While the dispute between Apple and the Department of Justice over terrorists’ iPhones appears to have come to a conclusion, it is clear that we can expect to see privacy issues continue to develop between the government and private sector. While the privacy issues between Apple and the DOJ received significant media attention, another matter between the government and Mozilla, a “free software community” that created the Firefox web browser, provides further insight into privacy concerns arising out of criminal investigations.
On July 10, 2015, the U.S. government filed a criminal complaint in Washington state alleging Jay Michaud possessed child pornography. The criminal complaint contained a number of allegations related to the FBI’s investigation of Michaud, including his extensive use of computer equipment to access child pornography. In particular, the criminal complaint discussed Michaud’s use of software that allowed him to anonymously use the Internet.
The criminal complaint describes a process where “software protects users’ privacy online by bouncing their communications around a distributed network of relay computers run by volunteers around the world, thereby masking the users’ IP address which could otherwise be used to identify a user.” In an effort to make sure the government met its burden, Michaud filed a motion seeking information on the government’s investigation which, in turn, could publicly disclose Firefox’s code.
Mozilla was concerned that this anonymity was created by an altered form of its Firefox browser, and, on May 11, 2016, filed a motion to allow it to enter into the criminal child pornography case. In its Motion to Intervene or Appear As Amicus Curiae in Relation to Government’s Motion for Reconsideration of Court’s Order on the Third Motion to Compel, Mozilla sought to intervene “for the purpose of requesting that this court modify its order to require the government to disclose the vulnerability to Mozilla prior to disclosing it to the defendant.”
In its motion, Mozilla argued “[a]bsent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of its vulnerability.” Mozilla asserted Firefox’s source code “is continuously developed” and is “publicly available for developers to view, modify, share, and reuse to make other products….” And, in the case of the government’s investigation, it became clear that Michaud used a modified version of Firefox that provided him the anonymity necessary to access child pornography.
Mozilla further argued that, while it is not opposed to disclosure, “any disclosure without advance notice to Mozilla will inevitably increase the likelihood the exploit will become public before Mozilla can fix any associated Firefox vulnerability.” Consequently, Mozilla requested the court modify its prior orders to require the government to disclose how it accessed Michaud’s browser at least 14 days prior to disclosure to Michaud in order to allow Mozilla to “analyze the vulnerability, create a fix, and update its products before the vulnerability can be used to compromise the security of its users’ systems by nefarious actors.”
On May 11, 2016, Michaud filed his response to Mozilla’s motion where he stated “Mr. Michaud has no stake in Mozilla’s dispute with the government. Further, the defense has no intention of disclosing any NIT discovery to Mozilla, a third party, or the public in general under any circumstances….”
After hearing the motion (and the related motion for reconsideration of order, granting defendant’s motion to compel) on May 12, 2016, the court held, after an In Camera presentation (closed chambers meeting) on the topics included in Mozilla’s motion, that the government was not required to produce the information related to Mozilla’s code.
While the information in the court’s May 12 order is limited, it is clear that the parties and the court made the security of Firefox’s code a priority. That is, the In Camera inspection allowed the parties to determine the security issues without disclosing Mozilla’s code to the public (“Following the conclusion of the In Camera hearing, the Court finds the Pltf is not required to produce requested discovery.”)
Interestingly, the security and privacy issues could not be ignored when Mozilla’s motion papers pointed out the fact that even government workers used the Firefox browser and public disclosure could put them at risk. While the Apple/DOJ privacy dispute was heated, it appears a result was achieved in this matter that all the parties could work with: Mozilla’s code was protected; Michaud was able to see if the government met its burden; and the government was given the opportunity to show how it intended to meet its burden.