In February, a judge ordered the FBI to reveal the full malware code it used to identify visitors of a dark web child pornography site, including the exploit that circumvented the protections of the Tor Browser. The government fought back, largely in sealed motions, and tried to convince the judge to reconsider.
It has succeeded. The government's motion has been granted, and the FBI does not have to provide the exploit code to the defense as previously ordered. That means that the defense in the case will probably be unable to examine how the evidence against their client was collected in the first place.
It is not totally clear why Judge Robert J. Bryan changed his mind. On Thursday, the government and Bryan held a private meeting, where the government presented its reasons for non-disclosure of the Tor Browser exploit. Court filings have indicated that the exploit itself may not be classified, but the reasons for non-disclosure are.
Originally, Bryan had ordered the malware disclosure because, although the case involved highly technical elements, the issue boiled down to a simple, constitutional point.
"You say you caught me by the use of computer hacking, so how do you do it? How do you do it? A fair question," he said during a hearing in February. Despite backtracking somewhat, Bryan still thinks the defense has a reason to see that code, according to audio of the public section of Thursday's hearing provided by activist Phil Mocek. Of course, whether the FBI decides to then provide it is another matter.
The case revolves around the FBI's investigation into child pornography site Playpen. In February 2015 the FBI took over the site and deployed a hacking tool, designed to identify Playpen's users when they clicked on certain areas of the site. One of those was allegedly Jay Michaud, a Vancouver public schools administration worker whose defense argued for the FBI to provide the full malware code under a protective order.
In all, Motherboard has found the FBI obtained over one thousand IP addresses for alleged US-based users, and over three thousand abroad, including in Chile, Denmark, Greece, and the UK.
Federal public defenders Colin Fieman and Linda Sullivan, who are representing Michaud, have claimed that one reason they require the full NIT (network investigative technique) code is to verify that the malware did not go beyond the scope of the warrant. That warrant allowed the collection of the target's IP address, MAC address, operating system, and other technical information.
The FBI has maintained, however, that the exploit is not necessary to prove this. FBI Special Agent Daniel Alfin wrote in a declaration in March that the exploit wouldn't explain what information was actually taken by the NIT, and in Thursday's hearing, Assistant US Attorney Matthew Hampton said that the defense has only been able to put forward the theoretical possibility that the NIT went beyond its warrant, rather than any actual evidence.
This battle over access to the Tor Browser exploit is not the only dramatic legal tussle springing from the Playpen investigation. In April, one judge decided to throw out all evidence obtained by the malware because the warrant used to authorise it was invalid, and a second judge recommended the same. And on Wednesday Mozilla, the maintainer of Firefox on which the Tor Browser is based, filed a motion asking the government to disclose the vulnerability used.
Mozilla wanted details of the vulnerability 14 days before the FBI turned it over to the defense. Now, with the judge's latest ruling, it looks like the defense won't be getting it at all, unless the FBI has a drastic change of heart.
The government has made it clear that it will "not turn it over under any circumstances," Fieman said during the hearing.