Mozilla Asks Court To Force FBI To Turn Over Information On Hacking Tool It Used In Child Porn Case

from the only-criminals-use-patched-browsers-amirite? dept

An indirectly-involved party in the FBI’s Playpen case has waded into the fray and is demanding answers. Mozilla wants to know about the security flaw the FBI exploited so it can fix it. (h/t Brad Heath, Nate Cardozo)

Mozilla now seeks to intervene in relation to the Government’s pending Motion to request modification of the Order, or in the alternative, to participate in the development of this issue as amicus curiae in favor of neither party, for the purpose of requesting that the Court modify its Order to require the government to disclose the vulnerability to Mozilla prior to disclosing it to the Defendant. Absent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability. This risk could impact other products as well. Firefox is released under an open source license. This means that as Firefox source code is continuously developed, it is publicly available for developers to view, modify, share, and reuse to make other products, like the Tor Browser. The Tor Browser comprises a version of Firefox with some minor modifications to add additional privacy features, plus the Tor proxy software that makes the browser’s Internet connection more anonymous.

With the Tor browser being built on the Firefox framework, any exploit of Tor could affect vanilla Firefox users. Not only that, but the FBI is apparently sitting on another Firefox vulnerability it used in a previous investigation to unmask Tor users. (This refers to the FBI’s 2012 child porn sting, which also used a NIT to obtain information about visitors to a seized website.) The filing notes the FBI has been less than helpful when approached for info about this Firefox/Tor-exploiting NIT.

Mozilla has contacted the Government about this matter but the Government recently refused to provide any information regarding the vulnerability used, including whether it affects Mozilla’s products. Accordingly, Mozilla requests that the Court modify its order to take into account how such disclosure may affect Mozilla and the safety of the several hundred million users who rely on Firefox.

Mozilla wants to see this information two weeks before it’s disclosed to the defendant so it can patch the hole. While it’s not unopposed to the information being turned over to the defendant, this headstart would allow it to fix the vulnerability before it becomes public knowledge and turned into a weapon to be wielded against millions of Firefox users.

There’s a Fifth Amendment implication here as well: the due process right of third parties to act on behalf of properties or interests affected by criminal investigations or court decisions.

To consider the weight of Mozilla’s interests, this Court must determine whether the Exploit to be disclosed takes advantage of an unfixed Firefox vulnerability. If it does, Mozilla will suffer harm if the Court orders the government to disclose the vulnerability to the Defendant under the existing protective order. Likewise, Mozilla continues to suffer harm by the Government’s refusal to confirm at this point whether Firefox is the target of the vulnerability. […] Due process compels this Court to hear Mozilla’s arguments and consider its interests before rendering a decision.

The proposed protective order doesn’t do enough to prevent discovery of the vulnerability, according to Mozilla.

The protective order does not contain restrictions on disclosing knowledge learned through examining NIT Protected Material. This alone marks a serious deficiency in the Protective Order as the damaging information about the vulnerability is likely something that someone can easily remember. Rather, the Protective Order’s disclosure restrictions are limited to the further distribution of the copies of information the defense receives from the government. Without more restrictive provisions, the protective order relies too heavily on the Defendant’s representations he and his defense team will not share copies, but not on any explicit agreement that they will not share or use information learned or that they will put security safeguards in place

Not that the NIT’s specifics are necessarily secure if the court refuses to order disclosure to Michaud or Mozilla. The declaration entered by defendant Jay Michaud’s expert witness points out that the previous use of the NIT in the 2012 case resulted in the FBI turning over information about the exploit to the defendant. So, there’s precedent for disclosure, which is what Michaud’s lawyer is demanding. But there’s also evidence the FBI is hardly the best repository for exploits and vulnerabilities.

The Cottom case, which also involved an FBI NIT, provides a helpful comparison. In Cottom, the government agreed to cooperate with the defense’s discovery requests. However, the FBI later reported to the Nebraska court that it had lost part of the NIT source code. Given the potential harms and security issues the government has raised in connection with the disclosure information, the FBI’s loss of NIT code in Cottom is still hard to understand. But there at least the government did not dispute the defense’s need to analyze all of the available components and code to prepare pre-trial motions, a Daubert challenge, and potential trial defenses.

