217 comments

[ 4.5 ms ] story [ 231 ms ] thread
Doesn't this show that yes you can do police work in the post crypto age?
This is not that trivial to answer. In this case, the FBI went against the law by operating these servers - a typical case of "the ends justify the means". Should we allow police work not to play by the rules? That usually doesn't end well.
I am not sure about the letter of the law, but I think the spirit is clear that the intent matters.

And they didn't operate the servers because they wanted to give platform to child porn users, but because they wanted to catch the users.

I understand this, but if you let them do it in this case, nothing will stop them from doing the same in other cases. The law applies to anyone: if this content is banned, you aren't allowed to use it as bait either.
That's called entrapment and is generally illegal, no?
No, entrapment is when law enforcement induces you to commit an offense you wouldn't otherwise do.

If you use a cp site of your own free will without encouragement from law enforcement, then it's not entrapment just because the site was operated by law enforcement.

But if the law enforcement weren't running it then there's at least a chance you would have been thwarted and there would be no actus rea, tempting people to commit crimes that without your positive action could have been impossible seems morally wrong to me.

Like leaving open bottles of spirits in alcoholic's rooms if there were prohibition.

Entrapment is when the police make you do something you wouldn't normally do. For example, if they showed you a popup you didn't want to see and then arrested you for it, that would be entrapment.
I think for it to be entrapment, you would have to convince the users to use the site against their normal judgement - rather than them using it of their own free will.
Sure, but as we saw in the Silk Road investigation, this is something that can be co-opted by a less than scrupulous agent.

When you exempt certain agencies from the law, they will inevitably abuse that power. In these conditions it was acceptable. However, setting up a CP server as a honeypot crosses the line and blurs the line between stopping and supporting it.

They arrested the stupid users. Pedophiles are not known for being among the brightest. Those people downloaded the Tor browser and blindly started browsing on it.

It wouldn't have been so easy to get information on 200 real cyber criminals.

That sounds a bit like strawman.

Do you have a citation that a pedo has less IQ than the average member of society?

I think by using Tor that puts them in the top 1% of internet user knowledge, which is against your statement.

Are you getting straw man and ad hominum mixed up? Not that either of those fallacies were used here...
Just because they are using Tor (either by searching how to hide their tracks, or just because the community for this kind of content in general will gravitate to something like Tor), doesn't really mean they would be in the top 1% - they followed instructions that someone in the top 1% created.

Whether that means they have a lower IQ than the average member of society though, that is a whole other thing.

> I think by using Tor that puts them in the top 1% of internet user knowledge, which is against your statement.

There used to be an image on 4chan that was posted quite often. On the image you would see a link to download the Tor browser and then onion urls to the main child porn websites.

Those people are not crypto experts. They are idiots that followed an "how to child porn" infographic.

What if you wrote a spider that hit 4chan and then went off to one of those CP sites? Could the script be prosecuted? The writer or runner of the script didn't explicitly say to go there and the probably primitive script has no way of telling what is on the other end.
There is some research that suggests pedophilia is linked to lower IQ, such as http://sax.sagepub.com/content/19/3/285. But as with most research on people with this condition, subjects are picked from the prison population and/or from psychiatric patients.
The FBI certainly didn't catch the creators and distributors of the original content because those people operate as professional criminals. The sting may affect their revenue stream by scaring off consumers who were under the illusion that they could make themselves safely anonymous.
The FBI used a Tor Browser Exploit instead of disclosing it responsibly. If this is police work in the post crypto are, then we are all going to be a lot less secure.
When I have debates about encryption and surveillance, CP & terrorism are arguments that are difficult to address. I think this solves a part of the problem.
When you gaze long into the abyss, the abyss gazes also into you.
> FBI opreated 23 Tor-hidden child porn sites Uh, what? I don't think the end justifies the means here
You might want to read beyond the clickbait headline.
"“I would refer you to public documents on the Playpen investigation, in which we seized and operated a darkweb child pornography site for a period of less than two weeks,”

That reads to me like yes, they were running the fully operational CP sites and allowing it to continue to serve up CP.

The ends do not justify the means.

ANd nobody has raised the question of how this can actually be done legally - under current law is there a way to make the serving up of CP content a sufficiently grey area that it's permissible to do with only judicial approval?

If not, seems to me the individuals managing the site for the window of federal operations have the potential to be in a whole mess of trouble.

If so, that seems a thing that should be fixed.

Out of context this sounds much worse than it is - the FBI forcefully took control of a hosting network that included 23 child-porn service sites. They then used it as a platform to serve malware to the visitors of the sites. Within a month, they shut down the websites.
If the FBI seized a store that sold illegal drugs, and kept operating the stores and selling illegal drugs for a month afterwards, would that be considered OK? I'm not getting hugely up in arms about this, but it doesn't seem right.
What if it were controlling a kingpin for a month in order to identify multiple lower levels of distributors and dealers? I believe that consumers of child pornography are considered likely participants in the further trade of material and creators of more content than the typical drug user is.
It seems to me that allowing a criminal to continue committing crimes is different from taking ownership of a server and continuing to operate it. The criminal has agency, while the server does not. But it's not entirely clear cut, for sure.
Correct me if I am wrong but isn't that basically what they did with Sabu?
I mean, they do this - it's not uncommon to bust a drug dealer, and then allow them to continue operating as an informant so they can monitor their activities.
Yeah, this shit happens all the time. How do you people think law enforcement operates against criminal networks? Infiltrate, quietly gather evidence, then prosecute. The "gather evidence" portion often involves allowing people to do incriminating things, especially since, you know, being about to do an illegal thing isn't illegal (usually).
The question is whether this is how we want law enforcement to operate in our society.

And in the process of answering that question we should probably ask, "is it working?"

Mmmm yep. I want our law enforcement to have the ability to find and prosecute people at levels of criminality higher than selling loose cigarettes on the street.

Like seriously? Do you really think the absolute lowest hanging fruit is valuable, fair, or effective for justice to focus on?

No, I don't think that. Maybe I was ambiguous. My question was whether we want law enforcement to become purveyors of illegal material in order to prosecute people seeking that material. That seems a little circular to me.

And since the analogy was dealing with illegal drugs I was wondering whether these tactics are in fact more effective than just prosecuting at the level of "selling loose cigarettes".

