The FBI’s refusal to share details about a network investigative technique it used to gather evidence against a Vancouver teacher charged with possession of child pornography has forced a federal judge’s hand to exclude the evidence from trial. The NIT used by the FBI to hack the Playpen website is believed to have de-anonymized users visiting the site who were using the Tor browser.
Judge Robert J. Bryan, a U.S. District Judge, on Wednesday granted defendant Jay Michaud’s motion to exclude the evidence. “For the reasons stated orally on the record, evidence of the N.I.T., the search warrant issued based on the N.I.T., and the fruits of that warrant should be excluded and should not be offered in evidence at trial,” Bryan wrote. Michaud, a 62-year-old teacher, was arrested last July in Seattle and was charged with possession of child pornography he allegedly downloaded from a dark web site called Playpen. The Washington Post reported that FBI seized the site’s servers and in February 2015 launched the exploit on the site leading to charges against 137 people. On Feb. 17, 2016, Michaud’s defense team was granted a motion compelling the government to produce evidence related to the network investigative technique (NIT) it deployed. Michaud’s defense team filed a new motion seeking the evidence be tossed after several requests in discovery to see the exploit and learn more about how it worked were rebuffed by the FBI. The defense wrote in a motion filed May 9 that the FBI’s use of its NIT against the site and Tor users exposed Michaud’s computer and storage devices seized under the warrant to third-party attacks associated with the distribution of child pornography. The defense suggests—and has computer science and experts corroborating—that the NIT could have allowed third parties to use Michaud’s computer to remotely transmit and store the illegal content. The motion quotes Dr. Matthew Miller, a University of Nebraska computer science professor: “[w]ithout knowing what exploit was used by the FBI in this case,” along with other discovery that the Court has ordered, it is not possible to “determine whether the files [i.e. child pornography] that the government says were located on various storage devices were put on those devices by Mr. Michaud.” The FBI’s exploit bypassed the anonymity protections afforded by the Tor browser and gathered IP addresses, MAC addresses and other system data from visitors to the site over a 13-day period. Mozilla had also previously filed a motion asking the FBI to share its exploit so that the vulnerability being attacked could be patched in the Firefox browser. The Tor browser is partially built on Firefox code. The FBI argued that exposing the exploit against Tor would not provide any insight as to how the FBI gathered data on visitors to Playpen. “Knowing how someone unlocked the front door provides no information about what that person did after entering the house,” special agent Daniel Alfin wrote, “Determining whether the government exceeded the scope of the warrant thus requires an analysis of the NIT instructions delivered to Michaud’s computer, not the method by which they were delivered.” The defendant’s most recent motion argued that the FBI’s refusal to hand over details on its exploit interferes with Michaud’s ability to get a fair trial. “The problem for the Government is that, even if all of that were true, the situation in this case would remain the same: a choice between deferring to the Government’s position that it will not or cannot comply with the Court’s discovery order and upholding Mr. Michaud’s constitutional rights to effective representation and a fair trial,” Michaud’s attorneys wrote. “As detailed in the accompanying declarations, the discovery ordered by the Court goes to the heart of Mr. Michaud’s defense. The Supreme Court has already made plain that, in situations like this, a defendant’s constitutional rights must prevail.”