
FBI chooses to protect Tor vulnerability and dismiss child porn case

The Department of Justice dropped a child pornography case in order to avoid disclosing a Tor vulnerability; dozens more cases potentially affected.

Forced to decide between disclosing a Tor vulnerability used to gather evidence and dismissing the child porn case it had built, the U.S. Department of Justice chose to protect the exploit.

The undisclosed Tor vulnerability was used by the FBI to deanonymize user traffic to the Playpen child porn website hosted as a Tor hidden service. However, the evidence was deemed inadmissible by the court unless the FBI disclosed the method used to gather it. In a filing on the case, federal prosecutor Annette Hayes wrote that the suppression order filed by the FBI "has deprived the government of the evidence needed to establish defendant Jay Michaud's guilt beyond a reasonable doubt at trial."

Hayes said "the government has no choice but to seek dismissal of the indictment" because the FBI was unwilling to disclose the Tor vulnerability, described as a "network investigative technique," used to build the case against Michaud, a Playpen child porn site visitor.

Hayes wrote the government was forced to "choose between disclosure of classified information and dismissal of its indictment," but determined "disclosure is not currently an option."

"Dismissal without prejudice leaves open the possibility that the government could bring new charges should there come a time within the statute of limitations when and the government be in a position to provide the requested discovery," Hayes wrote in the court filing. "The government has not sought unfair advantage over Michaud, nor has it acted with any improper motive. It simply acted to protect highly sensitive information from criminal discovery as was its obligation. The Court should therefore dismiss this case without prejudice."

David Holtzman, internet pioneer and president of GlobalPOV, wrote on Twitter that this decision by the government has troubling implications.

Other FBI Tor battles

The Tor vulnerability used by the FBI to uncover the real names and IP addresses of deep web users has been connected to approximately 200 prosecutions. Many other prosecutions have come under fire over the warrant issued under Rule 41 to authorize the FBI to use the Tor vulnerability exploit.

Rule 41 of the Federal Rules of Criminal Procedure, which governs search and seizure of evidence, is a controversial federal criminal procedure updated last year to expand federal law enforcement agencies' hacking of systems outside of the jurisdiction where the warrant was granted. Recent changes to the rule specifically allow for warrants targeting systems concealed through technical means, like being hidden behind the Tor network.

A court filing against another visitor of the Playpen site, Robert Clay Eldred, in Vermont revealed there have been "over three dozen motions to suppress" any evidence gathered under the warrant "on the grounds that Magistrate Judge Buchanan lacked jurisdiction under Federal Rule of Criminal Procedure 41 to authorize a search that would be executed outside of the Eastern District of Virginia."

The filing also noted a minimum of 24 decisions have ruled the FBI warrant was not valid under Rule 41. It is unclear as yet what impact the government's decision to dismiss the case against Michaud will have on other cases. 