That's actually reasonably close to what happened in the ATF's Operation Fast & Furious. They identified gun shops that they believed would sell to gun runners without asking questions, watched the criminals buy guns, and then allowed the guns to be dispersed amongst criminals on both sides of the border without making any meaningful attempts to keep track of the guns.
>FBI Special Agent Jeff Tarpinian admitted in court that the agency “relocated two servers to an FBI facility here in Omaha and we continued to let those child pornography run"

http://disinfo.com/2016/01/why-did-the-fbi-operate-a-child-p...

In context, it sounds even harder to justify.

This article is about Freedom Hosting, that link is talking about Operation Pacifier. Those are two completely different operations that took places years apart, by different agents.
It seems that was a very slippery slope then.
It seems like this was related to their seizure of Freedom Hosting, and that they only hosted them for 30 days or less, reading the linked affidavit.

So they seized an onion hosting provider that had 23 cp sites, they ran those sites for a few weeks, then shut them down.

I understand the ban on child porn is justified via the interstate commerce clause:

Federal jurisdiction is implicated if the child pornography offense occurred in interstate or foreign commerce. This includes, for example, using the U.S. Mails or common carriers to transport child pornography across state or international borders. Additionally, federal jurisdiction almost always applies when the Internet is used to commit a child pornography violation. Even if the child pornography image itself did not traveled across state or international borders, federal law may be implicated if the materials, such as the computer used to download the image or the CD Rom used to store the image, originated or previously traveled in interstate or foreign commerce.

https://www.justice.gov/criminal-ceos/citizens-guide-us-fede...

Theoretically, would a general citizen be exempt from the ban if he manufactured his own CD-ROMs, and his own CPUs in-state?

It might be illegal for them to operate the sites for extended periods of time. It doesn't seem illegal for them to deploy malware as part of an investigation. I'm looking at (f) here:

https://www.law.cornell.edu/uscode/text/18/1030

So the worst that could happen is that the evidence gets thrown out. If they weren't going to otherwise be able to nab the person, the worst that could happen is they lose the case.

I would say the worst that could happen is the FBI is knowingly distributing child pornography, providing access to illegal materials and re-victimizing minors.
(comment deleted)
Good idea, but that defense has already been rejected by the Supreme Court twice. Their reason? I kid you not... "the butterfly effect". The Supreme Court considers any activity that doesn't leave the state to possibly affect interstate commerce so they can regulate everything with that clause. See Wickard v. Filburn and most recently Gonzales v. Raich. Prepare to be enraged.
Enraging indeed.

"Where necessary to make a regulation of interstate commerce effective, Congress may regulate even those intrastate activities that do not themselves substantially affect interstate commerce" [emphasis mine]

-- Justice Antonin Scalia, in the majority opinion for Gonzales v. Raich, using his vaunted legal genius to find a reason, any reason at all, to stop people from doing things that he didn't like.

One of the most influential hypocrites of the new millenium, if not the whole history of the republic.

> Theoretically, would a general citizen be exempt from the ban if he manufactured his own CD-ROMs, and his own CPUs in-state?

I would be seriously impressed if you could manufacture your own computer capable of accessing the Internet and displaying an image from a single US state. Semiconductor manufacturing, networking software, electronics manufacturing, and so on are thoroughly global industries.

But even if you could, in the end, they're using this clause from the constitution:

> To regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes.

to give them jurisdiction in cases of Internet child pornography.

The entity determining whether or not this jurisdiction is valid is not like a computer program that will look at a homebrew computer, check where all the parts came from, look at the text of the law, and say "Whoops, nothing in this case crossed state lines, we don't have jurisdiction, you're free to go."

I see this attitude on HN way too often.

Instead, remember that it's a bunch of humans who considered the problem of child pornography, chose to fight it, and only then looked for a source of jurisdiction. That source does not actually need to be valid (not that I actually dispute that the FBI should have jurisdiction when US citizens commit crimes using the Internet), but it's important to realize that it only needs to be strong enough to stand up to the political will to oppose it. And there are no prosecutors with a will or the political power to oppose the FBI for going after sexual predators.

This state of affairs probably results in some overreach. But even considering the potential problems with this approach taken to the extreme, I find it extremely hard to align myself against the FBI. What if the FBI operated honeypot sites with zero-day exploits inserted for them by Microsoft, Apple, and Google, hacking modems and demanding ISPs snoop on their users, opposing HTTPS rollout, and generally causing great harm to law-abiding users of the internet? But these actions protected kids? How much harm would it take to shift my allegiance into opposing the FBI? Scary stuff.

>Instead, remember that it's a bunch of humans who considered the problem of child pornography, chose to fight it, and only then looked for a source of jurisdiction. //

It's not my country but this is the thing that grates most with me, the "act first and try and find legal justification afterwards". Officers of the law should really be seeking to act legally in the first place.

What you propose, companies creating a system of open reporting is fine by me, but doing it covertly is not. Enact laws allowing it and tell the public it's happening. That's the democratic way.

> What you propose, companies creating a system of open reporting

Sorry if I was unclear, I wasn't actually proposing that. I am saying that I think they'd be likely to get away with it if they did.

The wheat you grow for your family affects the market which is in another state - your family no longer buys wheat, reducing demand.
This is the same as cops offering to sell drugs or sex and then busting the buyers.
(comment deleted)
Except that when the cops run drug or prostitution stings, they don't actually provide drugs or sex, do they? I thought they offered without actually having the product, then nail the buyer based on their intent to buy.

Actually providing the sting targets with illegal material seems a lot shadier.

Pandering, or "offering or promoting prostitution" is still a crime.
But it's effectively a secondary crime, like selling drugs. If no one ever used heroin, we wouldn't criminalize it (as indeed we don't criminalize selling other random chemicals).

The general pattern for drug and prostitution stings is that the police will commit those secondary crimes, but intervene before allowing the primary crime to happen. In this case, they pretty much committed the primary crime at length before acting.

> If no one ever used heroin, we wouldn't criminalize it (as indeed we don't criminalize selling other random chemicals).

In a way [0], the US does preemptively ban chemicals, regardless of whether that chemical has even been synthesized or used recreationally yet.

[0] https://en.wikipedia.org/wiki/Federal_Analogue_Act

Fair enough, but I think the logic of the point stands.

We don't criminalize baking soda, we're just trying a Minority Report sort of approach to things that are likely to be used rather than playing catch-up with known-psychoactive analogues. Certainly the metaphor bit still applies - selling and importing these things are only banned because of their abuse potential, not because the chemical is seen as intrinsically bad.

