Mozilla Fights FBI In Court For Details On Tor Browser Hack

An anonymous reader writes from a report on Help Net Security: Mozilla has asked a Washington State District Court to compel FBI investigators to provide details about a vulnerability in the Tor Browser hack with them, before they share it with the defendant in a lawsuit, so that they could fix it before the knowledge becomes public. The lawsuit in question is against Jay Michaud, a Vancouver (Wa.) teacher that stands accused of accessing and downloading child pornography from a website on the Dark Web. The FBI used a "network investigative technique" (NIT) to discover the IP address and identity of the defendant, which was only possible from a vulnerability in the Tor Browser. Why does Mozilla care to learn about the vulnerability? "The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser," Denelle Dixon-Thayer, Chief Legal and Business Officer at Mozilla Corporation, explained.

I think this is a bad idea.

[BitterOak]

If private companies can compel the FBI to disclose their secrets, the FBI could turn that around and say that turnabout is fair play and private companies should be compelled to disclose their secrets to the FBI. Best just to keep a respectful distance.

Vulnerabilities Don't Disciminate

[ytene]

The FBI's stance in this case seems to be another aspect of their world-view on encryption. Just as they believe that it's possible to create a "secure front door" in existing cryptographic algorithms (and thus give them a Master key that doesn't fatally flaw the encryption system), so they seem to be saying here that it is possible to distinguish between a vulnerability used to detect criminals (in this case, an alleged paedophile) and a vulnerability that could compromise the computer of a legitimate, law-abiding end user. Unfortunately, vulnerabilities don't discriminate: they'll work for anyone, for any purpose.

Sadly, proving the FBI's view is wrong would be virtually impossible unless the specific vulnerability was disclosed.

However, imagine a scenario in which the same vulnerability is subsequently identified by criminals and used to build malware that defrauds large numbers of citizens by compromising the security of their on-line banking. Tens, hundreds or thousands of people could be defrauded by hundreds, thousands or millions of dollars. In this scenario we have to ask if, on balance, it is acceptable for the FBI to remain silent in the hope that they might be able to use the same flaw to catch another alleged paedophile in the future or if, on balance, it is wiser to declare the vulnerability and have Mozilla patch it for the security of all.

The FBI, like any law enforcement agency of any western democracy, must themselves abide by the law - since, after all, the salary of every single law enforcement officer employed today is paid for by the tax contributions of the people they are paid to *protect*. As stated above, vulnerabilities don't discriminate and will work for anyone who finds and tries to exploit them. Given that anyone who does exploit a vulnerability is a criminal, the FBI surely have a duty to protect honest citizens against such future criminal exploits. If they don't, then what is the difference between the FBI and a criminal gang?

Consider a scenario [and, yes, this is highly contrived and completely unlikely] in which the vulnerability being exploited by the FBI in this case had at it's heart a mechanism that could be used to readily defeat encryption schemes such as BluRay encryption. Imagine that a criminal finds the vulnerability, spots a similar version in BluRay's implementation of encryption and uses it to produce a widely-available hack that can crack all BluRay disks wide open, regardless of the specific keys being used. Now imagine that the MPAA discover that the FBI had known about the hack for years and stayed silent.

Do you think that the MPAA would say, "Oh, heck, it's the FBI. Stand down, guys - we can't go to court to sue the FBI for beellions [sic] because they've been using this exploit to catch bad guys, which makes this OK..." ???

What this illustration is trying to show is that the moment one applies different "use cases" to the scenario, the "right answer" changes. When that happens in law, it is an example of the law being wrong, because, to be just, the law must be universal and straightforward in it's application.

There are many reasons that the Mozilla Foundation should prevail here. Let's hope that common sense wins the day and that the FBI collaborate and disclose the vulnerability.