The FBI took -- and mysteriously returned -- their server. Here's their story
Ever wonder what it's like to have FBI agents knock on your door? Or to have them walk into your business unannounced and walk away with your computer? Jamie McClelland and Alfredo Lopez can tell you.
Their recent run-in with the men in black -- the result of a spate of email bomb threats to the University of Pittsburgh -- offers a rare glimpse into the collision between free speech rights and the benefits of anonymity on one side with the needs of law enforcement to act quickly in the face of real threats on the other.
Their tale ends with an odd twist: FBI agents, caught on video, returning the server only four days after it was seized from a co-location facility in New York City. At the moment, no one knows why the FBI would take that unusual step. FBI Special Agent Bill Crowley said the agency wouldn't comment on either the seizure or the return of the server.
Federal investigators and local officials in Pittsburgh were scrambling last month as bomb threats targeting the University of Pittsburgh piled up. Within days, 46 such threats were logged, causing massive disruption as students and teachers were continually evacuated from building after building. Parents and school officials pressured law enforcement to solve the case. For some reason, the FBI thought a server in a small facility in New York City might contain a crucial clue.
McClelland and Lopez run a progressive Internet organization called MayFirst/PeopleLink, which helps democracy-seeking groups around the world use the Web to organize. Together with sister organization RiseUp, MayFirst/PeopleLink offers email services, mailing list support and other Web tools. But their services make a promise that's critical to people fighting oppressive regimes: All data is encrypted, guaranteeing total anonymity to those who need it.
McClelland was on a conference call in MayFirst/PeopleLink's Brooklyn office -- which is in the same building where Lopez and his wife live -- on April 11 when he saw two men in suits standing at the door.
"I thought they were Jehovah’s Witnesses, but I joked with people on the call that it was the FBI," he said. Moments later, it was no joke.
The agents flashed their badges and asked if they could come in; McClelland refused. They asked if they could step into the vestibule. He refused again.
"I had had some rudimentary training,” he said. “It certainly had occurred to us that we might some day get a visit from the FBI given the nature of what we do. But this wasn't what I expected. I was surprised at how easy it was to say ‘no’ to them...There was no intimidation, none of that. The agent appeared more nervous than me, and I was pretty nervous."
Standing outside, the agents then showed printouts of a few emails with full headers to him, saying they were related to the Pittsburgh bomb threats. At that point, McClelland hadn’t heard about the threats, so he said he didn't know anything about them. They asked if he knew anything about ECN.org, a server which appeared in the e-mail headers. Again, he said “no,” truthfully.
"I asked if I could have copies of the emails. The agents said “no.” But I then asked if I could get pen and paper and write down details of what we were looking at. They let me do that," McClelland said. "I then asked them if they thought our server was compromised. But they couldn’t tell me anything. So I asked for their business card and told them we would research it."
The agents left, but McClelland’s day had only just begun. What was ECN.org? Why did the agents show up unannounced? And most important, what would happen next? He was sure that wasn't the end of it.
"When you are visited by the FBI, even when it goes relatively easy like it did, your entire life gets put on hold as you deal with all the implications," he said. McClelland called Lopez and other leadership team members, and then called the Electronic Frontier Foundation for legal help.
“There were three hours of calls to run through things and make sure we had everything covered," he said.
Initially, Lopez and McClelland assumed that one of their members had been hacked, and the account used for illegal purposes. Simply patching whatever security hole existed could end the problem. But a visit to ECN.org indicated there was a much more complex issue.
ECN stands for the European Counter Network, an independent Internet service provider in Europe. It shares much the same mission as MayFirst/PeopleLink. On ECN.org, the provider offers anonymous email services through a service called "Mixmaster." Using Mixmaster, email users can achieve nearly undefeatable anonymity -- multiple servers pass messages from one to the other, each time stripping out header information and replacing it with false data, making it nearly impossible for investigators to "trace" the message to the original sender.
ECN had subcontracted space on RiseUp's New York City server; RiseUp had in turn subcontracted that space from MayFirst/PeopleLink. It now appeared that the FBI believed someone connected to the Pittsburgh bomb threats had used ECN's anonymous email capabilities, which led to FBI agents knocking on the door at Alfredo Lopez's home office.
"If you had asked me before this happened if one of our members ran an anonymous remailer, I would have said, 'probably,' " said McClelland. "That's exactly the kind of thing we want to support and we want to protect."
When correctly configured, anonymous remailers leave no trace at all. There are no log files to check, no other server "fingerprints." After making sure the server was running properly, McClelland called the FBI agent on the business card and told him all he knew about ECN, which essentially was nothing.
"We told him we suspected there was an anonymous remailer, there's nothing else we can tell you," he said. "We decided that was our best strategy ... to minimize disruption to our members. We didn't want to risk going to the next level of escalation."
