Mozilla fights in court to get info about potential Firefox flaw

Mozilla has asked a Washington State District Court to compel FBI investigators to share details about a vulnerability in the Tor Browser with it before they share them with the defendant in a lawsuit, so that it can fix the flaw before the knowledge becomes public.


The lawsuit in question is against Jay Michaud, a Vancouver (Wa.) teacher who stands accused of accessing and downloading child pornography from a website on the Dark Web.

The network is accessible only via special software (i.e. the Tor Browser), and the FBI used a “network investigative technique” (NIT) to discover the defendant’s IP address and, eventually, his identity. The NIT in question took advantage of a vulnerability in the Tor Browser to unmask users of the illegal website.

Why is Mozilla asking for the details about the flaw?

“The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser,” Denelle Dixon-Thayer, Chief Legal and Business Officer at Mozilla Corporation, explained.

“At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base. The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability. We don’t believe that this makes sense because it doesn’t allow the vulnerability to be fixed before it is more widely disclosed.”

Mozilla asks the court to modify its order requiring the government to disclose the vulnerability to the defendant’s counsel, so that the government is forced to share the information with Mozilla first, i.e. 14 days in advance, if the flaw is, indeed, in Mozilla’s code base.

The government is still arguing that it shouldn’t be compelled to disclose any details about the NIT used in this case.