No, with drugs the more serious crimes are distribution and possession, it is not illegal to consume illicit drugs. It seems like the usual pattern for drug busts goes the opposite way as you'd expect—bust a user and use them to get the dealer.
(comment deleted)
In terms of sentencing and bust structure, yes. Pursuing dealers is more effective (and cheaper) than pursuing users.

But I stand by the point of the metaphor, which is that we criminalize distribution because of use. If you couldn't use it, it wouldn't be illegal. So even when flipping users, the intent is to run stings without letting the primary 'event' of drug use happen. That seems like the key difference between drug stings and this sting.

How are you suppose to do a pornography bust on the internet without actually providing some product?
I don't know, but "you can't bust people if you don't do X" is not a good argument for X being OK. Not all criminals must be caught, and we generally value the integrity of law enforcement over catching every single bad guy.
How are you supposed to get rid of 6,000,000 jews without killing them?

you're all idiots.

If the police took over a site they've got evidence from crimes already committed. They need to identify the perps though, they could do something with drive-by malware downloads that paired the usernames from the site with people subsequently trying to gain access. The police/authorities should be able do that whilst respecting the victims by not themselves peddling underage porn.

That seems like the police would have enough to arrest people and do a full investigation of their computer storage. Then should corroborating evidence be found they could charge the people; publishing details of convictions later.

It seems that by continuing to run the site that police enabled crimes which otherwise might not have been possible.

That's up to law enforcement to figure out. It's none of our business.

We live in a society with rules, and laws. We can't have law enforcement, or anyone breaking laws to catch a criminal. We were suspose to be following the constitution, or at least using it as a guide.

That's what makes law enforcement challenging. I would rather have law enforcement make arrests without breaking laws themselfs. I don't even like RICO statues. I think they took the easy way out.

Law enforcement is paid by taxpayers to catch criminals without taking shortcuts. It should even be a grey area. It should be black and white.

For as long as I can remember, sadly they have taken the easy way, and stomped on the constitution. Every state has differnt statues.

I never liked it. Every time I get pulled over for driving past 11:59 p.m. on a Friday; I'm reminded how inefficient, or law breaking---law enforcement is, or just lazy. Yes--just lazy.

In some states the cops are legally allowed to rape people. C.f.:

http://time.com/38444/hawaii-police-prostitutes-sex/

> hawaii police prostitutes sex

Now that's a headline I can get behind

My reading is that they are legally allowed to have sex, not rape. Whether that has led to abuses is a serious issue, but saying "legally allowed to rape" is misleading.
They're allowed to have sex with sex trafficking victims who have been kidnapped and are being held hostage. I don't see how calling that legal rape is misleading.
The article doesn't mention that, but you are right.
Perhaps a distinction without a difference, but they weren't 'legally' allowed to do this (iow it was still a crime), they were just immune from prosecution.
... and at the end of the day -- what's the difference??

edit: second thought: I don't think it matters if something is done illegally, unless there is some penalty attached to it, no?

I said the difference may be academic, the note pedantic note is that rape was and is still illegal.

You can be found guilty of crime and not punished via a number of mechanisms ... that doesn't negate the existence of the crime.

That just proves my point since most people commiting crime and getting away with it via "number of mechanisms", usually do the crime again, since there is no punishment, or so they think.

The problem is that if government is not punished, then why on earth to think they will stop committing crime?

I was under the impression, at least in the case of drugs, that they do actually provide them. Although maybe that's only in cases of deep cover infiltration, rather than the eventual sting per se.
It's a little bit like that in certain ways, but it's certainly not the same. They simply didn't turn off the servers immediately after gaining control of them.
That depends: do they typically bust the buyers after they've bought real drugs and already used them? It's all fake bags of white powder that never get used, yeah?

For me this sort of hinges on whether actual child pornography was distributed (and then, i imagine, consumed and re-distributed by pedophiles) in the name of making a bust.

I mean, I think some real drugs get sold, but usually its selling stuff from the evidence locker and busting buyers before they can use it. There's no real equivalent to "after the sale, before the harm is done" in a case like this.
There's also a difference between compromising pictures of real people and non-identifiable non-human bags of powder. Bags of cocaine don't have dignity that the law should be striving to protect.
My example of an analogy would be like taking over a drug house and putting GPS in each shipment, but still allowing the drugs to get sold and consumed.

I'm not sure whether this is OK or not.

Here's mine...

The FBI discovers a child prostitution ring and infiltrates it, but keeps running it and forces the children to have sex for a month to ensnare more customers.

If one accepts the idea of re-victimization, then I'm not sure how what the FBI did here can be considered acceptable, or any different than the analogy above.

I think the idea in this case is that there isn't re-victimization. The point of these sting operations is to lead to less victims overall.
Sorry, I should have been clearer. If you accept the idea that a child is re-victimized by the viewing of child pornography (which, as I understand it, is one of the justifications for the criminalization of viewing child pornography), then I don't see how what the FBI did can be considered acceptable.
I agree with your logic except the last clause. The FBI are presumably trying to minimise the overall perceived harm caused by the viewing of child pornography, and have judged that enabling some viewing initially will help prevent a greater amount of future viewing.
(comment deleted)
True, but 1) I question heavily whether this operation will actually prevent a greater amount of future viewing, and 2) would anybody accept that sort of means-justify-ends approach in the context of my initial analogy of continuing to operate a child prostitution ring?
1) Seems like a fair question, but 2) just seems like a completely unfair analogy. Perhaps it's own lack of imagination, but I can't see how someone viewing an image is equivalent to someone having sex with a child prostitute. Is this really the argument? To answer your question, no, I don't think anyone would accept that.
Re-victimization is the (IMO fairly reasonable) ideology that the government uses to criminalize CP. Therefore it's hypocritical for the FBI to operate by a different standard. If re-victimization is valid, the FBI is as bad as any CP distributor. If it's not valid, the FBI has no business serving up malware like this.
Makes sense. Somehow the FBI being philosophically inconsistent doesn't surprise me.
Does it lead to less victims?

From all I have heard and read on the subject of sex crimes, the research and the government policy has nothing to do with each other. Worse, some feminist movements have successfully lobbied to prevent research on criminal sexual behavior, on the principle that deeming such behavior as abnormal will result in lower jail sentence for criminals.

