FBI Doesn't Have to Give Mozilla Details on Bug It Used to Bust a Child Porn Ring

A man is seen next to a Firefox logo at a Mozilla stand during the Mobile World Congress in Barcelona on February 28, 2013. Albert Gea/REUTERS

A judge in Washington State rejected Mozilla's request for the FBI to disclose a vulnerability in the Firefox browser, a hole that the agency exploited to target a child pornography ring on the dark web.

U.S. Judge Robert Bryan declined the request, which would have allowed Mozilla to intervene in the case surrounding a school administrator charged with looking through a child pornography website called Playpen on the Tor network, which allows anonymous online communication. Tor is partially built on Firefox's code, so Mozilla suspects the bug may be a Firefox problem as well. Mozilla says it wants to patch the vulnerability for millions of its users.

"We will continue pressing the point with the government that the safest thing to do for user security is to disclose whether or not there is a vulnerability in the Firefox code base and if so, allow it to be fixed," Mozilla says in a statement to Newsweek. "We want people who identify security vulnerabilities in our products to disclose them to us, and we believe the default position for any government agency should be that vulnerabilities will be disclosed to the entity that can fix them."

A week ago, Mozilla's chief legal counsel, Denelle Dixon-Thayer, filed a brief asking for details on the security hole from the FBI. According to Dixon-Thayer, the defense team for Jay Michaud, a school administrator charged with downloading child pornography from Playpen, already has details of the vulnerability, but Mozilla does not. "We don't believe that this makes sense because it doesn't allow the vulnerability to be fixed before it is more widely disclosed," Dixon-Thayer writes.

In response to the brief, the judge simply punted the issue to the federal government. "It appears that Mozilla's concerns should be addressed to the United States and should not be part of this criminal proceeding," Bryan writes in a two-page order on Monday.

"Security of millions of users depends on Mozilla's ability to [figure out the flaw]," Access Now's government surveillance attorney Amie Stepanovich tells Newsweek.

The FBI's investigation into Playpen has been unprecedented in its size and the expansion of governmental powers used to investigate the website, according to cyber civil rights experts. Michaud's case is expected to be just one of over 1500 cases which will come out of the Playpen raid, according to federal public defender Colin Fieman, who is representing Michaud.

Following a warrant from a judge in Virginia, the FBI seized Playpen's domain and ran it on its own servers to track anonymous Playpen users. After obtaining over 1,000 IP addresses of these users, the FBI then hacked their computers to find evidence of child pornography.

The federal government reportedly has a process called the Vulnerabilities Equities Process (VEP), which allows agencies to determine whether they will share any discovered flaws with the tech companies. When the FBI unlocked the San Bernardino shooter's iPhone without Apple's help, many cybersecurity experts hoped the FBI would follow the VEP and disclose its cracking method to Apple.

The FBI announced in April that it would not hand its secret over to Apple, and it is unclear whether the FBI will cooperate with Mozilla either. According to Mozilla's May 11 brief, the federal government remained silent on whether the Tor exploit was processed through or will be processed through the VEP.

"The FBI is operating under some gray authority," Stepanovich says. "Government hacking has been going on since the 1990s and recently these hacking processes have been affirmed by top FBI officials. They've become masters in not revealing their secrets to anyone."
