Mozilla Asks Court To Force FBI To Turn Over Information On Hacking Tool It Used In Child Porn Case
from the only-criminals-use-patched-browsers-amirite? dept
An indirectly-involved party in the FBI's Playpen case has waded into the fray and is demanding answers. Mozilla wants to know about the security flaw the FBI exploited so it can fix it. (h/t Brad Heath, Nate Cardozo)
Mozilla now seeks to intervene in relation to the Government’s pending Motion to request modification of the Order, or in the alternative, to participate in the development of this issue as amicus curiae in favor of neither party, for the purpose of requesting that the Court modify its Order to require the government to disclose the vulnerability to Mozilla prior to disclosing it to the Defendant. Absent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability. This risk could impact other products as well. Firefox is released under an open source license. This means that as Firefox source code is continuously developed, it is publicly available for developers to view, modify, share, and reuse to make other products, like the Tor Browser. The Tor Browser comprises a version of Firefox with some minor modifications to add additional privacy features, plus the Tor proxy software that makes the browser’s Internet connection more anonymous.With the Tor browser being built on the Firefox framework, any exploit of Tor could affect vanilla Firefox users. Not only that, but the FBI is apparently sitting on another Firefox vulnerability it used in a previous investigation to unmask Tor users. (This refers to the FBI's 2012 child porn sting, which also used a NIT to obtain information about visitors to a seized website.) The filing notes the FBI has been less than helpful when approached for info about this Firefox/Tor-exploiting NIT.
Mozilla has contacted the Government about this matter but the Government recently refused to provide any information regarding the vulnerability used, including whether it affects Mozilla’s products. Accordingly, Mozilla requests that the Court modify its order to take into account how such disclosure may affect Mozilla and the safety of the several hundred million users who rely on Firefox.Mozilla wants to see this information two weeks before it's disclosed to the defendant so it can patch the hole. While it's not unopposed to the information being turned over to the defendant, this headstart would allow it to fix the vulnerability before it becomes public knowledge and turned into a weapon to be wielded against millions of Firefox users.
There's a Fifth Amendment implication here as well: the due process right of third parties to act on behalf of properties or interests affected by criminal investigations or court decisions.
To consider the weight of Mozilla’s interests, this Court must determine whether the Exploit to be disclosed takes advantage of an unfixed Firefox vulnerability. If it does, Mozilla will suffer harm if the Court orders the government to disclose the vulnerability to the Defendant under the existing protective order. Likewise, Mozilla continues to suffer harm by the Government’s refusal to confirm at this point whether Firefox is the target of the vulnerability. [...] Due process compels this Court to hear Mozilla’s arguments and consider its interests before rendering a decision.The proposed protective order doesn't do enough to prevent discovery of the vulnerability, according to Mozilla.
The protective order does not contain restrictions on disclosing knowledge learned through examining NIT Protected Material. This alone marks a serious deficiency in the Protective Order as the damaging information about the vulnerability is likely something that someone can easily remember. Rather, the Protective Order’s disclosure restrictions are limited to the further distribution of the copies of information the defense receives from the government. Without more restrictive provisions, the protective order relies too heavily on the Defendant’s representations he and his defense team will not share copies, but not on any explicit agreement that they will not share or use information learned or that they will put security safeguards in placeNot that the NIT's specifics are necessarily secure if the court refuses to order disclosure to Michaud or Mozilla. The declaration entered by defendant Jay Michaud's expert witness points out that the previous use of the NIT in the 2012 case resulted in the FBI turning over information about the exploit to the defendant. So, there's precedent for disclosure, which is what Michaud's lawyer is demanding. But there's also evidence the FBI is hardly the best repository for exploits and vulnerabilities.
The Cottom case, which also involved an FBI NIT, provides a helpful comparison. In Cottom, the government agreed to cooperate with the defense's discovery requests. However, the FBI later reported to the Nebraska court that it had lost part of the NIT source code. Given the potential harms and security issues the government has raised in connection with the disclosure information, the FBI's loss of NIT code in Cottom is still hard to understand. But there at least the government did not dispute the defense's need to analyze all of the available components and code to prepare pre-trial motions, a Daubert challenge, and potential trial defenses.Hard to understand, indeed. How does someone lose "part" of an exploit's code, especially considering the FBI's obvious interest in deploying it in other investigations? Might just be stupidity, but considering its evidentiary implications and the FBI's extreme reluctance to expose "means and methods," it also smells a bit of maliciousness.
