Posted By: Jordan Brunner
On Friday, December 11, 2015, FBI agents arrested Mohamed Yousef Elshinawy at his home in Edgewood, Maryland. Elshinawy was charged the following Monday with attempting to provide material support to ISIL and lying to the FBI. Specifically, Elshinawy communicated with representatives of ISIL, who wired him approximately $9,000 over the course of a few months in 2015 for “operational purposes” in the United States.
Elshinawy pleaded guilty to the charges in August of last year. The search warrants in the case were recently unsealed, prompting a summary of the case by Seamus Hughes for Lawfare here. The case has been described as novel because it is the “only [publicly] known case in which the Islamic State sent thousands of dollars to an individual in the United States to fund an attack.” But one aspect of Elshinawy’s behavior is concerning not for its novelty, but for its ordinariness. As part of a planned operation within the United States, Elshinawy purchased a virtual private network (VPN) to facilitate the transfer of money over PayPal and use other services.
It is not clear from the search warrants whether the FBI requested that the corporation providing the VPN service unmask Elshinawy’s identity. The warrants merely state that the investigation uncovered “the use of a VPN . . . service” by Elshinawy and that it was used for money transfers. But the factual scenario presented by Elshinawy’s case lends itself to an interesting hypothetical. What if a VPN provider wouldn’t (or couldn’t) unmask a user’s identity on the request of law enforcement, either through a subpoena or a court-issued warrant? What if, in an effort to mimic Apple’s behavior when it was ordered to unlock the San Bernardino attacker’s encrypted iPhone, the VPN insisted that it would be contrary to its business model to try to unmask the identity of one of its users?
In examining these questions, below I describe what a VPN is, how it relates to other web browsing services on the Internet, and the problems it presents when used by malicious actors. I then examine the legal and policy implications of the issue of whether law enforcement should be able to unmask someone’s identity as part of a criminal or national security investigation when they use a VPN.
What is a VPN?
There is no uniform definition for a VPN. As with the Internet of Things (IoT), Wired indicates that when it comes to the VPN, “its myriad definitions give every [stakeholder] a chance to claim that its existing product is actually a VPN.” Also like the IoT, the myriad definitions have made the term almost meaningless. However, in the interests of establishing a baseline, a quite straightforward definition developed by Paul Ferguson of Cisco and Geoff Huston of APNIC reads: “A VPN is a private network constructed within a public network infrastructure, such as the global Internet.”
More specifically, the FBI search warrant quotes from a VPN provider, who states that a VPN is “like having a PO box on the internet – an address that no one can trace back to you,” which means that people “can’t trace your activity back to your real address and find out who or where you are.” As one ASU law professor puts it, “VPNs of any sort create an encrypted ‘tunnel’ between the computer of the user of the VPN and the VPN server. . . . Once an [I]nternet call is made[,] the call goes to the VPN server and then enters the public internet from the VPN server making it appear to come from that source, which, of course, is the function that anonymizes the communication.” In short, a VPN is a private network that allows an individual to remain anonymous as they browse the public network of the Internet.
But beyond definition, there is also the history of VPNs to consider. VPNs can arguably trace their origins back to the creation of secure telephone lines. However, their modern incarnation largely emerged in 1996, when Microsoft’s Gurdeep Singh-Pall (now a corporate vice president but at the time a software engineer) developed what Microsoft called peer-to-peer tunneling protocol, or PPTP. The idea behind PPTP, in Singh-Pall’s words, was to allow people to “work effectively and securely from home” by setting up a secure connection to a remote server.
Since then, VPNs have taken off. According to data gathered by a market research firm named GlobalWebIndex, approximately 1 of 4 people across the globe now use a VPN to surf the Web anonymously, and most often use it to access entertainment services (read: Netflix and Amazon), or to protect their traffic when using unprotected public Wi-Fi networks at places like McDonalds, Starbucks, Barnes & Noble, or Arizona State University. Much of VPN use centers on east Asian and Middle Eastern countries like Vietnam and Saudi Arabia, while the least amount of use centers on European countries like France and the Netherlands. It is likely no accident that those countries with the least privacy protections and extreme censorship see more VPN use, while those countries with extremely robust privacy protections and only some censorship see less.
