The Honorable Robert J. Bryan
UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF WASHINGTON
AT TACOMA
UNITED STATES OF AMERICA, Plaintiff, v. JAY MICHAUD, Defendant.
No. 15-CR-05351-RJB
MOZILLA’S MOTION TO INTERVENE OR APPEAR AS AMICUS CURIAE IN RELATION TO GOVERNMENT’S MOTION FOR RECONSIDERATION OF COURT’S ORDER ON THE THIRD MOTION TO COMPEL
NOTE ON MOTION CALENDAR: Wednesday, May 11, 2016
Davis Wright Tremaine LLP MOTION TO INTERVENE (15-CR-05351-RJB) LAW OFFICES DWT 29531601v1 0050033-000393 1201 Third Avenue, Suite 2200 Seattle, WA 98101-3045 206.622.3150 main · 206.757.7700 fax
I. INTRODUCTION
On February 17, 2016, this Court entered an order granting Defendant’s Third Motion to Compel. See Dkt. 161. Among other things, this Order required the Government to produce evidence related to a security vulnerability that it exploited in the Tor Browser. Specifically, the Government was ordered to produce the entire code it used to deploy a Network Investigative Technique that could be used to remotely place instructions on an individual’s system to send back specified information. The Government has a pending Motion for Reconsideration and For Leave to Submit Filing Ex Parte and In Camera in relation to this Order. See Dkt. 165.
Mozilla now seeks to intervene in relation to the Government’s pending Motion to request modification of the Order, or in the alternative, to participate in the development of this issue as amicus curiae in favor of neither party, for the purpose of requesting that the Court modify its Order to require the government to disclose the vulnerability to Mozilla prior to disclosing it to the Defendant. Absent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability. This risk could impact other products as well. Firefox is released under an open source license. This means that as Firefox source code is continuously developed, it is publicly available for developers to view, modify, share, and reuse to make other products, like the Tor Browser. The Tor Browser comprises a version of Firefox with some minor modifications to add additional privacy features, plus the Tor proxy software that makes the browser’s Internet connection more anonymous.
Mozilla has reason to believe that the exploit that was part of the complete NIT code that this Court ordered the Government to disclose to the defense involves a previously unknown and potentially still active vulnerability in its Firefox code base. This belief rests on the fact that (1) the Tor Browser at issue relies on a modified version of the Firefox browser;
(2) a prior exploit of the Tor Browser software by the government allegedly took advantage of
C. Due Process Requires this Court to Consider Mozilla’s Rights.
Ordering disclosure of the exploit without considering Mozilla’s interests violates Mozilla’s procedural and substantive due process rights under the Fifth Amendment of the United States Constitution. Due process requires courts to hear and consider arguments from parties whose property interests and rights are affected by its decisions. Mathews v. Eldridge, 424 U.S. 319, 348 (1976). Parties “whose property interests are at stake are entitled to ‘notice and an opportunity to be heard.’” Dusenbery v. United States, 534 U.S. 161, 167 (2002).
To consider the weight of Mozilla’s interests, this Court must determine whether the Exploit to be disclosed takes advantage of an unfixed Firefox vulnerability. If it does, Mozilla will suffer harm if the Court orders the government to disclose the vulnerability to the Defendant under the existing protective order. Likewise, Mozilla continues to suffer harm by the Government’s refusal to confirm at this point whether Firefox is the target of the vulnerability. “The fundamental requirement of due process is the opportunity to be heard ‘at a meaningful time and in a meaningful manner.’” Mathews, 424 U.S. at 333; Application of United States for Order Authorizing Installation of Pen Register or Touch-Tone Decoder and Terminating Trap, 610 F.2d 1148, 1157 (3d Cir. 1979) (same). Due process compels this Court to hear Mozilla’s arguments and consider its interests before rendering a decision.8 “The Court's view has been that as long as a property deprivation is not de minimis, its gravity is irrelevant to the question whether account must be taken of the Due Process Clause.” Goss v. Lopez, 419 U.S. 565, 576 (1975).