While Mozilla's attempted intervention may force the FBI to turn over information on its NIT, it's unlikely to be much of a direct benefit to Michaud. His lawyer is opposed to Mozilla's request for exploit info and its offer to appear as an amicus in support of Michaud's motion to compel. His filing notes that while Mozilla is not opposed to the FBI also turning over this information to Michaud, he and his client have no interest in returning the favor should the court side with Michaud, rather than Mozilla.
Mr. Michaud has no stake in Mozilla’s dispute with the Government. Further, the defense has no intention of disclosing any NIT discovery to Mozilla, a third party, or the public in general under any circumstances. To the extent that Mozilla is concerned that the existing NIT protective order does not provide “adequate safeguards” (dkt. 195 at 12), the defense has stated that it is amenable to any and all additional security measures and modifications to the existing NIT protective order that the Court deems appropriate.Not an unreasonable response, as Michaud's lawyer's ultimate duty is to serve his client, not millions of Firefox/Tor users. As for the government, it's likely incredibly irritated that its super-secret tool is gaining it no traction in supposedly open-and-shut child porn prosecutions. Not only are courts finding the warrants used to perform this extrajurisdictional searches invalid from word one, but defendants are pushing back hard against the FBI's "investigative methods" secrecy and dismissive attitude towards the Fourth Amendment. I'm sure it had no idea it would be 198 documents deep into a single child porn case at this point -- much less being nowhere closer than day one to securing a conviction.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: doj, fbi, malware, nit, playpen, tor
Companies: mozilla
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Double negative alert
I assume you mean "not opposed" here?
[ link to this | view in chronology ]
Typical Government
You just have to trust us because... that's right! Nation Security!
Any juror that convicts someone based on parallel construction or with a piece of evidence that does not have a very clear chain of custody and explanation of how it was procured is a failure of a citizen and a scumbag human fucking being!
[ link to this | view in chronology ]
Re: Typical Government
Umm, so?
[ link to this | view in chronology ]
Re: Typical Government
[ link to this | view in chronology ]
Maybe next time it will not perform evidence-laundering to make a case.
[ link to this | view in chronology ]
Re:
Evidence Laundering is what it really is. Parallel Construction is the euphamism to make it sound nice.
Just as "enhanced interrogation" is the euphemism to make "torture" sound nice.
[ link to this | view in chronology ]
Re: Re:
The whole "Undocumented" immigrants term is another victim of whitewashing terrible shit!
[ link to this | view in chronology ]
Golden Exploit instead of a Golden Key
It seems you're faced with a dilemma here.
Should you:
(A) hand over the exploit so that Mozilla (and other software projects) can make everyone safe
(B) keep the exploit to yourself because you don't want bad guys to know about it
How about you take the same advice that you give to the 'nerds' and 'geeks' who should work out how to build your mythical Golden Key?
A Golden Exploit. It works for the government to hack into people's systems and perform your NIT (network investigative technique), but it doesn't work for hackers and bad guys that would make everyone less safe.
C'mon, you can do it. Just as you think silicon valley can do it.
Oh, wait. Maybe the government is part of 'the bad guys'? Maybe that's why we have the 4th, 5th and other amendments.
Maybe the court should order the FBI to produce such a magical Golden Exploit?
[ link to this | view in chronology ]
Again, the FBI talks with lips that lie.
To any other legal team trying this method it is merely lies and more lies. With the FBI it's ... well it's the same.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
So, in what way will the judge compel the FBI to comply, eh? Summon Comey, and charge him with contempt if he doesn't cough up?
[ link to this | view in chronology ]
What part of Firefox isn't a vulnerability?
[ link to this | view in chronology ]
Yes, he is just doing his job. If it is at the rest of the worlds expense, too fucking bad, he is being reasonable.
[ link to this | view in chronology ]