The Silk Road takedown shows how the Feds can get around crypto

Program Date: July 23, 2016

In recent years, the FBI and other federal law enforcement have complained about the “Going Dark” problem. That’s the idea that because of so-called warrant-proof, unbreakable encryption, criminals have a new advantage.

This issue came to a head earlier this year in the San Bernardino terrorism case, which pitted the Department of Justice against Apple. Prosecutors claimed that the government absolutely needed to get into a dead terror suspect’s iPhone, and that investigators couldn’t do it without Apple’s help.

While the Justice Department ultimately was able to get into the phone by paying a mysterious company, the case raised new questions about how the government can, should and does circumvent encryption.

However, within the last few years, the government was able to beat Silk Road, the world’s biggest and most technically advanced underground drug website, mainly by using old-fashioned police work. Its playbook may provide a template for how federal authorities target the country’s most sophisticated criminals.

Ross Ulbricht ran Silk Road from his laptop, primarily from a San Francisco café, for about two years until he was arrested at a library in 2013. Authorities claimed that the site facilitated about $1.2 billion worth of illegal drug transactions.

“It was eBay for drugs, with a couple of innovations,” said Nicholas Weaver, a senior researcher at the International Computer Science Institute in Berkeley. “It had a payment system the feds couldn’t stop. The system was pseudonymous so you could gain a positive reputation. And it acted as an escrow service and dispute resolution provider so it basically arbitraged trust. You had to trust Silk Road and Silk Road would ensure that the dealer would provide the product.” 

Weaver has closely followed the case, which ended with Ulbricht getting a double life sentence after being convicted of drug crimes. Buyers and sellers all used fake names, and Silk Road itself took a cut of every deal. Ulbricht ran his empire using the latest encryption and anonymity tools.

First off, the site was only accessible via Tor, an anonymous way to browse the Web. Drugs and other wares were priced in Bitcoin, a difficult-to-trace digital currency. Many people communicated using encrypted e-mail, and Ulbricht himself encrypted his laptop.

When federal law enforcement first tried to approach Silk Road, they didn’t really know how. It was unlike any other digital case anyone had ever seen. And so for two years they tried everything.  

“You had dealers that were flipped,” Weaver added. “You had law enforcement infiltrate as admins. You had law enforcement take over admin accounts. You had law enforcement get corrupt and try to steal a lot of money. But in the end what broke the case was a combination of diligent police work and a bit of hacking.”

Eventually the site was infiltrated by at least three federal agents, and once they started establishing patterns of behavior, they started physically surveilling Ulbricht, too. In the end, the bust came when agents followed Ulbricht to a library.

As Wired reported in 2015, a man and a woman, working undercover, staged an argument right behind Ulbricht—he turned around to see what was going on.

“And they tackled him to the floor with the computer open,” Weaver added. “And this broke the case wide open.”

The cops found a treasure trove of information about Silk Road. The best part? They found an extensive diary going back years of how Ulbricht started and operated Silk Road.

“Because he forgot the rule number one of a criminal conspiracy—you don’t make notes on criminal bleeping conspiracy!” Weaver huffed.

Seizing the computer while it was open and running was crucial. Because agents took it in that state, all of Ulbricht’s fancy encryption was worthless.

Going Dark

While the Ulbricht case represents a major victory for law enforcement, the FBI and other agencies are increasingly concerned that encryption is giving criminals the upper hand, so they argue that companies should be compelled to provide a means for law enforcement to access encrypted data.

“Unfortunately, the law has not kept pace with technology, and this disconnect has created a significant public safety problem we have long described as ‘Going Dark,’ and what it means is this: Those charged with protecting our people aren’t always able to access the evidence we need to prosecute crime and prevent terrorism even with lawful authority,” FBI Director James Comey said in a speech at the Brookings Institution in October 2014.

The issue gained new importance after the mass shooting in San Bernardino last year. The government tried to force Apple to create an entirely new operating system to open up the locked iPhone used by a dead terrorist.

But Catherine Crump, a law professor at the University of California, Berkeley, doesn’t believe warrant-proof encryption is making us less safe. She points to all the other information readily available to law enforcement.

“In reality the government has access to far more information than what each of us says and does than it ever had before,” she said. “That isn’t to say there are some things that the government can’t access. But far from going dark, this is a golden age for law enforcement.”

For example, in the San Bernardino case, Crump notes the government had all kinds of access to the shooter’s phone records, and information backed up to Apple’s iCloud.

Yet that service, which many people use to store messages, photos and more, is a prime example of why the FBI and other agencies think Apple is being disingenuous when it says it can’t build a secure encryption system with so-called backdoor access for warrants.

The logic: If Apple can build secure access for itself into the cloud, can't it find a way to do that for its iPhone?

Privacy vs. security

David Bitkower, a deputy assistant attorney general at the Department of Justice, notes that Apple has designed iCloud in such a way that it can hand over data to the government if needed. Similarly, the way that Google makes money is by running ads against your private email and your searches. For Bitkower, the bottom line is simple.

“The question is that at the end of the day when we think about the value of law enforcement or the value of public safety—do we think the value of public safety is on the par with advertising or searchability?” Bitkower said. “Because the problem has already been solved in that context.”

However, many civil libertarian advocates, like Crump, think that the encryption debate is practically moot. Strong warrant-proof encryption is getting easier to use and is becoming more widespread, even as lawmakers struggle to come up with their own answer.

In the Silk Road case, law enforcement was able to legally access the server’s hidden IP address overseas. It’s a technique that will soon likely be expanded to allow magistrate judges to authorize searches anywhere in the country. Currently, those judges can only sign off on searches within their own districts. In turn, that makes it easier for law enforcement to eliminate the anonymity of suspected criminals and terrorists online.

In the end, Silk Road may be the template for how law enforcement defeats strong encryption. Rather than targeting what is being said, they are looking to find out who is saying it and where.