FBI Seizes Anonymizing Email Service Server

Privacy activists criticize the FBI's anonymous remailer server takedown that resulted from a bomb threat investigation.

Mathew J. Schwartz, Contributor

April 20, 2012


Did an FBI server seizure go too far? FBI agents investigating a University of Pittsburgh bomb threat Thursday seized a server, apparently because it was being used to host an anonymous remailer service that had been used to send bomb threats. But the takedown, which was backed by a search warrant, has drawn condemnation from activist groups, who have characterized the seizure as an "attack on anonymous speech."

Service provider May First/People Link said the FBI seized the server--used by European Counter Network (ECN), an Italian service provider--because it hosts an anonymous remailer service called MixMaster, which was allegedly used to send the bomb threats. The server was also used by ECN to host numerous newsletters and several websites, all of which were knocked offline after the takedown.

Members of May First/People Link, which bills itself as a cooperative, progressively run Internet service provider that counts many organizers and activists as members, told the FBI that they believed an outsider had hacked into the ECN service and used it to send the messages, the Pittsburgh Post-Gazette first reported.

But May First/People Link director Jamie McClelland told Forbes that the server, which it co-hosts with Riseup Networks, hadn't been hijacked or hacked. Rather, someone had simply used the remailer.


McClelland said that his company, along with Riseup and ECN, had been cooperating with the bureau on the bomb threat probe since early in the week. But on Wednesday, FBI agents seized the server used by ECN from a New York City colocation facility shared by May First/People Link and Riseup.

What might be recovered from the anonymous remailer service? According to McClelland, the service involves chains of anonymizing servers, each of which removes the header information from emails to keep the sender's identity private. In addition, the underlying software maintains no logs, meaning that--by design--there was simply no relevant data to be shared with the FBI.

Riseup, which says that it "provides online communication tools for people and groups working on liberatory social change," said that no data relating to its users, keys, or certificates was on the seized server, and that the root file system was encrypted. It strongly condemned the seizure, which it said knocked offline more than 300 email accounts, roughly 50 to 80 email lists, and several websites.

"The FBI is using a sledgehammer approach, shutting down service to hundreds of users due to the actions of one anonymous person," said Riseup spokesman Devin Theriot-Orr in a statement. "This is particularly misguided because there is unlikely to be any information on the server regarding the source of the threatening emails."

While the bomb threats have been "horribly disruptive," Theriot-Orr further emphasized to Forbes that many people have a legitimate need to communicate anonymously. "I'd much rather live in a country with anonymous speech and a small number of bomb threats than one that has no bomb threats and no anonymity," he said, characterizing the FBI's server seizure as "an attack on all forms of anonymous communications."

The FBI Wednesday also seized a personal computer, laptop, router, cellphone, and CDs from the apartment of two people in Jackson, Penn., who are under scrutiny in the investigation, reported the Pittsburgh Post-Gazette. Seamus Johnston, 22, who shares the apartment with Katherine Anne McCloskey, 56, told the newspaper that he'd been unable to see a copy of the affidavit linking them to the crime under investigation, as the court papers remain sealed.

"Until I can look at the affidavit of probable cause and see for myself what evidence they have against us, I consider what happened simply an armed break-in," he said. "I have no idea when we'll get the stuff back and no idea why they took it."

An FBI spokesman didn't immediately respond to a request for comment about the server takedown or broader investigation.

This isn't the first time that an FBI server takedown has created some collateral damage, or at least inconvenience. Last year, in an apparent scareware-related investigation, the bureau seized 62 servers from a data center in Virginia, which was apparently 59 more than they were due to seize. While the extra servers were returned within 24 hours, about 160 sites were temporarily knocked offline in that case.


About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
