US says it can hack into foreign-based servers without warrants

Feds say it would have been “reasonable” for FBI to hack into Silk Road servers.
By David Kravets
Oct 7 2014

The US government may hack into servers outside the country without a warrant, the Justice Department said in a new legal filing in the ongoing prosecution of Ross Ulbricht. The government believes that Ulbricht is the operator of the Silk Road illicit drug website.

Monday’s filing in New York federal court centers on the legal brouhaha of how the government found the Silk Road servers in Iceland. Ulbricht said last week that the government’s position—that a leaky CAPTCHA on the site’s login led them to the IP address—was “implausible” and that the government (perhaps the National Security Agency) may have unlawfully hacked into the site to discover its whereabouts.

Assistant US Attorney Serrin Turner countered (PDF).

“In any event, even if the FBI had somehow ‘hacked’ into the SR Server in order to identify its IP address, such an investigative measure would not have run afoul of the Fourth Amendment,” Turner wrote. “Because the SR Server was located outside the United States, the Fourth Amendment would not have required a warrant to search the server, whether for its IP address or otherwise.”

Turner added, “Given that the SR Server was hosting a blatantly criminal website, it would have been reasonable for the FBI to ‘hack’ into it in order to search it, as any such ‘hack’ would simply have constituted a search of foreign property known to contain criminal evidence, for which a warrant was not necessary.”

The prosecution’s papers were in response to Ulbricht’s defense team crying foul on the government’s explanation of how they discovered the servers. Experts suggested that the FBI didn’t see leakage from the site’s login page but contacted the site’s IP directly and got the PHPMyAdmin configuration page. That raises the question of how the authorities obtained the IP address and located the servers.

“Thus, the leaky CAPTCHA story is full of holes,” said Nicholas Weaver, a University of California, Berkeley computer scientist who analyzed traffic logs the government submitted as part of the case.