Not surprisingly, the FBI’s filing doesn’t see it that way. Tarbell wrote that Ulbricht’s “various claims are bereft of any support in the law,” and referred to the technical criticisms as a “pointless fishing expedition” and “misguided conjecture.” The FBI claims that the data was gathered lawfully, and that the Silk Road’s Tor-obscured server data was “leaking” an IP address due to an “apparent misconfiguration” in the CAPTCHA server on the login interface. That one mistake was all it took, the FBI claims, to begin piecing together the needed details, collect routing data, bring in “foreign authorities” for warrantless searches of the Silk Road’s Iceland-based servers (outside of U.S. jurisdiction) and otherwise slowly tighten the noose around the Silk Road operation.
According to former Tor project contributor and security investigator Runa Sandvik, however, the FBI’s version of events doesn’t add up. Speaking to Wired, Sandvik said that the CAPTCHA server wasn’t incorrectly configured, as it was hosted on the same server as the rest of the site. If the CAPTCHA was leaking data, the entire site would also be leaking data, indicating that Tor itself had become compromised.
“The way [the FBI] describe how they found the real IP address doesn’t make sense to anyone who knows a lot about Tor and how web application security works,” Sandvik told Wired. “There’s definitely something missing here.”
Another dissenting voice comes from Australian security consultant Nik Cubrilovic, who claims that users — and hackers — would have noticed leaking IP data long before the FBI did. Cubrilovic calls the FBI’s version of events “unreasonable,” and says that the filing’s description “raises more questions than it answers.”
“Anybody with knowledge of Tor and hidden services would not be able to read that description and have a complete understanding of the process that the agents followed to do what they claim to have done,” Cubrilovic said in a blog post. “Were the Silk Road site still live today, and in the same state it was as in back in June 2013 when the agents probed the server, you wouldn’t be able to reproduce or recreate what the agents describe in the affidavit.”
The implications of the FBI gathering data illegally — what Wired’s Andy Greenberg describes as sounding “a lot like hacking” — loom large in the case. It remains unclear what an “illegal” search means in this context, as multiple jurisdictions are involved. Even if the FBI used the blackest of black-hat techniques in its investigation, there is little clarity about what is and isn’t allowed under the Constitution.
“If the government did some intrusive injection of code, the issue will be whether Ulbricht can complain about it,” Hanni Fakhoury, an attorney with the Electronic Frontier Foundation, told Wired. “There are some very interesting Fourth Amendment questions, but it will depend on what exactly he did and the terms of his agreement with the web hosting company.”