VPN v. TOR
But VPNs are not the only means of anonymization. Another, better-known means of keeping identities secret on the Internet is The Onion Router, or TOR. As Kyle Swan of Georgetown Law School explains, TOR was developed by the Naval Research Laboratory in the mid-1990s to “protect online communications in the U.S. intelligence community.” In 2004, TOR was released to the public as open-source software to “provide an efficient and secure method for users to protect their identity online.” TOR works much like its name suggests―like an onion. It is a network of decentralized servers hosted by volunteers across the globe. When a user logs into TOR, their data is encrypted, and then their traffic is bounced around from node to node, creating layer after layer of nodes until the location of the user is completely anonymized.
But while VPNs have a lot in common with TOR, there are distinct differences. For instance, while using a VPN, the user’s IP address and web server “hops” (bounces from a node) only once; by contrast, TOR uses three “hops.” On the other hand, VPNs are more popular than TOR because they are “free and are often faster than browsing via the Tor network, as well as being easier to use.” Also, VPNs allow a user to, say, “access Netflix, a US-based company, while living in Italy and using an Italian ISP. VPNs allow customers to choose IPs in multiple nations throughout the world enabling access to online resources anonymously.”
The Problematic Aspects of VPN Use
It is easy to understand why people use VPNs―they provide anonymity, and thus protect the privacy of their users. Such desire for anonymity is as old as our Republic. During the debates over the recently-drafted Constitution, the authors of the Federalist Papers (Alexander Hamilton, James Madison, and John Jay) wrote under a pseudonym (“Publius”). So did their opponents, the so-called Anti-Federalists. The First Amendment has always been thought to encompass anonymous speech.
However, VPNs, by anonymizing all activity of their users, do so for both good and bad actors, as mentioned above. The cloaking capabilities of TOR (and by extension VPNs) have “attracted a large following of users, criminal and legitimate, who could benefit from the cloak of anonymity. Journalists, whistleblowers, and political activists can use TOR to circumvent national firewalls and hide their identities, often from authoritarian regimes.” The same goes for “[c]riminals, such as hackers, child pornographers, and black marketers” who use the service. That secret PO box means that dissidents in Syria can protest government oppression and avoid being locked up. But it also means that someone committing copyright infringement and facilitating human trafficking on the “Darkweb” does so with the same protection from the pain of jail as the dissident.
This has led to some countries tightening restrictions on the use of VPNs, with arguably nefarious goals in mind. Just this past month, China, through its new cybersecurity law, has curtailed use of VPNs by businesses to only those by the government, which business groups view as an effort by Chinese authorities to “tighten their chokehold over Chinese cyberspace.” These efforts echo those of Russia, which has cracked down on uses of AS through numerous efforts.
This brings us full circle to the conduct of Elshinawy, the terrorist who attempted to use a VPN to transfer money from ISIS that would be used to finance an attack on the American homeland. Elshinawy’s attempt to anonymize himself to cover his tracks in using money from abroad demonstrates yet another front in the effort to keep law enforcement from tracking down sources of terrorist income. Since efforts began to track terrorist financing, extremist groups have attempted to stay one step ahead of their trackers; their ingenuity has, at times, allowed them to be relatively successful.
The latest and most publicized front has been the use of cryptocurrencies such as Bitcoin, though a recent EU report concludes that terrorists have been slow to adopt these digital currencies because they lack the technical expertise to do so. But it takes little expertise to use a VPN, and it is perhaps a better method to hide transfers of money. In certain ways, VPN use parallels the use of encryption for cell phones. Both VPNs and encryption prevent law enforcement from accessing relevant data about you, either because a VPN provider might refuse to unmask the identity of a user, or because they don’t keep logs on use and therefore can’t unmask the user’s identity (just as Apple couldn’t unlock the San Bernardino attacker’s phone because it did not have the encryption key). This isn’t to say that VPNs or Apple are bad actors, or that their intent is to thwart the efforts of law enforcement. Rather, they care about their users’ privacy in a different way than law enforcement does.