Instead we have this abnormal-but-not-abnormal behavior happening "randomly" by totally "healthy" individuals, and there is very little to explain why it happens or how we can reduce it.

I think there are some pretty strong signs that we don't understand deviant sexuality well, especially with regards to taboo attractions such as hebephilia and pedophilia.

More research I think would go a long way.

As noted elsewhere in the thread - FBI did not continue to serve child porn off of those sites, it swapped it to an error message that served malware targeting the TOR browser.
Source? This Reason article says differently:

"Operation Pacifier is reminiscent of reverse drug stings in which cops pose as dealers to catch retail buyers, except that in this case the FBI actually disseminated contraband. It did not merely pose as a distributor of child pornography; it was a distributor of child pornography. During the two weeks the FBI was running The Playpen, about 100,000 people visited the site, accessing at least 48,000 photos, 200 videos, and 13,000 links. In fact, the FBI seems to have made The Playpen a lot more popular by making it faster and more accessible."

http://reason.com/blog/2016/08/31/the-fbi-distributes-child-...

Operation Pacifier is a completely different case. The operation discussed in the article occurred two years earlier.
(comment deleted)
The Ars article discusses Playpen / Operation Pacifier in the first sentence. But you're saying that these 23 other sites only displayed an error message and distributed malware? Ok, but still, the FBI did in at least one instance distribute child porn, and that was mentioned in the article at hand, so I don't see why my analogy is out of place in this discussion.
> I don't see why my analogy is out of place in this discussion.

It's not out of place at all. I just wanted to add some context to make things clear, that your Reason link doesn't contradict the claim that in the Freedom Hosting case they only displayed an error message.

Thanks, clarification appreciated!
Then how could they press charges against the people visiting the site? I'm no lawyer. Is there a difference between trying to do something illegal and actually doing something illegal in the eyes of the law?
It feels like a pretty typical sting-style operation to me. Undercover ops usually require some degree of temporary cooperation with the illegal activity in order to shut it down permanently.
I'm pro depending on the context, gravity and overall plan. If a gov operates a drug house for some time in order to shut down 50% of the market for 30x that time (one month of bad for 3 years of massive improvement) then I'd accept.
This runs afoul of drug legalization morality. Drug trade may be bad for society, but to lots of people it's not a unambiguous universal evil.

Here's a better one: Fighting sex trafficking by abducting and selling children, but training them to rat on their captors first. I think that better captures the disaster that this is.

Not that it matters at this point. The new administration is going to give these folks a medal.

Isn't the whole issue the exploitation of children? As in the FBI should be going after the creators and distributors not become a distributor.
It's the "War On Drugs" model, where they chase the end-users and end-distributors, but don't stop the problem at the source. Occasionally, they hit a big target and make a big show of it, but most of what they do is police the populace.
If they would stop the problem at the source, they might be out of work... but anyways I think that it is not a good idea to become an outlaw to catch other outlaws...
This is about the Freedom Hosting hack in 2013. In 2013 Wired wrote

> On August 4, all the sites hosted by Freedom Hosting — some with no connection to child porn — began serving an error message with hidden code embedded in the page. Security researchers dissected the code and found it exploited a security hole in Firefox to identify users of the Tor Browser Bundle [https://www.wired.com/2013/09/freedom-hosting-fbi/]

However, as far as we know, unlike the more recent Playpen thing, in the Freedom hosting case the FBI did not actually serve child pornography, they just displayed an error message. I don't see anything in this article that suggests otherwise.

That's correct, the FBI hosted error messages and exploits after taking over, and supposedly did not distribute images of abuse. This point is conspicuously absent from the Ars story.

Motherboard passed on this story but it appears it was too sensationalist for Ars to resist. See thread here for more info: https://twitter.com/josephfcox/status/797070958205038592

> a Tor exploit of some kind to force the browser to return the user’s actual IP address, operating system, MAC address, and other data. As part of the operation that took down Playpen, the FBI was then able to identify and arrest the nearly 200 child porn suspects.

So, is getting someone arrested as easy as spoofing their network information and visiting those sites? I can already imagine trolls using this to have people swatted.

It would be really difficult to spoof the IP address and create valid TCP connections. Plus, your method would only work if you knew in advance that certain sites were currently being used in a sting operation. If you could figure that out, that kind of defeats the purpose of a sting operation.
it would be trivial to hack their wifi or insert a rogue device into their home network
At that point, you might as well hack into their laptop, put a bunch of CP on there, and then call the cops.

Forensic analysis of the hard drive would exonerate you though.

> Forensic analysis of the hard drive would exonerate you though.

No. Anything an analyst could feasibly look at can be spoofed with root access. The only thing that could potentially approximate the actual age of a hard drive write is thermal annealing of the storage medium, but this isn't really true anymore with SSDs (and was never practical even for HDDs).

Yeah, but it's not that simple. You'd have to install the Tor Browser Bundle, make it look like it was installed long before. You'd have to change the MAC times on the CP files to indicate a consistent pattern, and make sure the victim doesn't have an alibi for any of the times you're putting down. But you can't backdate the download time to before the image was produced, so you have to do your research on that. And of course you'd have to get your hands on a bunch of CP without getting caught yourself.

I'm not saying it's impossible, but it sounds pretty difficult to me. Maybe I'm wrong though.

At this time you'd already be under arrest tough, and probably in a tiny cell for a while. That was my point, this is what trolls look for. Then, unlike with other trolling methods, I'm pretty sure you need quite the clever lawyer to get out of this.
> Security researcher Sarah Jamie Lewis told Ars that “it’s a pretty reasonable assumption” that at one point the FBI was running roughly half of the known child porn sites hosted on Tor-hidden servers.

We're talking about a very large sting operation, just browse a few of those, I guess?

50 comments and nobody pointed out that the honeypot sites would attack visitors regardless of their citizenship.

Given that 95% of people in the world are not from US, how many visitors were police officers from other countries, conducting their own investigation?

And how many people were not visiting these sites to obtain child porn?

Quite recently, I ended up on an image board [whose name suggested to me it's got to do with topics such as freedom of speech] I hadn't heard of before, with sections whose short names meant nothing to me. So out of curiosity, I opened the first one.

Well, that board is no more.

In that case it would certainly be entrapment wouldn't it? How do they intend to prove whether this was entrapment or not?
Hmm, my concern is more that the US government actively peddled CP, rather than some non-American CP users getting owned.
Not to mention that they would attack visitors regardless of the existence of any search warrant.
This is less like a drug or prostitution sting where the mark is arrested before the contraband can be consumed, and more like a hired hitman sting where the victim is actually murdered.

