This story is over 5 years old.


​Pressure Mounts on FBI To Reveal Tor Browser Exploit

More lawyers argue for information on an exploit the FBI used in a dark web child porn bust.

Things are only getting more complicated for the FBI around its investigation into dark web child porn site Playpen.

Another defense team has demanded that the agency hand over the full code of a piece of malware used to catch suspected pedophiles using the site, including the Tor Browser vulnerability the malware took advantage of.

The case stems from Operation Pacifier, which saw the FBI seize Playpen in February 2015 and briefly run it from a government server. During this time, the agency deployed a network investigative technique (NIT)—read: malware—to identify visitors of the site.


The malware relied on a vulnerability in the Tor Browser, and after infecting a target's computer, it grabbed their real IP address and other technical information.

Mozilla, which maintains the Firefox browser that could also be vulnerable to the attack, previously urged the FBI to provide details, but to no avail. In February, one judge ordered the agency to disclose the vulnerability, but then changed his mind after a closed-off meeting with the government.

But despite those setbacks, and because of the the high number of cases brought as a result of the FBI's operation, there are still people willing to challenge the FBI for the information.

"Defense lawyers who are working on these cases are looking to see what others are doing, and if a strategy looks like it's working, they're going to copy it"

Earlier this month, lawyers representing Edward Joseph Matish, who is charged with child pornography crimes, filed a motion to compel discovery, asking a judge to order the government to hand over the malware code. The lawyers want to verify, among other things, the full extent of the information seized from their client's computer, and have also filed motions asking for evidence to be thrown out.

The case echoes that of Jay Michaud, who was arrested in July 2015 as part of the same overarching operation. In the Michaud case, a judge ordered the FBI to provide its full malware code, before back-tracking on that order.

There is, however, still the question of whether the government will face any sanctions for not disclosing the code to Michaud, and perhaps even be forced to give up the case altogether. This strange stand-off is because the judge says the defense still has a right to see the malware, even if the government can't be forced to disclose it.

"Defense lawyers who are working on these cases are looking to see what others are doing, and if a strategy looks like it's working, they're going to copy it," Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU) told Motherboard in an encrypted phone call. The FBI obtained the IP addresses of over a thousand alleged US-based visitors of the site.

But as the Michaud case made clear, it seems the FBI isn't planning on playing along and providing the details of its NIT.

"It's clear the government has no intention of turning over the exploit," Soghoian said.