
So we have a pretty good guess of how they did it, and while their affidavit doesn't give a lot of important details, ultimately they were just interacting with a web service in the way it is supposed to be interacted with - by sending it http requests - and the buggy site revealed itself to them because the guy who wrote it wasn't a very good web developer.

I can understand why they wouldn't want to give more details than they have to; it makes the prosecution's work harder. But I and many others have been arguing for years that there's nothing illegal about sending messages to a server and looking at the responses, if you aren't trying to damage anything. I can't see any reason why it would be less legal for the FBI to do it.




"...they were just interacting with a web service in the way it is supposed to be interacted with - by sending it http requests"

That line of reasoning sounds a lot like the Andrew 'Weev' Auernheimer case [0], where he gathered AT&T customers' email addresses by interacting with a server simply by 'sending it HTTP requests.' The FBI made its position clear on that case, prosecuting Weev for "conspiracy to gain unauthorized access to computers" and ultimately getting the guy sentenced to three years in prison.

The overarching circumstances are clearly different but undeniably parallel. It seems curious to me that the FBI could use the same sort of apparently 'criminal' tactics (by their own precedent) as legal grounds in their case against DPR.

[0] http://www.huffingtonpost.com/2013/03/18/andrew-weev-auernhe...


The slight difference is the FBI is investigating the source of the Silk Road (not illegal), vs. trying to obtain private information of folks from ATT (illegal).


There is no difference if they did not have a warrant. The FBI has the ability to break into your house, but if they do that without having a warrant they can't use anything they found against you.


I wouldn't call this breaking in, more like surveillance.


IMO a better analogy for "just sending packets" would be entering a store and looking around, or sending a package through the mail.

Why? Because it could EITHER be totally-legal or blatantly-illegal, depending on the time, place, manner, and other details.

Maybe they entered during business-hours, or maybe they broke in at 3AM. Maybe the package was a gift, maybe it was an explosive.


And with some very obvious exceptions, warrants are required to commit surveillance that violates certain privacy and property rights.


The thing is I don't believe the court will find this to be violating any laws.


I think you're probably right, but the argument up-thread was that the justice system is hypocritical regarding the permissibility of actions taken by the government compared to individual people.


Yeah, I think the key here is that Silk Road's IP address is public information, especially since they were able to connect to it directly, whereas AT&T users' private information is private.


Are you also surprised that the FBI can shoot people dead, while most people would get prosecuted for that?


"Are you also surprised that the FBI can shoot people dead, while most people would get prosecuted for that?"

Hopefully the FBI won't be shooting people dead as a means of preparing a legal case - that would be a pretty frightening 'ends justify the means' mindset. The crux of the matter is due process [0].

Granted, I'm not a lawyer nor am I well versed in legal processes: from a purely lay perspective, I just am seeing the FBI call tactic A a crime right before employing the same tactic A to indict someone else, and it smells like hypocrisy to me (honestly, more likely mistreatment of Weev than of DPR.)

[0] http://en.wikipedia.org/wiki/Due_process

[edit] add quote from parent comment


> Hopefully the FBI won't be shooting people dead as a means of preparing a legal case

It's certainly a novel approach to jury selection. Probably would be popular amongst a few State Bars.


That would certainly be a very dire voire.


Congratulations! You have been nominated for worst pun on HN 2014. An awards dinner in Anchorage is scheduled for December and Jon Stewart will be compering!

:-)


We agree, but one reason we'd want more details about the FBI going to greater lengths to trigger the bug is that when the court confirmed that was legal for the FBI to do, it could add precedent that it's legal for others to go to those greater lengths too. (legal or just general consensus, which affects judges' decisions even when it's not a legal precedent)


Whatever it is that the FBI did, the agency should be held to exactly the same standard as a private individual interacting with a company's online presence. Have private individuals ever been prosecuted for exploiting security loopholes to extract data from a public site? If so, then government agencies should be held to the same standard, and any data obtained in that way should be deemed inadmissible as evidence.


I do not feel that it is a good idea to further encourage or embed a precedent in this direction. We've had too many cases going in that direction already. I would far rather see cases establish a precedent that, if no harm is otherwise caused, then the act of confirming a security flaw is not unlawful in its own right.


My point is that, for the purposes of justice, the exact same standards should apply to government agents and private individuals in the matter of admissibility of evidence. Meaning that if they want to relax the standard for the government, then security analysts should also benefit.



