also known as Computer Network Exploitation, to identify Playpen users. This distributed malware onto any computer used to log into the site.

The NIT enabled the FBI to identify the IP addresses, log-in times, and operating systems of around 150 computers located in the United States and more than 8,000 computers located in 120 countries. Up to 215,000 registered Playpen users globally could be affected.

According to the Electronic Frontier Foundation, Playpen is the largest known US government hacking operation. But it was authorised by a single warrant issued in Eastern Virginia.

Specialist online units in Australia, such as Task Force Argos in the Queensland Police Service, have also used “poisoned watering hole” tactics.

Australian paedophile Shannon Grant McCoole, who administered “The Love Zone” site, was apprehended after a tip from Danish police. Task Force Argos investigators then effectively ran the site “while feeding information to international law enforcement colleagues”.

The investigation identified many users located in other countries, including several who were prosecuted in the United States.

Details of the warrant used in this investigation are unclear, which is common in cases involving CEM that result in guilty pleas.

Darkweb investigations and the law

There are some established methods for law enforcement sharing information across borders.

Mutual Legal Assistance Treaties (MLATs) are similar to extradition treaties. States seeking access to digital evidence located offshore must first issue a formal request.

MLATs aim to protect the legal rights of people suspected of transnational or offshore offending. However, available US cases involving The Love Zone do not appear to mention MLAT procedures.

This has troubling implications for the right to a fair trial.

It’s possible Task Force Argos informally communicated the IP addresses of US-based site users directly to US authorities. Queensland Police declined to comment on the warrant.

The geographic scope of the Playpen NIT warrant, on the other hand, is extremely unclear. Some US courts have declared the NIT warrant to be valid only within Eastern Virginia.

At least one US court has ruled that warrants to search homes and seize computers outside of this district produced evidence viewed as the “fruit of the poisonous tree”.

In other words, because the dark web’s infrastructure could only enable law enforcement to uncover the locations and identities of suspects through the defective NIT warrant, any physical evidence seized from a subsequent warrant to search a home was inadmissible.

However, some US courts seem willing to admit evidence from the Playpen NIT because the FBI is regarded by the courts as acting in good faith in both seeking and executing it.

Legal geographies of online investigations

Law enforcement agencies are keen to maintain secrecy of dark web CEM investigations. But there is concern from legal experts that informal police networks routinely operate outside of established MLAT procedures.

The MLAT process is slow, technical and cumbersome. This may fuel the acceptance of questionable NITs and exchange of data between police to streamline transnational dark web investigations. But it could also undermine complex cyber-prosecutions and the fairness of criminal trials that rely on electronic evidence.

Read More: Inside the fight against malware attacks

The informal exchange of criminal intelligence and use of malware is understandable where child welfare is at stake. But these investigative methods undercut current attempts to preserve due process and digital security standards.

Success in these types of investigations cannot solely be measured by prosecution and conviction rates. It should also be measured by the legality, ethics and transparency of transnational investigative procedures and the rules that underpin them.