LILY HAY NEWMAN
The Department of Justice filed a motion in Washington State federal court on Friday to dismiss its indictment against a child porn site. It wasn’t for lack of evidence; it was because the FBI didn’t want to disclose details of a hacking tool to the defense as part of discovery. Evidence in United States v. Jay Michaud hinged at least in part on information federal investigators had gathered by exploiting a vulnerability in the Tor anonymity network.
“Because the government remains unwilling to disclose certain discovery related to the FBI’s deployment of a ‘Network Investigative Technique’ (‘NIT’) as part of its investigation into the Playpen child pornography site, the government has no choice but to seek dismissal of the indictment,” federal prosecutor Annette Hayes wrote in the court filing on Friday. She noted that the DoJ’s work to resist disclosing the NIT was part of “an effort to balance the many competing interests that are at play when sensitive law enforcement technology becomes the subject of a request for criminal discovery.”
In other words, the feds are letting an alleged child pornographer go free so that officials can potentially catch other dark-web-using criminals in the future.
The feds have relied on the NIT, which is classified, for evidence in hundreds of other cases. Previously, though, the DOJ was able to overturn orders to reveal information about it, or sidestepped disclosure when a defendant pled guilty before trial. This marks only the second time that federal prosecutors dropped charges rather than expose a secret exploit.
For years now, federal investigators have used hacking tools to undermine the Tor anonymity network and identify suspects attempting to conceal their identities and actions. These Tor exploits help federal law enforcement agencies investigate serious crimes, particularly child porn rings on the dark web, that would otherwise be difficult to prosecute. But the DOJ will apparently go to extreme lengths to prevent the disclosure of those exploits, raising new questions about the boundaries of investigative hacking.
In fact, United States v. Jay Michaud has turned out to be a sort of case study, at each legal stage, for how the government may treat NITs in the future. Federal investigators arrested school administrator Jay Michaud, of Vancouver, WA, in July 2015 for viewing child pornography. The DOJ built its case using a controversial warrant, and in November Congress expanded the DOJ’s ability to get that type of warrant. As the case progressed, Judge Robert J. Bryan suggested that the DOJ could use a protective order to give relevant details about the NIT to Michaud’s defense in a limited and controlled way. Bryan also noted that he did not have the technical expertise to evaluate any DoJ disclosure himself. The Justice Department refused to pursue a protective order, though, and ultimately opted to drop charges rather than reveal the secret to even a single person.
A Wider Net
The controversy in the case didn’t end there, though. In May, Mozilla, the maker of the Firefox browser, which Tor is also partly based on, filed a brief asking that the government tell the company about the NIT if the vulnerability was present in Firefox, thereby endangering the browser’s users. The concern about hoarding vulnerabilities instead of disclosing them to be patched is that criminal hackers could find the flaws and maliciously exploit them while the government is keeping them secret for investigative purposes.
“Mozilla has reason to believe that the exploit that was part of the complete NIT code that this Court ordered the Government to disclose to the defense involves a previously unknown and potentially still active vulnerability in its Firefox code base,” Mozilla wrote in its May submission to the court. “Absent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability.”
In United States v. Jay Michaud the indictment will be dismissed without prejudice, meaning that the DoJ can pick the case up again within the statute of limitations (five years in this case) if it chooses. Federal investigators may be gambling that they can drop the case for now and pick it up again in a few years when technology has evolved, and the NIT has either been disclosed for other reasons or is no longer effective, says Riana Pfefferkorn, a cryptography fellow at the Stanford Law School Center for Internet and Society.
“It’s an interesting avenue to think about whether we might start seeing longer gaps between an alleged offense and an indictment if the government is trying to sort of run out the clock on the utility of its hacking methods,” Pfefferkorn says.
This approach also creates uncertainty for suspects, who are presumed innocent until proven guilty. Jay Michaud will have to wait five years knowing that the DoJ has a case against him, but unsure of whether it will ever pursue the prosecution again.
The drastic measures to hide this exploit may indicate that this particular NIT isn’t just used for domestic criminal cases, but national security investigations as well. “Outside of terrorism-related prosecutions in the FISA context, I can’t think of [situations] where the government uses some type of classified surveillance technique to go after regular domestic crimes—it’s pretty unprecedented,” says Mark Rumold, a senior staff attorney at the digital rights group Electronic Frontier Foundation.
The classified status is one of the many techniques DOJ has used to avoid disclosing the NIT, and the government seems to be using cases like United States v. Jay Michaud as a training ground to figure out how to keep hacking tools secret. All that’s certain is that the feds have dropped a case against an alleged child pornographer, with some unknowable trade-off down the road.
“It does seem to provide this moral hazard that if the government believes they can get away with it, that would seem to incentivize them to push the envelope,” Pfefferkorn says. “And my sense is that the government is continually pushing the envelope in what kind of surveillance it will ask courts to authorize.”