From a moral point of view, Child pornography is de-ontologically wrong. Nothing can justify its existence. Even if such a sting managed to shut down the entire industry, it would be moot to attempt to argue for its moral goodness in consequentialist terms.

The FBI could have used other means to establish criminal intent in the visitors to the websites along with the fact that they had used Tor to search out and visit those websites in the first place. They could have made prospective viewers engage in a series of incriminating acts such as requiring them follow a series of links with the promise of finding the material, or making them refresh the page. There was no need to provide the actual offensive material in order to make a solid case.

> They could have made prospective viewers engage in a series of incriminating acts such as requiring them follow a series of links with the promise of finding the material, or making them refresh the page.

I find this part very interesting: is this well established, that is, is it clear before the law which acts are surely incriminating? Is clicking on a link enough to establish intent?

> Is clicking on a link enough to establish intent?

Legally no it's not, that's a very weak binding and they know it. That's why any type of sting - whether cp or other - will attempt to get the user to sign-up, view content, or otherwise willfully provide personal information (eg a credit card).

I seem to recall that it was enough to get those "catch a predator" TV show guys: the fact that they showed up at a specific location was enough to get them successfully prosecuted.
I wonder how one would establish a calculus of intent in such a situation?

It would have to be established that the accused was fully intent on the end goal and was of the belief that the steps taken would facilitate achieving that end goal. It seems intuitive that each successive deliberate step would compound, and even double the certainty of guilt. More steps, more certainty.

In this context, the first three steps would already have been taken. Firstly to acquire the Tor browser in order to hide one's identity, secondly, to learn how to search the darknet, thirdly, to have searched out and visited such sites. At this stage, the FBI apparently short circuited the process by providing the actual material, the viewing of which is a crime in itself.

Further steps could consist of following clearly labeled links, clicking on thumbnail images whose import was clear, even if they were blurred. This would show knowledge, and to a lesser degree, intent. Intent could be established by sending the perpetrator on a fool's errand of repeatedly following links and thumbnails without ever achieving their goal.

> From a moral point of view, Child pornography is de-ontologically wrong.

From your point of view. You can't make an argument by just rejecting an entire perspective in moral philosophy. Otherwise I'd be equally right in flat out rejecting deontology.

I don't reject the consequentialist perspective. I believe that de-ontological and consequentialist positions can be both validly used, and even that if they clash in their implications, one perspective can take precedence over the other.

For instance, although Kant held that lying is wrong from a de-ontological perspective, telling a lie would certainly be the right thing to do to protect someone from being murdered. Consequentialist reasoning prevails here.

The moral question here is whether the FBI did the right thing in allowing the compromised websites to continue in operation. There has been some interesting discussion on this point. I think that they shouldn't have, and furthermore, that they did not even need to do so in order to achieve a conviction.

How do you determine which position prevails? Is there a moral theory of everything?
I don't know if there is, or can be a general theory of morality, but that does not preclude the possibility that there may exist special cases that offer clear resolution, or that, even though we lack a general theory, there may be enough understood and agreed upon to live by.

For instance, it is clearly moral to lie to a psychopathic killer in order to prevent a murder.

How do you determine which system of morality prevails in this particular case? Your intuition might tell you that deontology is the dominant mode here, but my intuition tells me the opposite.
Somehow in the context of the surveillance state I find myself arguing in favor of the FBI, but here goes:

Child abuse is the least defensible crime that could exist. As such, CP rings tend to be understandably paranoid and risk-averse. If anything appears to give the impression that they are being monitored, you can say goodbye to the arrest of another monster lurking in the shadows. That's why it's necessary to sting as many people at a time when the authorities get their chance, because once the window closes, anyone who gets away can either go off the grid or distribute in another ring, perpetuating their crime and thereby increasing demand for CP.

It's pretty ugly to think about a federal agency knowingly distributing child pornography. I often wonder what kinds of psychological effects it has on the Bureau's agents. But child abuse is a horrible thing, and it is difficult to consider anything but the swift and absolute elimination (arrest and elimination from the network, not execution) of producers, distributors, and the abusers themselves.

I think the clear differential here is that compromising the server and tracking its users while it was in operation by Freedom Hosting would perhaps be "OK" but confiscating the server, moving it to HQ, and then operating the site themselves is decidedly not.

Keep in mind, you can't just pause the site and expect your targets not to notice, they had to actively maintain the site (and consider what that means) to keep their targets coming back. It's disgusting and disturbing. And if it's what we know about it, it's also just the tip of the iceberg.

At least with Fast & Furious I think it was real criminals running the guns and just a failure to intervene. I think a failure to intervene here would be seen as unacceptable as well. But here we have way more than failure to intervene, they effectively provided the guns and helped run them across the border.

That NIT, which many security experts have dubbed as malware, used a Tor exploit of some kind to force the browser to return the user’s actual IP address, operating system, MAC address, and other data.

That's quite the exploit.

I feel like people are getting mad at the FBI for not pulling the trolley car lever in the right way, which is a valid thing to be mad about, but I believe the FBI made the right choice.

First, let's not rely too heavily the analogies with drugs or prostitution. The differences between CP and drugs / prostitution are too large to ignore anyway.

CP consumers are often producers as well. That's a fact—you want CP, so you make some yourself and swap it with others to get more. This isn't universal but it's common enough that you should know about it. So the visitors to the CP web site are not all just consumers of CP but many of them are producers as well. This is relevant because you have to weigh the damage of distributing CP against the benefit of catching people who produce CP. People have stated that distribution revictimizes the children, but I would weigh that against the ability to catch people who were either producing their own or at least supporting other producers of CP.

So the FBI discovers this server, operates it for less than 30 days with a Tor exploit, and catches 200 people using the site. Yes, the FBI was complicit in the distribution of CP, but rephrased as a trolley car problem, this is basically like not pulling the lever, allowing the distribution to continue for a short time, and using that to catch 200 consumers—and how many of them are producers? You can pull the lever now and stop the distribution of CP, or you can let the trolley barrel down the tracks for a short time and save all these people somewhere else.

(People are saying that the exploit may have done damage to other police investigations from other countries—I don't see any evidence that the exploit damaged the computer, merely that it leaked information about the computer.)

