Researcher: FBI was likely enabled to run half of all child porn sites on the servers.

As Ars has reported, federal investigators temporarily seized a Tor-hidden site known as Playpen in 2015 and operated it for 13 days before shutting it down. The agency then used a “network investigative technique” (NIT) as a way to ensnare site users.
However, according to a newly-unsealed documents recently obtained by the American Civil Liberties Union, the FBI not only temporarily took over one Tor-hidden child pornography website in order to investigate it, the organization was in fact authorized to run a total of 23 other such websites.

According to an FBI affidavit among the unsealed documents:

In the normal course of the operation of a web site, a user sends "request data" to the web site in order to access that site. While Websites 1-23 operate at a government facility, such request data associated with a user's actions on Websites 1-23 will be collected. That data collection is not a function of the NIT. Such request data can be paired with data collected by the NIT, however, in order to attempt to identify a particular user and to determine that particular user's actions on Websites 1-23.
“That paragraph alone doesn't quite say the FBI is operating them,” Fred Jennings, a cybercrime lawyer, told Ars. “But definitely no other way to read that than websites 1-23 were hosted at a government facility, with the FBI's knowledge and to the FBI's informational benefit. It's clever phrasing on their part.”

Security researcher Sarah Jamie Lewis told Ars that “it’s a pretty reasonable assumption” that at one point the FBI was running roughly half of the known child porn sites hosted on Tor-hidden servers. Lewis runs OnionScan, an ongoing bot-driven analysis of the Tor-hidden darknet. Her research began in April 2016, and it shows that as of August 2016, there were 29 unique child porn related sites on Tor-hidden servers.

“Doing the math, it’s not zero sites, it’s probably not all the sites, but we know that they’re getting authorization for some of them," she said. "I think it’s a reasonable assumption—I don’t think the FBI would be doing their job if they weren’t.”

That NIT, which many security experts have dubbed as malware, used a Tor exploit of some kind to force the browser to return the user’s actual IP address, operating system, MAC address, and other data. As part of the operation that took down Playpen, the FBI was then able to identify and arrest the nearly 200 child porn suspects. (However, nearly 1,000 IP addresses were revealed as a result of the NIT’s deployment, which could suggest that even more charges may be filed.)

Rule 41's arrival

In the Playpen case, the NIT’s deployment was signed off by one magistrate judge in Virginia, and it was used to target child porn users both in the United States and abroad. "Websites 1-23" were signed off by a different judge in Maryland.
Under one part of the current rules of federal jurisprudence, known as Rule 41, only more senior federal judges, known as district judges, have the authority to issue out-of-district warrants. However, a change in this rule set to take effect on December 1, 2016 will expand this power to magistrate judges later this year, absent Congressional action.

Of the over 100 Playpen-related child pornography cases that have been prosecuted, federal judges in Iowa, Massachusetts, and Oklahoma have ruled that such a search violated current laws of federal procedure and was in fact so egregious, that the evidence collected as a result should be tossed. Other judges have rebuked prosecutors for unlawful searches, but they have not gone so far as to suppress evidence.

Ars asked FBI spokesman Christopher Allen if at one point the FBI was running half of all child porn sites on the Tor-hidden Web, and if so, was this still true.
“I would refer you to public documents on the Playpen investigation, in which we seized and operated a darkweb child pornography site for a period of less than two weeks,” he e-mailed. “That was an extraordinary investigation, and to my knowledge may be the only time that has occurred. So to suggest this is a common thing is patently not true.”

Lewis is herself a former computer scientist at the Government Communications Headquarters (GCHQ, the British-equivalent of the NSA). She could imagine reasons for the agency to keep the child porn sites online.

“I have no direct evidence to the contrary, but based on what I know about past investigations, not just CP but drugs market investigations, and the trends we have seen in security, hacking investigations—and the direction of other nations authorities—I expect that we will see more busts where taking over the site plays a role,” she added.