A footnote in the Agent's declaration even suggests Parallel Construction:
> After Ulbricht’s arrest, evidence was discovered on his computer reflecting that IP address leaks were a recurring problem for him.
It continues on to specify specific instances of leaked IP information, which is completely irrelevant hearsay if the stated means of discovery were supported by properly documented evidence. Instead it provides circumstance in which it seems likely that the server could have been discovered through such a leak. If the server were discovered through illegal means, this information would have been useful in the construction of a technically plausible sounding alternative means.
I'm not claiming that the discovery was illegal, but weev is spot on in his demand for evidence.
I was initially going to downvote you but after analysis you're correct.
> It continues on to specify specific instances of leaked IP information, which is completely irrelevant hearsay if the stated means of discovery were supported by properly documented evidence.
Hearsay is, literally, an "out of court statement offered to prove the truth of the matter asserted [in the statement]". Hearsay must be (1) a statement (2) by a person and (3) offered to prove that something else happened. A log of IP addresses generated outside of the courtroom to prove that a defendant visited those computers/sites/addresses would normally be hearsay. However, in the US, hearsay specifically excludes records of regularly conducted activity. (See Federal Rule of Evidence 803). Internet access is a regularly conducted activity, so IP logs, like phone records and GPS addresses, have been deemed by the courts not to be hearsay.
But all of this is irrelevant. Weev's demand is asinine and shows that he (still) doesn't understand the law. In order to use the IP logs in court, the prosecution must turn over the IP logs, and all evidence collected with respect to those logs, to the defense during the discovery phase prior to trial. The defense will get their opportunity to investigate those logs. As other commenters have already pointed out, there isn't likely to be anything in the IP logs that would substantiate the NSA theory over the far more likely scenario of RU having borked his server configuration.
My understanding is that frequently the records must be regularly collected; it might not suffice that the activity is regularly conducted. I wouldn't hope to rely on this in your defense without talking to a lawyer first, but it's a good thing to keep in mind to stress the importance of (for instance) regularly keeping meeting minutes and such which might wind up needing to be exculpatory evidence at some point.
It seems to me that IP logs would be even more "regularly collected" than meeting minutes though. And somewhat ironically, would not be exculpatory evidence here, but substantiating evidence of the FBI claim that DPR didn't know how to configure SR to safely serve as a Tor hidden service.
Sure, it's plenty likely they're still "regularly collected"; my intent was simply to add some interesting tangential details, not to assert that they were relevant to the case at hand.
I don't see how you read Parallel Construction from there.
Instead the amended declaration is responding to the claim from the defense that "there's no way FBI could have found our boy's IP address without NSA hax!!!!1"
The reply to that can be direct: "DPR configured his captcha wrong, it was actually pretty easy...". This is all that's strictly needed, which is why the rest is in a footnote.
But the footnote isn't unimportant: It explains further that it's not that unlikely (again, as the defense had been claiming) for DPR to have leaked IP addresses, as the evidence on SR's own logs showed in retrospect DPR had been having difficulty with that.
This further undermines the defense claims that only mysterious NSA de-anonymity programs, but it doesn't need or even require parallel construction, as the agent clearly explained how he actually found the IP address: from the captcha routine.
> This is all that's strictly needed, which is why the rest is in a footnote.
I'm not sure of the legal requirements, or if there even are any.
But I know that I've filed irrelevant bugs with better documentation than the event which is claimed to be the seminal moment when an extremely high profile prosecution was suddenly possible. If for nothing else, whoever saw this packet should have documented it for bragging rights. It should be printed on the back of their business card, the byline to the rest of their career.
Instead they said "this totes happens all the time, trust us".
Bragging rights aside, this packet is the basis of a high profile international search warrant. Visiting the IP and receiving the same page is circumstantial... Anyone could be serving that same page. I'm sure you'll find plenty of them by Googling for whatever text was on the page, but you won't get a search warrant like that. It is the original packet from the source that points to that page which makes that IP crucial. It should be properly documented.
> Instead they said "this totes happens all the time, trust us".
They're the FBI. They probably do see this all the time. Your "bragging rights" is likely just another example of the same stupid mistake that the investigator sees in criminal activities of less fame all the time...
It's not really the Agent's job to make such legal determinations? If I was doing forensic analysis on a server under such circumstances I would have made note and reference to that as well. Again, the IP address leak isn't the real evidence anyway and I don't see how the FBI is on the hook to prove beyond a shadow of a doubt that they got the IP address the way they said they did. His attorneys are spinning a yarn and poking the FBI's story because it's their job, but I think we should not be suggesting the FBI is guilty of something and must be required to prove their innocence. If the FBI have the logs they should answer in kind, however I don't believe the absence of such logs is going to or should help his case any.
That's a lot of different things. Perhaps you could focus on one and try again.
> If I was doing forensic analysis on a server under such circumstances I would have made note and reference to that as well.
The footnote is not forensic, and not evidence, and there's no good reason for it to be there. I doubt you are a forensic investigator so it isn't relevant what you think you would have done, but if you were a good one I suspect you would have kept packet logs of everything you saw.
That's really just two things. I apologize if you had trouble discerning that, but I'm not inclined to try again. But thanks for asking and making it clear my opinion doesn't matter ;)
> I don't see how the FBI is on the hook to prove beyond a shadow of a doubt that they got the IP address the way they said they did.
That seems kind of important to protect against illegal methods of obtaining evidence. It's not enough to say the evidence could have been obtained legally; it must actually have been obtained legally.
Where it says (the “June 12 Request”), I guess that is referring to a document included with the statement (or otherwise available to the participants in the case). Anybody manage to find it?