(comment deleted)
I think maybe your argument about consumers also being producers made more sense in the pre internet age when distribution of the content was very hard. I would be rather surprised if they was still true today. After all I presume the FBI didn't create their own content...
Look at the affidavit: https://www.documentcloud.org/documents/3216737-Freedom-Host...

I only skimmed, but at least 1 of the Websites required users to upload their own CP, to be approved by the admins, before they could download any.

You don't think they just found it elsewhere on the internet?
Regardless, this is generating demand for child porn.
I have no special insight but admins of a CP server are likely to have access to considerable collections.

They surely would have all the easiest CP to find already.

Uploading != producing
They aren't mutually exclusive though.
But if the upload requires it to be new or at least unique to the site it usually does means production either directly or a contracted one.

If not everyone would upload the same content pretty much.

My assumption is that production is concentrated to a small inner "scene", just like the warez scene. If you have enough connections and perhaps money, you could get the material from the source, and then use that to gain access to other sites that require contributions, which is analogous to how elite private torrent trackers work.

So again, uploading does not imply production capability, at least the way I see it.

The scene is already fairly small, production is more or less adhoc these days, underaged prostitution is still very much alive these days even in western countries, not to mention places like Mexico, Thailand, Vietnam and the Philippines. The difference is that with the warez scene there is no production effectively, since they just copy things which are constantly produced by industry, here there isn't an industry to back it up other than the one within the community.

Additionally with how laws are structured in many places selling CP is a worse offense than possession, hence the trading scene is an easy way to legally cover your ass to get a reduced sentence or no sentence at all. But this also means that there is either direct production or contracting for this material from developing nations since otherwise everyone would be trading the same thing, about 9-10 years ago I've volunteered with the police and we were tracking sharing and downloading back then over P2P.

Once there was sufficient evidence they would flag the person and check their travel history, quite a few of them had traveled back then often (2-3 times a year or more) to either the Balkans/Central Europe and Asia and they were going there to effectively purchase or produce it for self consumption and trade.

Sadly there are way to many places where you can have sex with a child for money, and not for a lot of it, child prostitution in Mexico even in border towns it cheaper than normal street prostitution in the US not to mention higher end call girls.

Get a laptop or a camera and for a few 100$ you can produce quite a bit of content.

Thanks for the insight. I'm absolutely disgusted about the fact that child prostitution is easily accessible. Are you aware of ways a software developer could help in the war against CP, especially if indirectly? (I don't have the heart for the "real" stuff)
Other than developing exploits for the FBI not really, there is a reason why this is centralized now P2P (Kazaa, eDonkey etc.) was hard enough to track especially once cheap VPN's became popular (since even a non no-log VPN would usually prevent the police from doing anything as it would be detected as a foreign IP which is out of their jurisdiction, at best they could forward that to interpol which usually didn't do anything).

Financially you can always donate to international NGOs and local organizations that battle and assist the victims of CP but overall I don't think they have much actual impact other than the feel good factor, I doubt they have the reach for it, maybe Mexico, but Thailand et. al highly unlikely.

These days it seems that anti-CP operations are pretty much centralized on TOR and a few other networks, P2P and Usenet used to be the spot for that but over the past 10 years everything moved to either private internet sites that domain hop frequently or TOR and similar networks.

Encryption, VPN's and other privacy tools make the job of tracking people down en mass without any exploits nearly impossible, even 10 years ago besides the usual rehashed crap that one could find with a few search terms on P2P file sharing apps everything was already encrypted.

CP users were pretty much encrypting everything way before anyone else, on P2P/Usenet they were running PGP rings and they would exchange keys via side channels and share their content encrypted so only people that were in the ring could decrypt it (this was in effect running your own private site over P2P or a specific newsgroup).

Back then the best LEOs could do is try to get into the PGP rings and lure some of their members to meet in person or reveal their identity (no one even thought of using malware to track them down, that tradecraft wasn't there, nor would it have been admissible most likely) via other means.

Today this type of well effectively state level intelligence agency operations is pretty much the only way of combating CP at any reasonable scale, and even this scale is likely quite underwhelming when compared to the amount of content produced and traded each year. But AFIAK probably the only LEO worldwide that does this is the FBI, local police departments don't have the resources, Interpol and Europol are mostly a joke, and most countries have considerable constraints on active network exploitation by law enforcement.

Once again, thanks a bunch for the detailed reply. Do you blog or use Twitter or something? If so, I'd really like to follow you :)
"but I believe the FBI made the right choice."

To further encourage the victimization of children for their own personal gain? FUCK THAT and KILL ALL FBI AGENTS NOW.

Disclaimer: I'm a victim of child rape. 12 years old, forced to suck dick at gunpoint. Police and FBI did NOTHING.

well.

from the op they actually quite likely did do something....

They filmed it and stuck it on their website.

Expect to see much more of this now a child rapist is president of the united states (again).

It makes sense to me that, while some number of people would want to consume CP, only a very small fraction of them would be willing and able to secure a child to photograph. I imagine much less than 1% of the people who are involved with CP do more than consume it online.

Do you have a source for your information regarding the prevalence of production?

Apparently one of the websites required users to submit CP in order to access content.

You can imagine all you like, but this hasn't radically changed just because we have the internet.

Required submission just means they had some content already not that they produced it.
Was it required to be unique? Plenty of private file sharing sites enforce seeding/sharing as well.
In this case there's presumably the added 'advantage' that by uploading CP you're incriminating yourself, which probably gives the site admin more confidence that you're not a police officer or a likely informer (not that that seems to have stopped the FBI). Not unlike like, say, having to assassinate someone for the Mafia before you can be considered for full membership. Other than that, the overall dynamic seems like it could be disturbingly familiar to ordinary, (comparatively-at-least) decent file-sharing scenes all right, with leeches, seeders and so on.
Yes. If you read the foi documents they had tasks that were required to be shown in the new material. It's sick.
Did the FBI lift these requirements or close down new registrations entirely when they ran the sites? If not, it would make them culpable for more than "just" continuing to host existing content.
Your replies give the impression you are a subject matter expert which I find strange based on the topic. I also find strange you are making claims about the CP consuming audience with nothing to support it.
Some people happen to be knowledgeable about all sorts of subjects. I find your vague implication of wrongdoing insulting.
Back in the day many IRC fserves and FTP servers for warez/media operated the same way - you just uploaded what you got somewhere else.
In the west maybe, but they can always travel to South America or Asia and get it there.

