A federal judge has rejected Mozilla’s request to force the US government into disclosing a vulnerability related to its Firefox web browser. The company says that their browser was exploited by the FBI to investigate users of a large child pornography website.
US District Judge Robert Bryan in Tacoma, Washington, on Monday rejected Mozilla’s bid to intervene in a case against a school administrator charged in the investigation, Jay Michaud.
Bryan had previously ordered prosecutors to disclose to Michaud’s lawyers a flaw in a browser used to view websites including the child porn one on the anonymous Tor network that is partly based on the code for Mozilla’s Firefox browser.
Mozilla, seeking to fix the flaw, moved to intervene, asking Bryan to force the government to disclose to Mozilla the vulnerability before revealing it to Michaud.
After the Justice Department asked Bryan to reconsider, citing national security, he said on Thursday prosecutors did not need to make the disclosure to Michaud.
Bryan on Monday said that made Mozilla’s request moot, adding it “appears that Mozilla’s concerns should be addressed to the United States.”
Mozilla in a statement said it would argue to the government “that the safest thing to do for user security is to disclose the vulnerability and allow it to be fixed.”
A Justice Department spokesman declined comment. Colin Fieman, Michaud’s lawyer, said he would seek the indictment’s dismissal due to prosecutors electing against disclosure.
Michaud is one of 137 people facing U.S. charges after the FBI in February 2015 seized the server for Playpen, a child porn website on the Tor network, which allows anonymous online communication.
To identify its 214,898 members, authorities sought a search warrant from a Virginia judge allowing them to deploy a “network investigative technique.”
The technique caused a user’s computer to send back data any time that user logged onto the website while the FBI operated it for two weeks.
Thousands of people domestically and abroad are being investigated as a result. The probe recently ran into trouble, after two defendants secured rulings declaring warrants in their cases invalid.
Mozilla’s brief came amid renewed attention to the process for disclosing computer security flaws discovered by federal agencies.
Mozilla said it asked if the FBI submitted the browser flaw through an interagency vulnerability review process used to determine if vulnerabilities should be disclosed to affected companies or should be used secretly, but received no answer.