Parallel construction is retroactively finding an alternate, legal/unclassified explanation for an evidence trail, but one which is inherently incorrect; if the SSL cert scanning or other repeatable method was the route taken, NSA probably wouldn't want to tip their hand. It's probably worth noting that the only examples of parallel construction that we have confirmation of were drug cases.
Yes, I know what it is, but what I'm curious about is whether that tactic would fit the definition. Scanning IP addresses for publicly served SSL certs and comparing them with one served over Tor isn't obviously an unwarranted search, is it?
If the original Tor cert was discovered in an unlawful search, and then they did a scan of the public internet to find it again in a legal search, that's parallel construction.
And let's not forget: NSA already have an almost-irresistibly useful database designed for exactly this purpose (selecting and correlating on attributes of SIGINT-captured SSL/TLS sessions, such as certificates - and they could easily just put a selector on the CommonName or the certificate fingerprint).
You don't have to be the NSA to make a database like that, but it helps. I could build a database broadly like that for certificates/ciphersuites/other metadata myself with active scanning and zmap (and it might make a good weekend project, to examine and contrast RC4 proliferation amongst TLS-encrypted web and mail servers) - but they have a near-realtime-updating passively-constructed one. If the FBI asked them for help, they'd definitely use that.