Federal judge rejects Mozilla's demand to see bug in Tor browser
Last week, Mozilla filed a motion with a federal court in Seattle asking U.S. District Judge Robert Bryan to force authorities to disclose the Tor browser vulnerability to Mozilla before revealing the bug to others, including the defendant in an ongoing case who was charged with visiting a child pornography website.
"If the Court determines that the Exploit takes advantage of an unfixed vulnerability in Firefox, disclosure to any third parties, including the defendant, before it can be fixed may threaten the security of the devices of Firefox users," Mozilla's lawyers argued in a May 11 motion.
More than 100 were identified by the FBI as visitors to a child pornography site, including the case in question's defendant, Jay Michaud. The FBI used what it called a "network investigative technique," or NIT, to track visitors to the site, which was masked by the Tor network. The FBI traced visitors who had used the Tor browser by exploiting an undisclosed vulnerability in the browser.
Mozilla wanted to know whether the bug was also in Firefox, and if so, wanted the necessary information to patch the vulnerability. The organization argued that it should be allowed to intervene in the case, or failing that, be allowed to participate as an amicus curiae, or "friend of the court."
Judge Bryan put the kibosh on Mozilla's request.
"That the plaintiff is not required to produce the requested discovery apparently makes Mozilla's Motion to Intervene or Appear as Amicus Curiae moot," Bryan ruled on Monday. "Mozilla's concerns should be addressed to the United States [government] and should not be part of this criminal proceeding."
The case has been confusing of late.
After Michaud's lawyer demanded access to the NIT last year, Bryan originally ruled that the defendant had a right to see the exploit's source code. But the government objected, and in a closed-door session this month, convinced the judge to reverse himself.
"The Court ruled orally that the government had made a sufficient showing and was not required to disclose the entire N.I.T. code to the defendant," Bryan wrote.
Yesterday, however, Bryan issued another ruling that essentially said he was caught between a rock and a hard place.
"The defendant has the right to review the full N.I.T. code, but the government does not have to produce it," Bryan noted in a May 18 order. "Thus, we reach the question of sanctions: What should be done about it when, under these facts, the defense has a justifiable need for information in the hands of the government, but the government has a justifiable right not to turn the information over to the defense"
That Catch-22 will, said Bryan, be addressed during oral arguments by the government and Michaud's lawyer in a hearing slated for May 25.
For the moment, Mozilla has been stymied in its effort to see the exploit and determine whether it leveraged a Firefox vulnerability. But the open-source developer said it is not going to give up.
"We will continue pressing the point with the government that the safest thing to do for user security is to disclose whether or not there is a vulnerability in the Firefox code base and if so, allow it to be fixed," Denelle Dixon-Thayer, Mozilla's top lawyer, said in a statement. "We want people who identify security vulnerabilities in our products to disclose them to us, and we believe the default position for any government agency should be that vulnerabilities will be disclosed to the entity that can fix them."
Dixon-Thayer's call for "the default position of any government agency" has little chance of being answered.
Last month, in a much higher-profile case, the FBI said it would not reveal to Apple how a terrorist's iPhone password was cracked, saying it had only paid for the use of the exploit, not the exploit itself. For the same reason, the FBI said it was not going to bring the iOS bug before the Vulnerabilities Equities Process (VEP) panel, a group that decides whether a flaw used by a U.S. government agency should be passed along to the vendor for patching.