FBI ran 23 Dark Web child porn sites to gather visitor info

© Ina Fassbender
The FBI was authorized to operate 23 child-porn websites on the Tor network in order to collect data on users via malware, according to unsealed court documents. In January, it was revealed that the FBI had similarly ran a top child porn site for 13 days.

Court documents obtained by the American Civil Liberties Union show that the FBI was authorized by a Maryland judge to target child porn users of "Websites 1-23." The sites operated in areas of the "Dark Web" on the browser Tor, where IP addresses are hidden.

In January, the FBI said that for 13 days in February last year it had taken over operations of Tor-hidden Playpen, which the agency called "the largest remaining known child pornography hidden service in the world." In the process, the FBI used malware — or "network investigative technique" (NIT) — to infect users' computers until May 4, 2015. More than 4,000 computers worldwide were hacked in this fashion, and 186 people were charged.

"In the normal course of the operation of a web site, a user sends 'request data' to the web site in order to access that site. While Websites 1-23 operate at a government facility, such request data associated with a user's actions on Websites 1-23 will be collected," said an FBI affidavit within the recently unsealed documents. "That data collection is not a function of the NIT. Such request data can be paired with data collected by the NIT, however, in order to attempt to identify a particular user and to determine that particular user's actions on Websites 1-23."

A cybercrime legal expert said the unsealed documents suggest that while the FBI doesn't admit to full operation of these sites, they certainly benefitted from the operation.

"That paragraph alone doesn't quite say the FBI is operating them," Fred Jennings told Ars Technica. "But definitely no other way to read that than websites 1-23 were hosted at a government facility, with the FBI's knowledge and to the FBI's informational benefit. It's clever phrasing on their part."

Another cyber expert told Ars Technica that the FBI is running at least some Tor-hidden child porn sites on the Dark Web. 

"Doing the math, it’s not zero sites, it’s probably not all the sites, but we know that they’re getting authorization for some of them," said Sarah Jamie Lewis, operator of OnionScan, a Dark Web analysis project. "I think it’s a reasonable assumption—I don’t think the FBI would be doing their job if they weren’t."

Membership on Playpen rose by a third and it ran “much better” while it was operated secretly by the FBI, defense lawyer for Steven Chase, the original administrator of Playpen, argued in court in August in attempts to have Chase's charges dismissed due to “outrageous government conduct."

“The FBI distributed child pornography to viewers and downloaders worldwide for nearly two weeks, until at least March 4, 2015, even working to improve the performance of the website beyond its original capability,” wrote Peter Adolf, an assistant federal defender in the Western District of North Carolina, adding that the FBI's management resulted in an increase in visitors and a growth in membership.

The Bureau denied making improvements to the site. In September, Chase was found guilty of of engaging in a child exploitation enterprise, advertising child pornography, possession of child pornography, and three counts of transportation of child pornography.