Over the past few months, a team at Mozilla has been looking closely at the recent remote hacking cases currently winding their way through the courts. Because the cases involve the possible disclosure of a potential Firefox vulnerability, we wanted to understand both the best outcome for our users and, more generally, the circumstances when courts would be the appropriate venue for such disclosures.
Our analysis regarding the technical arguments in these cases is largely consistent with Nick Weaver and Susan Hennessey’s conclusions; that is, the information disclosed by the FBI is probably sufficient to determine the authenticity of evidence collected without additional disclosures regarding the vulnerability to the defendant. If that analysis is generalizable to other lawful hacking cases—a big if at this point, because law enforcement hacking is likely to grow more complex—this would suggest that there is a path forward whereby defendants can obtain the information required to mount a fair defense without jeopardizing law enforcement’s sensitive collection methods.
Nonetheless, the outcome in these cases thus far should leave everyone dissatisfied. To explain why, we want to provide more detail about our argument and the outcome in the Michaud case.
Advanced Court Disclosure
The relevant issue in Michaud, and a number of related cases, relates to an alleged vulnerability exploited by the government in the Tor Browser. The Tor Browser is based substantially on our Firefox browser codebase and some have speculated that the vulnerability might exist in a portion of that code. At this point, no one outside the government (including us) knows whether that is the case.
In May, we filed a brief in the case asking the court to ensure that, if our code is implicated in a security vulnerability, the government disclose the vulnerability to us before it is disclosed to any other party. At that time, the judge had already ordered that the full exploit be disclosed to the defense team—a decision he later reversed, in part. We thought this raised additional security risks that needed to be addressed and that it was our responsibility to our users to note those concerns with the court.
Read the full post at Lawfare.