On top of this, VPNs present an even thornier issue than encryption because while there is no right to encryption of cell phones (and in fact there have been movements in the other direction), there may be a right to surf the web anonymously. Were a VPN provider to assert First Amendment rights on behalf of its customers (as AOL did here), it would be an interesting question as to whether it would prevail.
VPNs and Unmasking
There are two interrelated prisms through which to view unmasking of customer identities by VPN providers: the legal landscape, and public policy interests.
In recent years, the Supreme Court has increased protections for individuals who use the Internet. For instance, in Packingham v. North Carolina, the Court unanimously guaranteed access to social media for all “person[s] with an Internet connection.” And in granting certiorari in Carpenter v. United States, the Supreme Court may be signaling that it is ready to (at least partially) overturn the “third-party” doctrine articulated in Smith v. Maryland and United States v. Miller and grant Fourth Amendment protection to information individuals provide to third parties. One such protection on the Internet that already exists is “an author’s decision to remain anonymous.” According to the Supreme Court ruling in McIntyre v. Ohio Elections Commission, this decision is “an aspect of the freedom of speech protected by the First Amendment.”
The 1995 case goes on to say that “[a]nonymity is a shield from the tyranny of the majority. It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation―and their ideas from suppression―at the hand of an intolerant society.” As discussed above, this is an ideal that has been shared by Americans since the Founding generation began trading barbs in public. Seems clear-cut: VPNs are used to anonymize an Internet user, so therefore the right to use them (and by extension to stay anonymous) is protected by the First Amendment.
But the case of Elshinawy (and those like him) demonstrates that the situation is more nuanced than that. In the first place, if law enforcement is armed with a warrant or properly-approved statutory subpoena, then this works more in favor of someone being unmasked. Yet more importantly, though a warrant can be declared invalid as being violative of someone’s rights under the Bill of Rights, it is not clear that the First Amendment applies in Elshinawy’s situation. The protection provided by the First Amendment is clear-cut in the case of someone lashing out against a presidential administration on Twitter―they are speaking and doing so under an “assumed” Twitter handle. But that’s not what Elshinawy was doing with his VPN; he was surfing the web and using it for money transfers. And even though using money can be protected by the First Amendment, that’s only the case in narrow circumstances.
Since Elshinawy was not using his VPN to act in the role of an author under McIntyre, then perhaps his identity would not be protected under the First Amendment. This then is more analogous to cases like RIAA v. Verizon, where there was no speech involved and therefore seeking to unmask a copyright infringer was permitted. While one could make the broader argument that any use of a VPN is the exercising of Elshinawy’s First Amendment rights (such as freedom of association)―an argument of a kind that has been made―it might not fly given the current legal environment. But to make the hypothetical even more complicated, it would be nearly impossible for law enforcement to know whether Elshinawy was using the VPN to speak, or for some other purpose, before requesting that he be unmasked.
While it may be legal for law enforcement to unmask someone’s identity under current First Amendment jurisprudence, there is also the normative question of whether it should be legal. It seems that the competition between the desire “to be let alone” (in the words of Justice Brandeis) and the need for law enforcement to interdict criminal and malicious activity will always be in tension. Which one should win out? Given both competing interests are so integral to the functioning of our democratic society, it is hard to say. But the question remains all the same.
As mentioned above, Elshinawy’s use of a VPN was very common. And as Hughes points out for Lawfare, the unique circumstances of his case may become more common over time: “With foreign fighters returning to their home countries, the Islamic State virtual entrepreneur who has until now mobilized with moral suasion may shift to providing financial support to the soldier lying dormant in the west. The model that failed in Elshinawy’s case may now thrive.” As we’ve seen, that has implications not only for how government intelligence and law enforcement agencies will handle the present threat of terrorism, but also for how ordinary Americans access the Internet every day.