Federal prosecutors in the United States have opted to drop charges against a child pornography suspect rather than reveal the hacking technique used to ensnare him – a move that is sparking heated debate.
On March 3, rather than detailing those techniques, the government filed a motion in U.S. District Court in Tacoma, Wash., to dismiss without prejudice the indictment against Jay Michaud, who was arrested in July 2015 in relation to suspected Playpen activity.
The case, which involves a Washington state middle school teacher, is one of dozens initiated by the FBI against people who allegedly visited Playpen, a now-shuttered child pornography website.
The FBI obtained a warrant that allowed the agency to exploit a software vulnerability to obtain the real IP addresses of people browsing to Playpen. The website used a feature of the Tor anonymity network to obscure its real IP address as well as that of its visitors.
Law enforcement has struggled to investigate “dark web” sites that employ Tor to provide what’s known as “hidden services.” This feature offers protection for those with legitimate privacy needs, but conversely also offers greater operational security to potential lawbreakers, such as online vendors of illegal narcotics.
Exploiting the Playpen
To date, the U.S. government has closely guarded its de-anonymizing techniques.
Michaud’s case, for example, was held up after his defense counsel asked the court to require prosecutors to share details on the software flaw that was allegedly used to identify him. Security experts suspect the flaw is a so-called “zero-day” – a vulnerability that can be actively exploited, and for which no software patch is yet available that users could install to protect themselves – in Mozilla’s Firefox browser. A specialized version of the Firefox browser is used to access hidden Tor sites.
In February 2016, U.S. District Court Judge Robert J. Bryan ordered the government to detail the flaw that investigators had exploited. The U.S. government appealed that order, before dropping the appeal in January 2017. In subsequently asking for the dismissal of Michaud’s indictment on March 3, the government said it was faced with two options: “The government must now choose between disclosure of classified information and dismissal of its indictment,” writes U.S. Attorney Annette L. Hayes. “Disclosure is not currently an option.”
This implies that the government believes it could apply the hacking technique in future investigations. And the admission has revived a long-running debate over the government’s obligations to inform software vendors about security problems in their products in order to protect users.
The dismissal, however, doesn’t mean Michaud is off the hook. In her court filing, Hayes says the government could file new charges if the statute of limitations hasn’t expired, and if the government is then in a position to provide the information.
Some security experts suspect that the flaw exploited by the U.S. government has since been patched. But not all users may have installed an updated, patched version of Firefox.
For its part, Mozilla also asked the government for information on the vulnerability, but its request was refused. After Bryan ruled that the details of the flaw must be turned over to Michaud’s defense, Mozilla had petitioned the court to receive the same information, two weeks prior to the disclosure, so it could engineer a patch, since public details of the flaw would put all of its users at greater risk.
The dismissal of Michaud’s case has rankled some observers, who question why child safety appears to be taking a back seat to the government’s hacking arsenal.
“Do you remember those 0-days that were needed to hunt child pornographers?” writes Stefano Zanero, an associate professor in the computer engineering department at Polytechnic University of Milan. “They are apparently more important than children now.”
@ingloriousBOH which I understand. But what good is the method, if then you need to protect it up to the point of dismissal of cases?
— Stefano Zanero (@raistolo) March 5, 2017
Likewise, Susan Hennessy, a managing editor of the Lawfare blog and a Brookings Fellow in National Security Law, also pushed back strongly against Zanero. “This is an utterly false representation of the equities involved. If FBI discloses here, [it] undermines [the] ability to rescue future children,” said Hennessy, who’s the former head of intelligence law at the National Security Agency, via Twitter.
New Laws Needed?
The case pushes into new legal ground, as Hennessy detailed in a January essay, saying that there’s a related dilemma facing the courts: whether such technical information is material to a suspect’s defense, as well as the impact on law enforcement.
Congress, she writes, may need to create a legislative framework with procedures for handling highly technical and privileged law enforcement information. If the government’s hacking is lawful, prosecutors don’t want to be in the position of having to drop cases because classified material would be revealed.
“Such procedures could not alter the substantive constitutional rights of defendants but would ensure that the disclose-or-dismiss dilemma arises only where the tool is, in fact, material to the defense” she writes.
Curiously, in a consolidated Playpen case involving three suspects in the same court, Judge Bryan has ruled that the information related to the software exploit is not material to those cases, according to Hennessy’s paper. She suggests the disparity may have been the result of a poor explanation by prosecutors, combined with the challenges inherent to understanding highly technical evidence.
“The evolution of an individual judge between these cases illustrates one feature of lawful hacking that will undoubtedly arise again in the future: How can judges make legal determinations about the significance of computer code that they do not understand?” she writes.