Eastern Europe and Russia also used to be a hot spot for these productions but they cracked pretty hard on that.

He is correct that most CP these days is traded, large scale productions are too risky since even 3rd world countries have been stepping up Anti-CP enforcement.

If you are a middle aged men traveling to Thailand a lot for no apparent reason don't be surprised if they flag you at the airport and search you.

Maybe we should start jailing people for watching films with guns in them.

It's hard to acquire guns for abuse in the west maybe, but they can always go to the Middle East and get it there.

If every gun shot in a movie resulted in a casualty then yes we might have to reconsider our stance on guns in movies.

You do realize that every child in a CP movie is being raped right? This isn't regular porn, these aren't consenting adults who are compensated for their participation.

IIRC, a lot of these site require that you share a unique photo or video (something they don't have in their library already) as a condition of membership. This ensures that only the most serious users even get a chance to view the forums.

These communities would have a lot more producers in them than your run-of-the-mill CP imageboards, as they have to fulfill a barrier to entry that only a seasoned CP consumer or producer would be able to meet.

So, once the FBI have control of the site, they can sort out all the lurkers who are consuming but not actively participating (probably uncommon, given that these sites also require you to remain active to keep your membership) and get damning information about people who are mass-distributing/selling and/or producing child pornography.

Would you be OK if they filmed new material of one of the existing victim?

I think the entire debate relies on the re-victimization aspect. If we accept it, and they do, then it's decidely not a trolley car lever conundrum.

Interesting point... it seems to me that they ought to at least find the victims and secure their blessing to be used this way.
Would it be okay, to upload the security camera footage of the beating up of a minor in a sweat shop that produces cheap shoes or phones? Would buying those shoes, then make you a co-producer?
> and how many of them are producers?

Your argument really hinges on this point. So, what's the answer? Out of the 200, how many are proven producers?

How much of this is backed up by evidence? (Being a little facetious, I suspect very little.)

EDIT: Not to mention; the logic behind possession of CP being illegal is completely defeated by this enforcement strategy. (That's not to say I'll actually defend possession of CP, but I think it's very troubling that law enforcement and the judiciary are this out of sync.)

Facetious? Being flippant about a serious subject?
No one seems to remember rule 41 in this thread. Did it get tossed out already?

We can all look at this and assume the FBI made a good choice here, even if they broke the law in the process.

But.. what about those of us who use Tor to browse perfectly legal content in order to simply attain added privacy from the prying eyes of our local ISPs? Or to host SSH via a hidden service? Etc.

You may not know it yet, but you need tor or you will need it sooner or later. Or you will need something else like it.

Let me add to that: the FBI themselves and various Police forces will also need Tor, or something like it, as well.
I think that this is the morale hairs that have to be split. I would disagree, and that they are being in violation of the law to uphold the law. Which I think is much more dangerous for everyone. This isnt to say that CP isnt dangerous, or take away its magnitude. I am saying that there should never be a situation where those that uphold the law should be allowed to break the law.
Forget the Firefox Tor browser, use Whonix

Two Virtual Machines, the one you actually use for browsing and stuff only connects through the gateway virtual machine.

If an exploit breaks out the firefox skin, it is just in the host VM, if it somehow breaks out of the host VM it is in the gateway VM.

We could keep going down possibilities, but we are far removed from attack vectors that actually exist.

Shit, if they keep going at this rate pretty soon they're gonna need to start worrying about ant-trust laws.
I once experimented with a Tor router on a VM that isolated another VM's internet connectivity.

The idea was |Stealth VM| --> |Tor router VM| --> |Virtual Box NAT|

The Tor router VM was running redsocks[0] to route all TCP traffic through tor's socks proxy interface. The stealth VM also used tor's DNS service.

That way, even if the stealth VM is compromised, it can't access the internet directly.

[0] http://darkk.net.ru/redsocks/

Why is this being downvoted? The topic might as well be tor user exposure with malware. I'm not trying to encourage CP consumption.
IOW the FBI is directly responsible for the spread and proliferation of child pornography. They've hurt more people than they've rescued.

Time to charge the FBI with aiding and abetting. Period. Equal treatment under the law. Period.

> They've hurt more people than they've rescued

source?

I think there's a rather extreme hierarchy of wrongs here.

1. The crime that utterly dwarfs all others is involving children in the making of child porn.

2. After that, the crimes that dwarf all the rest are those that provide financial or practical support to child porn makers. Consuming child porn is generally regarded as one of those, and I'm fine with that categorization.

3. I'm sorry, but violating a victim's theoretical privacy by distributing the images a little further doesn't seem to be nearly as big a deal as helping to prevent the next live video of child porn from being made.

I'm usually regarded as being pro-privacy, but privacy is not something to be a rabid extremist about. Preventing physical sexual abuse of children, on the other hand, is a fine area for extremism.

People who question what the FBI is doing are not "rabid extremist". That combines an ad-hominem and a straw man fallacy in the same line.

You then claim that preventing child abuse is a fine area for extremism. That's an appeal to emotion and also a fallacy.

Perhaps we could debate whether extremism is justified but let's do it without all the nonsense you wrap around your argument to cloud the real question. You say that extremism is justified but all of the reasons your posit as justification are fallacies.

Screw chilling effects, I'm going to ask this anyway because being afraid of having these discussions is detrimental to making real progress as a society.

Making the assumption* that some decent fraction of those who consume such media would be sated if they could get it and not move on to actually hurting children. Then couldn't a preventative measure be to take all the existing child porn and make it available to them?

Though I guess that risks normalizing the condition and could lead to it being more commonplace (certainly it would appear so as those who successfully suppress it would hide it less) and if it's more commonplace than the fraction that does still act harmfully upon the impulse could, in absolute numbers, exceed those that do today. Figuring out how things fall would first require a good understanding of the numbers.

*I don't know if this is true or false and would be interested to know if there is existing general consensus on the evolution of seeking out fantasy fulfillment over time in general and how it's affected by free access v. restricted access to related material.

Arguably we are at a point where good (here meaning effective) CG or Art should be able to replace such a thing without any real child being abused or having their privacy invaded, which would be preferable.

Of course, in some countries, that too is illegal, for some reason.

This is very much in line with my thinking.

Making of child porn with real children is one of the most horrific crimes in the world. Fighting that by criminalizing other steps in the creation/consumption chain makes sense.

