Mozilla Corp has asked a federal judge to order the U.S. government to disclose a vulnerability in its Firefox web browser that the company says the FBI exploited to investigate users of a large and secretive child pornography website.
Mozilla filed papers in federal court in Tacoma, Washington, on Wednesday seeking information on a vulnerability in a browser that is partly based on the code for Firefox and is used to view websites on the anonymous Tor network.
In a blog post, Denelle Dixon-Thayer, Mozilla’s chief legal and business officer, said a judge had ordered the vulnerability disclosed to lawyers for a defendant caught in the probe, Jay Michaud, but not to any of the entities that could fix it.
“We don’t believe that this makes sense because it doesn’t allow the vulnerability to be fixed before it is more widely disclosed,” she wrote.
A U.S. Justice Department spokesman said it would respond at a later date.
Mozilla’s brief came amid renewed attention to the process for disclosing computer security flaws discovered by federal agencies, following a recent standoff between Apple and the FBI over a locked iPhone linked to a shooter involved in a terrorist attack in San Bernardino, California, in which 14 people were killed.
The Federal Bureau of Investigation said it could not submit to an interagency review the hack used to access the iPhone because it did not own the method or possess sufficient knowledge of the underlying vulnerability.
Mozilla said it had asked if the FBI submitted the browser flaw through the vulnerability review process but had not received an answer.
Michaud is one of 137 people facing U.S. charges after the FBI in February 2015 seized the server for Playpen, a child porn website on the Tor network, which is designed to allow anonymous online communication and protect user privacy.
In order to identify its 214,898 members, authorities sought a search warrant from a Virginia judge allowing them to deploy a “network investigative technique.”
That technique would cause a user’s computer to send them data any time that user logged onto the website while the FBI operated it for two weeks.
The investigation has recently run into legal trouble, after two defendants secured rulings declaring the warrants used in their cases were invalid.
In Michaud’s case, U.S. District Judge Robert Bryan in February ordered that prosecutors disclose to his lawyers the code used to deploy the “network investigative technique.” Prosecutors have asked Bryan to reconsider.