Hard to understand, indeed. How does someone lose “part” of an exploit’s code, especially considering the FBI’s obvious interest in deploying it in other investigations? Might just be stupidity, but considering its evidentiary implications and the FBI’s extreme reluctance to expose “means and methods,” it also smells a bit of maliciousness.

While Mozilla’s attempted intervention may force the FBI to turn over information on its NIT, it’s unlikely to be much of a direct benefit to Michaud. His lawyer is opposed to Mozilla’s request for exploit info and its offer to appear as an amicus in support of Michaud’s motion to compel. His filing notes that while Mozilla is not opposed to the FBI also turning over this information to Michaud, he and his client have no interest in returning the favor should the court side with Michaud, rather than Mozilla.

Mr. Michaud has no stake in Mozilla’s dispute with the Government. Further, the defense has no intention of disclosing any NIT discovery to Mozilla, a third party, or the public in general under any circumstances. To the extent that Mozilla is concerned that the existing NIT protective order does not provide “adequate safeguards” (dkt. 195 at 12), the defense has stated that it is amenable to any and all additional security measures and modifications to the existing NIT protective order that the Court deems appropriate.

Not an unreasonable response, as Michaud’s lawyer’s ultimate duty is to serve his client, not millions of Firefox/Tor users. As for the government, it’s likely incredibly irritated that its super-secret tool is gaining it no traction in supposedly open-and-shut child porn prosecutions. Not only are courts finding the warrants used to perform this extrajurisdictional searches invalid from word one, but defendants are pushing back hard against the FBI’s “investigative methods” secrecy and dismissive attitude towards the Fourth Amendment. I’m sure it had no idea it would be 198 documents deep into a single child porn case at this point — much less being nowhere closer than day one to securing a conviction.





Filed Under: , , , , ,
Companies: mozilla

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Mozilla Asks Court To Force FBI To Turn Over Information On Hacking Tool It Used In Child Porn Case”

Subscribe: RSS Leave a comment
15 Comments
Anonymous Coward says:

Typical Government

We cannot or will not provide you with the methods processes or tools used to gather evidence that can put people away for years.

You just have to trust us because… that’s right! Nation Security!

Any juror that convicts someone based on parallel construction or with a piece of evidence that does not have a very clear chain of custody and explanation of how it was procured is a failure of a citizen and a scumbag human fucking being!

DannyB (profile) says:

Golden Exploit instead of a Golden Key

Dear James Comey,

It seems you’re faced with a dilemma here.

Should you:
(A) hand over the exploit so that Mozilla (and other software projects) can make everyone safe
(B) keep the exploit to yourself because you don’t want bad guys to know about it

How about you take the same advice that you give to the ‘nerds’ and ‘geeks’ who should work out how to build your mythical Golden Key?

A Golden Exploit. It works for the government to hack into people’s systems and perform your NIT (network investigative technique), but it doesn’t work for hackers and bad guys that would make everyone less safe.

C’mon, you can do it. Just as you think silicon valley can do it.

Oh, wait. Maybe the government is part of ‘the bad guys’? Maybe that’s why we have the 4th, 5th and other amendments.

Maybe the court should order the FBI to produce such a magical Golden Exploit?

Anonymous Coward says:

Even if the court agreed with Mozilla and ordered the government to disclose it it won’t do them any good since the govt will just defy the courts order anyway and keep it secret. They may have to drop some cases letting actual bad guys go free but hey, who wants to put bad guys away if we actually have to disclose how we found them and got the evidence.

Anonymous Coward says:

As was already mentioned here, the FBI has already replied:

Here, the Government has already signaled its decision. It has stated that the FBI will not comply with the Court’s discovery order under any circumstances…

So, in what way will the judge compel the FBI to comply, eh? Summon Comey, and charge him with contempt if he doesn’t cough up?

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...