Anonymity is dead and other lessons from the Silk Road trial
It's a story that belongs in a major motion picture. Hidden identities, narcotics, money laundering, computer hacking, blackmail and even attempted murder are all parts of this dramatic tale. But the story behind Silk Road, the online black market for drugs and other illegal goods, is not fiction. It was a very real phenomenon, and its creator, Ross Ulbricht, is a very real person (despite his "Dread Pirate Roberts" nom de plume). Tucked away as part of the Dark Web, Silk Road used the Tor network for anonymity and dealt in bitcoin so that transactions stayed anonymous. But as the recent Silk Road trial and Ulbricht's eventual guilty verdict showed, even when you try really hard to mask your activities on the internet, it doesn't necessarily work.
Little is known about how exactly the feds pulled it off, but their story is that they were able to uncover the Silk Road servers via a software flaw on the site's login page that revealed an IP address. That IP address then led them to a location in Iceland where the Silk Road server was hosted. There are several members of the security community who don't necessarily buy the explanation -- some experts say the FBI probably hacked the login page repeatedly to force the IP address instead, which is quite illegal to do and could set a problematic legal precedent.
Regardless of how the feds did it -- whether it was through legitimate or questionable means -- it seems that they were still able to find the server despite the masking provided by Tor. Also known as The Onion Router, Tor is a US Navy-designed privacy network that has long been under scrutiny by governments the world over for its promise of anonymity. While it's still notoriously difficult to break through, Silk Road and other cases show that Tor is not entirely bulletproof, especially against the occasional router exploit or FBI-seeded malware.
As for how the FBI tracked down Ulbricht, the so-called kingpin and mastermind of the Silk Road? They did so by simply uncovering his Gmail address. The feds had found what they suspected to be one of the first mentions of "Silk Road" on the internet and tracked it to a user by the name of "Altoid." From there, they discovered that the same person had posted to a forum asking for IT experts on bitcoin to email him at "rossulbricht at gmail dot com." That address was tied to accounts on Google+, YouTube and LinkedIn, all of which point to libertarian leanings that the Dread Pirate Roberts has also been known to champion. Then it was simply a matter of obtaining his records from Google and tracking him down. Ulbricht did use a VPN to hide his location, but the FBI subpoenaed the provider of the VPN too. It all led them to an internet cafe in San Francisco and, eventually, to Ulbricht himself, who was arrested in a library in the city's Glen Park neighborhood.
The other sticking point here is the use of bitcoin. The cryptocurrency has long been the darling of the underground web because it's seen as difficult to track due to its anonymous and digital nature. But in the Silk Road case against Ulbricht, the feds managed to follow more than 700,000 bitcoins from the Silk Road marketplace directly to Ulbricht's personal account. According to the FBI, they were able to do so because they seized his laptop before he was able to encrypt it, thus giving the feds access to his bitcoin address. Once they compared it to the blockchain -- a master database of all bitcoin transactions -- they discovered that Ulbricht's digital millions came from the aforementioned Silk Road servers. Oops.
If the Silk Road case taught us anything, it's that it's nigh impossible to be truly anonymous on the internet. If even those on the Dark Web aren't safe from the prying eyes of the powers that be, what hope does that give to civilians like you and me? After all, the Edward Snowden leaks already showed the extent to which government surveillance has taken place. Of course, this isn't to say the government is watching everything you do or that internet privacy is dead. But the next time you feel like sending incriminating information over email (or starting an international drug bazaar), think twice.
[Image credit: Getty Images (Lead photo); Associated Press (Courtroom sketch)]