The strategy failed. The next day, MayFirst/PeopleLink received a subpoena demanding that the organization answer a series of questions about its server. With help from the EFF lawyer, they sent the responses on Monday, April 16.
"At that point, we thought everything was OK, that we were done, and ready to move on," he said.
Then on Wednesday, April 18, at around 6 p.m., things took a turn for the worse.
"I got a call from a tech who said, 'Jamie, the server isn't responding.' So he went to look for it in the rack and found that it was gone," McClelland said.
Later, Lopez and McClelland would learn that the FBI had produced a search warrant when it showed up at the XO Communications Manhattan server farm, where the MayFirst/PeopleLink server was housed, which gave agents the right to take the box. But at the time, they could only guess what happened.
"We filled out a help ticket that said, 'Our server is missing.' We've never done that before," McClelland said. "I can't emphasize enough that we received no communication from the FBI. From a human point of view, that is atrocious. But from a legal point of view, they don't have to do any more."
The impact was immediate, and devastating, for both MayFirst/PeopleLink and RiseUp. Hundreds of mailing lists, websites and email accounts were immediately knocked offline.
“The FBI is using a sledgehammer approach, shutting down service to hundreds of users due to the actions of one anonymous person,” Devin Theriot-Orr, a spokesperson for RiseUp, said in a statement at the time. “This is particularly misguided because there is unlikely to be any information on the server regarding the source of the threatening emails.”
While Lopez was scrambling to find a way to get the organizations back online, an assistant installed a camera with motion detection capabilities at the server facility.
"We thought it was a little like shutting the barn door after the horse ran out, but we did it anyway," McClelland said.
Generally, when FBI agents seize computers as part of an investigation, they're not returned for months, or even years. But within a week, a worker in the server room noticed that the motion detector camera had been activated on April 23. When he looked at the video, the tale took an even more unusual turn.
The video shows two men in suits -- apparently FBI agents -- placing the server back in its rack. But the box isn't merely dropped off. The two appear to be plugging it in, and then watching the machine for a few minutes, perhaps looking to see if it is operating correctly.
Why would they do that? The FBI refused to answer a question about that.
But Lopez has a theory. There's only one way to defeat most anonymous email services: to compromise the computer that processes the emails with special software -- a virus -- that could defeat the anonymizing software.
"There was not even a scintilla of expectation that this server would return to our rack. It's the most amazing thing," Lopez said. "It's possible they put device on it or a virus or Trojan of some kind."
MayFirst/PeopleLink later posted the FBI agent video online. The agency hasn't commented on it.
The server has not been returned to service; the organization is currently auditing the machine to see if it has been tampered with.
"I can tell you that's the burning question in my mind. We are planning on doing a full diagnostic on server to see if we detect anything on server," McClelland said.
But even if it hasn't been tampered with, Lopez said he's outraged that U.S. federal agents would compromise Internet access for global groups fighting for democratic rights while hunting for evidence that doesn’t exist.
"Look at the atrocity of them going in and taking a computer ... and disrupting all this information, and potentially getting all this information from hundreds of people not even accused of a crime," Lopez said. "This is serious … for people all over the world who depend on this stuff for their day to day work. To have it taken away by some other government, it's really unfair to them in every conceivable way."
The MixMaster service was uninterrupted by the server seizure; anonymous messages were simply routed through other servers.
MayFirst/PeopleLink and RiseUp both told their members that no identities were compromised during the FBI seizure -- all data on the server is encrypted and there's no reason to believe the encryption was compromised. Still, U.S. government action against anonymous Web services could have a dangerous chilling effect, fretted Lopez.
"In some parts of the world, privacy and anonymity are a matter of life or death," he said. "These services are used for important work, and in many countries, they are the only way to communicate without putting yourself in serious danger."
The Electronic Frontier Foundation issued a statement last week accusing the FBI of "overreaching."
"The fact that the FBI's investigation led them to an anonymous remailer should have been the end of the story. It should have been obvious that digging deeper wouldn't lead to helpful information because anonymous remailers don't always leave paper trails," wrote Hanni Fakhoury. "So enough is enough. The government's ability to search a person and their property -- and in this case, shut down speech -- is an extraordinary power that can easily be abused. Law enforcement needs to do its research before resorting to an extremely intrusive search warrant that intrudes on innocent people's privacy, causes significant disruption to harmless activity, and silences speech. And as we've argued before, search warrants for electronic devices shouldn't be limitless."
Lopez, who has two children in their 30s, said he understands why parents in Pittsburgh were concerned for their children's safety during the repeated bomb scares. But he warned that repression often begins with "people who mean well."
"These people making the threats, these are jerks, nobody wants to protect them," he said. "But what do you give up when you give up freedom in exchange for the illusory feeling of security? You can't trample people's rights because when you do, the terrorists have won."
The Pittsburgh bomb threats stopped on April 21. No bombs were found. There have been arrests in connection with the incidents, but authorities are still investigating.