After seizing a child porn site, US authorities surreptitiously placed malware on all computers that logged into the site. Photo: EPA

Caught in the ‘Playpen’: How computer malware is being used to snare child porn users

The user’s online handle was Pewter, and while logged onto a website called “Playpen”, he allegedly downloaded images of young girls being sexually molested.

Pewter had carefully covered his tracks. To reach the site, he first had to install free software called Tor, the world’s most widely-used tool for giving users anonymity online.

In order to uncover Pewter’s true identity and location, the FBI quietly turned to a technique more typically used by hackers. The agency, with a warrant, surreptitiously placed computer code, or malware, on all computers that logged into the Playpen site. When Pewter connected, the malware exploited a flaw in his browser, forcing his computer to reveal its true Internet protocol address. From there, a subpoena to Comcast yielded his real name and address.

Pewter was unmasked last year as Jay Michaud, a 62-year-old administrator in the Vancouver, Washington, public schools. With a second warrant, agents searched the suspect’s home and found a thumb drive that allegedly contained multiple images of children engaged in sex acts. Last July, Michaud was arrested and charged with possession of child pornography.

Michaud’s is the lead case in a sweeping national investigation into child porn on the so-called dark Web, the universe of sites that are off Google’s radar and where users can operate with anonymity.

As criminals become savvier about using technology such as Tor to hide their tracks, investigators are turning to hacking tools to thwart them. In some cases, US law enforcement is placing malware on sites that might have thousands of users. Some privacy advocates and analysts worry that in doing so, investigators may also wind up hacking and identifying the computers of law-abiding people who are seeking to remain anonymous, people who can also include political dissidents and journalists.

“As the hacking techniques become more ambitious, failure in execution can lead to large-scale privacy and civil liberties abuses at home and abroad,” said Ahmed Ghappour, a professor at the University of California Hastings College of Law. “It’s imperative that Congress step in to regulate exactly who and how law enforcement may hack.”

But US Justice Department officials said that the government investigates crime based on evidence of illegal activities. “When we obtain a warrant, it’s because we have convinced a judge that there is probable cause that we’ll be able to find evidence in a particular location,” said a senior department official, who spoke on condition of anonymity under ground rules set by the department.

In the Playpen case, the government activated malware on a site with 215,000 members as of last February and obtained Internet protocol addresses of 1,300 computers. Out of that group, the government said it has charged 137 people.

“It’s a lot of people,” said Colin Fieman, a public defender in Tacoma representing Michaud. “There never has been any warrant I’ve seen that allows searches on that scale. It is unprecedented.”

Michaud is arguing that his charges be dismissed on grounds that the government’s use of the tool violated the Fourth Amendment. Fieman argues that some people might have gone to the site seeking to express fantasies, which while repugnant, are legal. The site, he said, doesn’t clearly advertise itself as devoted to child pornography.

He likened the government’s warrant to a “general warrant,” referring to the British practice during the colonial era of allowing government searches without any individualised suspicion.

A judge in the case was scheduled on Friday to hear a defence motion to throw out the charges against Michaud.

“This is a grey area in the law,” said Thomas Brown, a former federal prosecutor in the Southern District of New York who handled cases involving the use of hacking techniques. “It’s another instance where you’ve got technology outstripping the law.”

The FBI seized Playpen last year, and after operating it for two weeks, shut it down. During those two weeks, according to court documents, it deployed what it obliquely calls a “network investigative technique,” or NIT, to capture the IP address of anyone who logged into the website.

Fieman also argued that the government itself violated the law when it seized Playpen last year and then, rather than shut it down immediately or find ways to reroute visitors, continued to operate the child porn site.

“What the government did is comparable to flooding a neighbourhood with heroin in the hope of snaring an assortment of low-level drug users,” Fieman said in a motion to dismiss filed in November.

The issue, said Ghappour, the law professor, is not the use of the malware per se, but “whether hacking warrants are written narrowly enough to guarantee that only those culpable set the trigger [to launch the NIT], and consequently get hacked.” He added: “Given the scale of these operations, the smallest mistake could result in hundreds, if not thousands, of privacy violations.”
