Defense teams across the US have been trying to get access to a piece of malware the FBI used to hack visitors of a child pornography site. None have been successful at obtaining all of the malware's code, and the government appears to have no intention of handing it over.
Now, the FBI is classifying the Tor Browser exploit for reasons of national security, despite the exploit already being used in normal criminal investigations well over a year ago. Experts say it indicates a lack of organization or technical capabilities within the FBI.
"The FBI has derivatively classified portions of the tool, the exploits used in connection with the tool, and some of the operational aspects of the tool in accordance with the FBI's National Security Information Classification Guide," government attorneys wrote in a filing earlier this month. It came in response to the defense of Gerald Andrew Darby, who is charged with child pornography offenses.
The case is one of many brought forward from the FBI's investigation of dark web child pornography site Playpen. In February 2015, the FBI took over Playpen and deployed a network investigative technique—the agency's term for a hacking tool—in an attempt to identify visitors of the site. That tool used a vulnerability to circumvent the protections of the Tor Browser Bundle, and then grabbed the suspect's IP address and system information. (Mozilla, the maintainers of the Firefox browser that may also have been affected, have tried—unsuccessfully—to get access to the vulnerability.)
Court documents had previously shown that, bizarrely, it was only the FBI's reason for not wanting to hand over the exploit that was classified. But according to this recent filing, the government is now waiting on a formal, signed document from an FBI Original Classification Authority to confirm that the exploit is itself classified.
"The FBI is arguing that the tool and exploit are not simply sensitive law enforcement information, but that they actually constitute information which must be classified in the interests of national security," Steven Aftergood from the Federation of American Scientists told Motherboard in an email. To be successfully classified, the exploit must fall into one of several categories listed in Executive Order 13526.
"Which of these categories would apply here? Intelligence sources and methods? Technological activities related to the national security?" Aftergood added. "At first glance, all of them seem like a stretch. It will be interesting to see how FBI defends the move—and whether the court is persuaded."
According to the Department of Justice, the government has a record of mistakenly and inappropriately invoking classification controls. Aftergood pointed to the DOJ's Office of the Inspector General's 2013 report, which read "we found several documents in which unclassified information was inappropriately identified as being classified."
Mark Rumold, senior staff attorney at the Electronic Frontier Foundation, told Motherboard in a phone call, "The government is never shy about asserting its classification authority as broadly as it wants to."
So, why now? Why classify the exploit and other information when myriad cases have already made their way through the courts?
"Either the classified information was originally designated by another agency and the FBI only just found out, or the FBI was the original classification authority, and the designation was overlooked in error at some point down the information supply chain. This could have been due to a lack of organization, technical capabilities, or both," Ahmed Ghappour, visiting assistant professor at UC Hastings, College of the Law told Motherboard in an email.
In other court documents, the government has vaguely said it doesn't want to disclose the exploit because it could diminish the future value of investigative techniques; allow individuals to devise counter-measures (or perhaps patch it); and discourage cooperation from third parties and other agencies that rely on these techniques. It also held a closed-off, and apparently convincing, meeting with a judge to explain its reasoning in more detail.
Although classifying material may seem like a surefire way to stop it being disclosed, the FBI's move could open up new legal avenues for defense teams to gain access to it.
The Classified Information Procedures Act (CIPA) is a statute followed when classified information enters a court. It's traditionally used in things like espionage cases, and allows the defense to potentially review classified material.
An FBI spokesperson declined to expand on the information in the recent court filing, or explain the agency's motivations.