FBI queried on use of vulnerabilities equities process in Playpen case

A U.S. district judge grants the defendants in a child porn case the right to know whether the FBI used the vulnerabilities equities process before the hack of the Playpen Tor hidden service site.

Fallout continues from the Playpen child pornography case, as the latest court ruling has put the FBI and U.S. government's vulnerabilities equities process under the microscope.

U.S. District Court Judge Robert Bryan, of the Western District of Washington at Tacoma, called on the FBI to answer two simple questions: Was the vulnerability used in the FBI's Tor-busting network investigative technique (NIT) submitted to the White House to undergo the executive branch's vulnerabilities equities process? If so, what was the outcome of that process?

Bryan's decision gave defendants a partial victory in their challenge to the FBI's methods used to decloak their anonymity on the Tor anonymity network. While many of the defendants' discovery requests were rejected, Bryan ordered the prosecution to reveal whether the exploit used in the Playpen operation was considered under the vulnerabilities equities process (VEP), and what the outcome of that submission was.

Bryan's ruling read: "The Government should inform Defendants and the Court in a brief memorandum or similar format two issues: (1) whether the 'exploit used in the Playpen operation ... [was] submitted ... to the [VEP],' and (2) the decision or outcome, if any, made by the VEP. If answering these two simple questions requires the Government to reveal classified information, the Government may make a showing to persuade the Court of proposed limitations."

The vulnerabilities equities process is the blueprint used by the U.S. government to determine whether information about a particular vulnerability should be restricted and used in carrying out law enforcement or intelligence functions, or whether it should be disclosed to improve cybersecurity for the public.

Bryan also ruled last week on a number of other discovery issues in favor of the defendants, David Tippens, Gerald Lesan and Bruce Lorente, calling on the FBI to reveal details related to the period of time the FBI had taken control of the Tor hidden service site hosting child pornography.

Last week's ruling called on the FBI to reveal the number of Playpen-related investigations that were initiated, but did not result in criminal charges -- beyond the approximately 200 cases that are currently pending. The ruling also called on the FBI for the number of total IP addresses and MAC IDs seized during the time the FBI controlled the site -- beyond the currently pending cases -- and details of IP and MAC addresses seized from foreign computers, as well as the countries in which they were seized.

In April of this year, the FBI faced a similar ruling by Bryan to disclose details of the NIT used in the Playpen operation in a different case. The FBI argued in that case that details of the NIT were not relevant to the defense attorneys' defense.

This May, Mozilla filed an amicus curiae motion in a separate case related to the FBI's Playpen operation in Bryan's court. Mozilla requested the vulnerability be disclosed and noted that the government "refuses to tell Mozilla if the exploit went through the vulnerabilities equities process, which is an interagency process used to determine whether vulnerabilities should be disclosed to the impacted company or should be exploited in secret."

The Playpen operation has raised a number of different legal issues. Last month, a federal court in Texas ruled law enforcement hacking in this instance violates the Fourth Amendment protections against unreasonable search and seizure without a warrant.

The origins of the FBI's NIT used in the Playpen operation to identify users connecting to the site through Tor have also been murky; last year, it was alleged the FBI had paid researchers at Carnegie Mellon University in Pittsburgh $1 million to devise an attack that would deanonymize users of Tor's hidden services.

The Playpen was a Tor hidden services site whose primary purpose was to advertise and distribute child pornography; Motherboard reported earlier this year that the site had nearly 215,000 user accounts and averaged roughly 11,000 unique visitors each week. By early 2015, according to a legal filing in another Playpen case, a "foreign law enforcement agency" advised the FBI of the IP address linked to the Playpen site in Lenoir, N.C., and the FBI took over control of the site.

"Hoping to locate and identify visitors to the site, the FBI placed a complete copy of the Playpen website, including all of the child pornography on the website, on a government-controlled server located in Newington, Va.," the filing read. Approximately 1,300 IP addresses were eventually identified in the operation.
