ACLU questions how Tor email users got FBI-deployed malware


The ACLU filed a motion in Maryland court for information on why the FBI seemingly indiscriminately infected users of a free email service with malware. 

Lawyers from the civil liberties group are seeking to unseal the docket sheets connected with a warrant to use the malware on users of TorMail, a service that was only accessible on the Tor anonymous web browsing network. 


Docket sheets would explain general procedural information about issuing the warrant, including who the judge was, which is still not public.

TorMail is not affiliated with the Tor Project that runs the Tor browser. 

“We don’t know how a warrant that affected thousands of people – including innocent people, activists and journalists – were caught up in this warrant,” said ACLU Staff Attorney Brett Max Kaufman, one of the attorneys who filed the motion last week to unseal the docket sheets. 

TorMail was one of many sites hosted by the Freedom Hosting Network, a service that housed a variety of websites only visible on the Tor network. Some of the sites hosted by Freedom were intended to distribute child pornography. TorMail, notes the ACLU filing, was not one of those sites.

In July 2013, the FBI seized Freedom’s servers. On July 22, it was issued a warrant to use what law enforcement terms a Network Investigative Technique (NIT) on a child pornography site – though the identity of the site is currently secret.

NITs are programs designed to be surreptitiously installed on computers to help law enforcement investigate crimes. Because NITs are unwanted programs that users are given no opportunity to decline, they generally fit the definition of malware.

The FBI warrant ran from the end of July 2013 to August 5 of that year. 

TorMail users noticed on August 4, 2013, that the website was attempting to install software later found to be similar to the NIT used in a child pornography case. 

“There is reason to believe ... that the malware warrant issued by this Court on July 22, 2013 was the source of authority for the deployment of malware not just against [a child pornography defendant,] but across Freedom Hosting websites and services — which had thousands of users — including against innocent users of TorMail,” reads the ACLU filing. 

There is no definitive way to say whether the warrant for one covered the NIT against the other. That, wrote the ACLU, is a central problem with sealing the original warrant and docket sheets. 

“The sealing of the docket sheet associated with the July 22, 2013 warrant prevents these concerns from being aired and debated publicly. Indeed, it prevents the public from learning or confirming even the most basic facts about the deployment of malware for law-enforcement purposes: the fact of judicial approval is unconfirmed; any reasoning supporting such approval is inaccessible; even the reasons for precluding public access are themselves inaccessible,” reads the ACLU filing.