Intent on keeping details private about how it hacked the Tor browser, prosecutors with the U.S. Department of Justice on Friday asked to dismiss a case involving a suspect who visited the Playpen dark web child pornography site in 2015.
“The government must now choose between disclosure of classified information and dismissal of its indictment,” Annette Hayes, a US attorney, wrote in a court filing (.PDF) on Friday. “Disclosure is not currently an option.”
Hayes asked the court to drop charges around the case without prejudice, insisting the government has “simply acted to protect highly sensitive information from criminal discovery as was its obligation.” There’s a chance, if the exploit is unclassified later down the line, the government could reopen its case, she claims.
“Dismissal without prejudice leaves open the possibility that the government could bring new charges should there come a time within the statute of limitations when and the government be in a position to provide the requested discovery,” Hayes wrote.
News the government is unwilling to disclose the exploit–something the FBI refers to as a “Network Investigative Technique” (NIT)–has seemingly been a long time coming; the DOJ has remained resolute to keeping the exploit under wraps. Last April the FBI refused to comply with the judge’s request to describe how it compromised the Tor browser.
The case deals with Jay Michaud, a 62-year-old teacher from Vancouver, Wash. who was arrested in 2015 after allegedly accessing the child pornography dark web site Playpen. The case is one of more than 100 related to the site currently wending their way through the judicial system.
Judge Robert J. Bryan, the U.S. District Judge who has overseen much of “United States v. Michaud” case, granted Michaud’s defense team’s motion to exclude any evidence gathered through the exploit last May. The motion was spurred after the FBI repeatedly failed to discuss how the NIT worked.
“For the reasons stated orally on the record, evidence of the NIT, the search warrant issued based on the NIT, and the fruits of that warrant should be excluded and should not be offered in evidence at trial,” Bryan said at the time.
After the FBI seized servers belonging to Playpen in February 2015, the agency moved the site to a government controlled server in Virginia and spied on its patrons for 13 days. Michaud is one of 137 people who had charges filed against them following the sting.
While details around the NIT haven’t been disclosed, it’s believed the exploit–essentially malware – bypassed Tor’s anonymity protections and siphoned up technical data on victims, including their IP address, MAC address, and other system information, and forwarded it along to law enforcement.
The FBI classified portions of the tool, exploits used in connection with it, and “operation aspects” of the NIT in June 2016, making it highly unlikely information about exploit will become public anytime soon.
Mozilla filed a motion last May with the U.S. District Court in Tacoma, Wash., in hopes of compelling the government to turn over details around the exploit. Since Tor is partially built on Firefox source code, Mozilla was concerned many of its users could be put at risk if the vulnerability was disclosed prematurely. Judge Bryan ultimately rejected Mozilla’s request and instructed the company to address their concerns to the U.S. government directly.
Another vulnerability that affected Firefox and could have been used to de-anonymize Tor users surfaced at the end of November. The vulnerability, which stemmed from a bug in the way the browser handled JavaScript and SVG code, worked “essentially the same way” as the NIT, Mozilla’s Daniel Veditz said at the time.
“If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web,” Veditz wrote.
The vulnerability, which existed on Windows, MacOS, and Linux, was patched in both browsers through an emergency update.
Developers with Tor are readying a sandboxed version of the browser, something that should help thwart future de-anonymization attempts, be it by attackers or the government, going forward.