On the other hard, child porn in which no real children were involved is a free speech issue, and I'm on the side that favors permitting it.

There's also a third group of issues -- child porn is used as an excuse for general internet surveillance, which then is used to also benefit anti-terrorism, law enforcement, and anti-piracy. That's why copyright lobbyists refer to (concern about) child porn as being a godsend for their industry.

> Then couldn't a preventative measure be to take all the existing child porn and make it available to them?

What about the victims' right not to have their privacy and dignity violated by the continuing consumption of the material?

Yes, what about that. The only way the FBI is justified is if we ignore that. And if we are choosing to ignore it to justify the FBI's actions then why not do it here for the greater good? Personally I'm with you that we shouldn't ignore it in either case.
I read a post where someone actually set up a honey pot without actually hosting CP. There was an application system where the pedos thought they were going to get cp via an application process or were a big enough part of the "community." I feel like the FBI could have implemented something similar without actually hosting the images. I feel like there is no excuse for distributing cp, even if it is to catch pedos. You shouldn't become a pedo to catch pedos.
Yeah, such a better system. Even set up a bit coin address where they have to pay about $25 to get in to prove intent (along with visiting the site and then logging in).
I was responding to a comment that made the case that prevention of future physical child harm is more important than prevention of revictimization, so I'm just continuing along that line of reasoning. You'll have to ask him if you want an answer for why he felt that trade-off was valid.
There seems to be some evidence to support your assumption. I saw something somewhere that claimed that the frequency of rape has actually fallen over the last 15 years and noted that that correlated with the expanding availability of Internet porn.

That's weak evidence, but at least it doesn't contradict the hypothesis.

Someone should try giving some pedophiles access to a generous supply of computer-generated CP and seeing what happens.

Regarding your assumption: I have a family member who's a child psychologist specializing in abuse cases, and according to her the vast majority of those who consume CP have abused children. Hard numbers are hard to come by because of the illicit nature of pedophilia, but studies involving anonymous surveys (in which the individual's name is withheld and their answers can't be used against them by law enforcement) supports that.
According to her? Her!? And what would a woman have to lose, if there was a whole caste of psychologically outcasts to disappear? No social justice warriors and priests to be pressured into services with loaded husbands? Your expert is not neutral, this whole machinery that spawned her, heavily depends on all gears turning as they turn now. Which doesn't make the machinery bad, quite contrary. I support the upholding of pressure on pedophiles - it guarantees a sort of basic contract security, even if society would be near-collapses. In a era of total surveillance, their crime-rate is bound to drop to zero- but the continued exploit of thought-criminals is a necessary stabilizer. Viv la Leviathancybernetics!
That sounds extremely vulnerable to selection bias. If she specializes in child abuse cases, obviously she's going to see more child abusers. People who own CP but don't abuse children would be unlikely to interact with her.
She didn't perform the study, she just told me what the literature says.
Now that those "literature" correlates with my feelings, suddenly i can appreciate its self-evident scientific value. I wish there was a way to take back all those comments on psychology/sociology papers i posted on hacker news.
I don't buy it for a second. Instead, I think that those who use but don't physically touch an actual child are so unlikely to get caught, the numbers are horribly biased.

To give some example numbers, say that 5% of those who view the material ever directly harm a child. And say that 100% of those who harm a child view the material. Now, say that 50% of those who harm a child get busted, but only 1% of those who don't get busted for viewing the material. The end result would be that of those caught about 5 of every 7 who viewed material harmed a child directly.

Now, the numbers are made up, but there are many values that lead to a false conclusion if people only look at those caught.

Those surveys were of people convicted of possession of CP only.
Yes but how do those convictions happen? If it comes from an interweb honeytrap, then it will give somewhat unbiased data. But I suspect a lot of people caught for possession are people at the fringes of a abuse case where the cops couldn't prove this individual actually abused someone, but could get them on the lesser crime.
And how many charged with child molestation will have the police raid their homes and check their computers? How many will end up only being charged with child porn to spare the actual child the trauma of going through a case and how many times is there not enough evidence to convict for child molestation but there is plenty to convict for child porn?
Admittedly, I don't have the study on me, so I can't confirm this. But I imagine the study would screen out anyone like that, that seems like a pretty obvious thing to do.
Even if there's some truth in that -- and I agree with the others here who have pointed out the likelihood of selection bias -- it doesn't actually bear on the question of whether greater availability of CP makes the consumers more, or less, likely to abuse children. Supplying these people with computer-generated CP -- maybe even giving them some ability to generate scenarios to their liking -- might give them a way to release their urges in fantasy, reducing their desire to act them out.

I know, it sounds disgusting. But if it turns out to actually work, I think we have to set our disgust aside. If not, well, back to the drawing board.

I like to tell this to people when they start gushing about Japan because of their cleanliness or law and order or whatever, but they didn't make private possession illegal until a couple years ago. Before then it was just production or possession with commercial intent that was illegal. And the new law still doesn't apply to manga/anime. Is Japan a hell-hole? Are Japan's children all psychologically ruined or at a much higher threat of abuse because of the prevalence of anime/manga porn? (Some quick googling on opened investigations suggests a mere 0.0075% of Japan's children are affected per year.) To me Japan seems fine. (Another odd behavior is that daughters bathe with their fathers, sometimes (like 6-10%) all the way up to high school age.)
> daughters bathe with their fathers

Isn't it that the whole family bathes together? The way you put it makes it sound like it's just the two of them, which doesn't fit the impression I have, though I don't really know.

The notion that pornographic content does not produce desire for the acts depicted is on its face ludicrous and should be clearly false to anyone who has ever consumed pornography.
Not quite. Perhaps a consumer of pornography consumes only what they already like. Personally, watching, say, bondage out of curiosity didn’t make me like the stuff.
The thing is that it's not really about what's right or best, it's about what's lawful.

It is definitely good that this happened and that the people using the sites for CP were identified and caught.

It is scary for the FBI, an agency that upholds the law, to break the law, even if it is for good reason.

I have no love for those who visit child porn on Tor, but in general I am now very wary of the FBI. I can't help but feel it's a powerful organization that's slowly turning into a dark oppressive one. The power grab from the CIA for the Petraeus affair. Using the sensitive nerve of terrorism to demand Apple unlock a phone. Throwing a last-minute wrench in the Clinton campaign. This is not going to end, especially under Trump.