Innocent sites caught in a dragnet

A New York Times blog reported last night that entire racks full of web hosting servers were seized by the FBI in an effort, presumably, to get at some evidence living on one of the servers:

The F.B.I. seized Web servers in a raid on a data center early Tuesday, causing several Web sites, including those run by the New York publisher Curbed Network, to go offline.

The raid happened at 1:15 a.m. at a hosting facility in Reston, Va., used by DigitalOne, which is based in Switzerland, the company said. The F.B.I. did not immediately respond to a request for comment on the raid.


DigitalOne provided all necessary information to pinpoint the servers for a specific I.P. address, Mr. Ostroumow said. However, the agents took entire server racks, perhaps because they mistakenly thought that “one enclosure is = to one server,” he said in an e-mail.

Other sites that were using those servers reportedly include popular services Pinboard and Instapaper.

If the reported information is accurate, it appears the FBI really messed up here, harming several legitimate sites that didn't have to be harmed, and potentially damaging the reputation of the web hosting provider (presumably an innocent intermediary).

This also raises questions about how to apply the concept of property seizures to the cyber world. If I'm suspected of a crime, law enforcement can—with a court's permission—seize my computer and search it for evidence. In this case, though, it seems the servers seized didn't belong to the party under investigation. Rather, that party was renting space on a shared server, which in turn was part of a server farm. The FBI's actions seem equivalent to seizing an entire lot full of rental cars because one of the rental agency's customers was suspected to have committed a crime using one specific car on the lot.

Courts and law enforcement organizations are going to have to put some effort into figuring out  a better way to execute seizures against shared digital resources. This might, for example, mean temporarily taking the server in question (and only that server) offline to create a forensically-valid clone of the contents, rather than seizing the physical equipment.

In any case, I hope that we won't see many repeats of this apparent over-reaching.

Bavarian Government Gets Up Close and Personal

Posted on July 7, 2008 - 17:05 by lmallek

The German state of Bavaria has approved laws that "allow the police to plant spyware":http://www.theregister.co.uk/2008/07/07/bavaria_police_spyware_plan/ on the computers of suspected terrorists. While German federal laws restrict the government to infecting computers with email, Bavarian laws allow police to enter a suspect's home to physically infect the machine. According to The Register, Bavarian interior minister Joachim Herrmann "gave short shrift to [privacy] objections, stating that Bavaria is leading the field in 'internal security' in becoming the first German state to approve the plan."

This step taken by the Bavarian government "counters a ruling":http://arstechnica.com/news.ars/post/20080227-german-court-says-policewa... earlier this year by Judge Hans-Juergen Papier in North Rhine-Westphalia. He opined that under regular circumstances spying on individuals was unconstitutional, and that permission of a judge would be required prior to implementing this type of surveillance during extreme situations.

In 2007, the internet was talking, though not over VOIP, about the Bavarian government looking to "monitor and record":http://www.boingboing.net/2008/01/26/german-govt-caught-b.html Skype phone calls. Documents leaked through Wikileaks showed the thrifty Bavarian government haggling to get a better price on the products needed to invade their citizen's computers.

FTC forces pornographic ad pusher to clean up

Posted on December 7, 2007 - 14:55 by egeorge

The FTC this week reached a settlement with the owners of AdultFriendFinder.com over misuse of pornographic pop-up ads. The ads covered users' full screens and showed pornographic content to users of search engines, including many who had never requested an explicit site. According to the FTC's statement, some of the ads were distributed through badware.

As part of the settlement, the company behind AdultFriendFinder.com has committed to require consent before showing ads or sexual content. The company must also weed out any of its affiliates who don't do the same, making it harder for them to pass the buck if there is future abuse.

The FTC's statement says the practice of displaying explicit ads without consent is a violation of the FTC Act, but does not specify whether the core violation is of consent to being shown ads, consent to being shown sexually explicit imagery, or both.