Dread Pirate Roberts Was Caught By the FBI, But Its Evidence is All Circumstantial
Last week, the FBI announced that it had shut down Silk Road. Silk Road was the Craigslist of illegal stuff, mainly illegal drugs. (For more about Silk Road, see Laura Dimon's excellent article published last August.) The FBI also arrested the alleged administrator and owner of Silk Road, who went by the online moniker "Dread Pirate Roberts" or "DPR" for short. Given the inherent anonymity of Silk Road, positively identifying DPR was bound to be difficult. Indeed, the FBI devoted nine pages of its complaint to setting out the evidence that supposedly identifies DPR as San Francisco resident Ross William Ulbricht.
However, upon closer inspection, the evidence that Ulbricht is DPR is almost entirely circumstantial. For example, the FBI cites Ulbricht's message board inquiries about Silk Road (claiming that he was promoting the site), and that on one site he went by the username "frosty," a word which also appeared on Silk Road servers. Some of the evidence cited in the complaint is even more dubious, e.g. suggesting Ulbricht's profile at the Ludwig von Mises Institute (the most popular institutional economics site in the world) identifies him as DPR (who also frequently cited to mises.org.)
It is easy to understand why the FBI would be suspicious here. These coincidences warrant further investigation, and that is what the FBI has been doing — for almost two years. But after a lengthy investigation, the FBI is usually capable of identifying the defendant with more than just a few uncanny parallels to an online persona. This raises the question: Is the FBI's case just unusually weak, or is there other, more direct evidence, the government is not disclosing? Considering the sequence of the investigation, is it possible (as some have suggested) that Ulbricht’s arrest involved the controversial practice of “parallel construction.”
As described by Reuters, parallel construction is a process used to recreate the path of an investigation to conceal the original source of the information that led law enforcement to the criminal defendant. The DEA’s Special Operations Division (SOD) supplies this information, which includes NSA surveillance, to federal agents. Agents must "omit the SOD's involvement from investigative reports, affidavits, discussions with prosecutors and courtroom testimony." They are instructed to then use "normal investigative techniques to recreate the information provided by SOD."
Despite the government’s apparent concession that Tor remains anonymous, federal authorities were recently able to exploit a bug in the Tor browser allowing them to identify child porn sharing websites using Tor servers operated by Freedom Hosting. A recent Guardian article also suggested NSA might have several ways to unmask the identity of Tor users. Insofar as federal investigators visited Ulbricht about the fake IDs weeks before the Tor exploit was revealed, it is certainly possible they used this same exploit to unmask Ulbricht as DPR. According to one investigator at Baneki Privacy Labs, that is exactly what happened, and the "underlying firepower was all NSA."
Thus, instead of the old-fashioned police work trumpeted by some media outlets, the discovery of Ulbricht may have unfolded much differently. The NSA (or FBI) may have first used one of its Tor exploits to discover the location of the Silk Road server. While the foreign legal process of gaining access to the server was underway, agents might have identified the DPR's IP address and traced it to Ulbricht's apartment. This could have led investigators to intercept Ulbricht’s order of fake IDs as they crossed the Canadian border. To conceal that they acted on a tip from NSA, Canadian authorities claimed to discover the package as part of a routine border inspection. This gave Federal authorities reason to approach Ulbricht directly on July 26, at which point they probably ruled out his roommates as suspects, and confirmed Ulbricht was their guy.
At this point, the FBI knew Ulbricht was DPR, but it could not rely on NSA intercepts as a source of probable cause for the arrest warrant and criminal complaint. This is when the parallel construction team goes to work. With a copy of Silk Road’s server now in hand, agents begin reviewing the file for independent evidence linking Ulbricht to DPR. At the same time, other agents are pouring over Ulbricht’s internet footprint for similar connections. Remember, the investigators already know DPR is Ulbricht — they are just trying to scrape together enough circumstantial evidence to establish probable cause. The result is a criminal complaint that contains just enough circumstantial evidence to make an arrest. The government knows it will find more than enough evidence on the laptop, so it times the arrest right after Ulbricht logs on to his computer at a public library.
This is, of course, only an educated guess as to how the investigation might have unfolded. But given the unusually week evidence of his identity, and especially in light of other Silk Road arrests this week, the parallel construction theory seems more likely than the story depicted in the FBI's complaint.