SEATTLE (AP) " The Justice Department's refusal to disclose information about a software weakness it exploited during a major child pornography investigation last year is complicating some of its prosecutions arising from the bust.
During the investigation, the FBI allowed a secret child porn website on the largely anonymous Tor network to run for two weeks while it tried to identify users by hacking into their computers. The cases highlight how courts have struggled to square technological advances with existing legal rules.
A federal judge in Washington state last month threw out the government's evidence against one of the defendants, saying that unless the FBI detailed the vulnerability it exploited, the man couldn't mount an effective defense.
In another case, a Virginia judge rejected a similar request in an opinion unsealed Thursday, saying even if the defendant had demonstrated a need for the full source code, that need would be outweighed by the government's interest in keeping it secret to protect investigative techniques.
The judge suggested that even though the FBI obtained a warrant to hack into the defendants' computers, it didn't need one. He compared the agency's exploiting of the software vulnerability to a police officer being able to see through broken window blinds into someone's home " an analogy privacy and computer security experts called obviously wrong.
For starters, people know if their blinds are broken and have a chance to fix them. An officer looking through them is only observing what anyone else could observe. And "even if their blinds are broken doesn't mean you get to go into their house and search," said Mark Rumold, a senior staff attorney at the San Francisco-based Electronic Frontier Foundation.
"The court's decision that you don't have a reasonable expectation of privacy in a laptop in your own home " people should be very worried," he said.
The DOJ has said the information is not relevant. Defendants have been offered or provided all the evidence they need, including limited source code and data streams showing what the program did, the FBI has argued.
The department has also declined to disclose the information to Mozilla Corp., which believes it might concern a previously undisclosed flaw in its open-source Firefox browser.
"We'll continue to encourage the Government to disclose vulnerabilities to affected technology companies to allow us to do our job to prevent users from being harmed and to make the Web more secure," Denelle Dixon-Thayer, Mozilla's chief legal and business officer, said in an email.
The child porn website, called Playpen, operated on Tor, which provides users anonymity by routing their communications through multiple computers around the globe, and it had more than 150,000 members. The Tor browser is based on Firefox, and while the network is used for various reasons " including circumventing free-speech restrictions in some parts of the world " it has also provided sanctuary for child pornography, drug trafficking and other criminality.
After arresting Playpen's operator in Florida in early 2015, the FBI let the website continue running for two weeks while trying to identify users " something the agency said was necessary to apprehend those posting and downloading images of children being sexually abused. Defense attorneys criticized the tactic as unethical.
A magistrate in Virginia issued a search warrant allowing the agency to deploy what it calls a "network investigative technique": code that prompted the computers that signed into Playpen to communicate back to the government certain information, including IP addresses, despite the anonymity normally afforded by Tor.
The FBI then obtained further warrants to search the suspects' homes. At least 137 people have been charged, and many more could be: In a court filing in Michigan this month, prosecutors said thousands of the website's users, in the U.S. and abroad, are under investigation.
"The indiscriminate use of the technology to get into people's computers is unprecedented," said public defender Colin Fieman, who represents Washington state defendant Jay Michaud. "Never before has the government tried to get permission to search an unlimited number of computers " we're really talking about people's homes here, since that's where the computers are " based on a single warrant."
Defendants have challenged the FBI's hacking on numerous grounds, including that the magistrate exceeded her authority by issuing a warrant that permitted searches of computers in other judicial districts. Several federal judges have agreed she violated the rules of criminal procedure, but they've differed about whether the violation was merely technical, as judges in Ohio and Pennsylvania found, or requires the suppression of evidence, as courts in Massachusetts and Oklahoma have held.
The Justice Department has been pressing for changes to the criminal procedure rules that would allow such warrants when investigators don't know the location of the computers they want to search.
"The various rulings in these cases highlight why the government supports the clarification of the rules of procedure currently pending before Congress to ensure that criminals using sophisticated anonymizing technologies to conceal their identities while they engage in crime over the Internet are able to be identified and apprehended," DOJ spokesman Peter Carr wrote in an email.
Follow Johnson at https://twitter.com/GeneAPseattle