Other courts have rejected, or altered, the relief requested by the Government to avoid placing an undue burden on affected parties. Consideration of the effect of an order on a company’s products has been a frequent source of litigation under the All Writs Act. In Application of U. S. of Am. for Or. Authorizing Installation of Pen Register or Touch-Tone Decoder and Terminating Trap, 610 F.2d 1148, 1156 (3d Cir. 1979), the court found a deprivation of a property interest where a tracing order denied appellants the free use of their equipment and the services of their employees. Id. at 1156 (“The procedural guarantees of due process attach when the state deprives a person of an interest in ‘liberty’ or ‘property’” and “[t]he most important requirement of due process is the opportunity to be heard at a meaningful time.”); see also In re XXX, Inc., No. 14 Mag. 2258, 2014 WL 5510865, at *2 (S.D.N.Y. Oct. 31, 2014) (“Courts have held that due process requires that a third party subject to an order under the All Writs Act be afforded a hearing on the issue of burdensomeness prior to compelling it to provide assistance to the Government.”); see also In re Order Requiring Apple, Inc. to Assist in the Execution of a Search Warrant Issued by this Ct., 15-mc-01902-JO, 2015 WL 5920207, at *7 (E.D.N.Y. Oct. 9, 2015) (same).
Here, the relief each party seeks—disclosure to the Defendant or continued secrecy by the Government—will affect Mozilla’s property interests in its business and software. If the Exploit takes advantage of an unfixed Firefox vulnerability, and if the defense receives the Exploit, but Mozilla does not, the vulnerability will be more likely to leak and be used by bad actors, which will harm Mozilla and its users. If the Government retains the vulnerability and does not disclose it at all, Mozilla will continue to be harmed by the nondisclosure, as the vulnerabilities in its software will remain unfixed, exposing Firefox users to potential harm.9 It is worth noting that the Government refuses to tell Mozilla if the Exploit went through the Vulnerabilities Equities Process (“VEP”), which is an interagency process used to determine whether vulnerabilities should be disclosed to the impacted company or should be exploited in secret.
D. If Mozilla Is Not Permitted to Intervene, It Should Be Allowed to Appear as Amicus.
If Mozilla is not permitted to intervene to protect its interests, this Court should certainly allow Mozilla to appear as amicus curiae. The Court has broad discretion to permit a non-party to participate in an action as amicus curiae. See, e.g., Gerritsen v. de la Madrid Hurtado, 819 F.2d 1511, 1514 n.3 (9th Cir. 1987); Nat. Res. Def. Council v. Evans, 243 F. Supp.2d 1046, 1047 (N.D. Cal. 2003) (amici “may file briefs and may possibly participate in oral argument” in district court actions). “District courts frequently welcome amicus briefs from non-parties concerning legal issues that have potential ramifications beyond the parties directly involved or if the amicus has ‘unique information or perspective that can help the court beyond the help that the lawyers for the parties are able to provide.’” Sonoma Falls Dev., LLC v. Nevada Gold & Casinos, Inc., 272 F. Supp.2d 919, 925 (N.D. Cal. 2003) (quoting Cobell v. Norton, 246 F. Supp.2d 59, 62 (D.D.C. 2003) (citation omitted). No special qualifications are required; an individual or entity “seeking to appear as amicus must merely make a showing that his participation is useful to or otherwise desirable to the court.” In re Roxford Foods Litig., 790 F. Supp. 987, 997 (E.D. Cal. 1991).
Because Mozilla will present a unique perspective and will represent the interests of millions of Firefox users, its participation as amicus curiae is particularly important. See Liberty Res., Inc. v. Philadelphia Hous. Auth., 395 F. Supp.2d 206, 209 (E.D. Pa. 2005). (“Courts have found the participation of an amicus especially proper... where an issue of general public interest is at stake.”). This is because the primary role of an amicus is “to assist the Court in reaching the right decision in a case affected with the interest of the general public.” Russell v. Bd. of Plumbing Examiners of the County of Westchester, 74 F. Supp.2d 349, 351 (S.D.N.Y. 1999). In Liberty Resources, a case brought by a disability rights advocacy group against a public housing authority, the court granted amicus curiae status to another advocacy group that represented residents of public housing because the group’s participation “will serve to keep the Court apprised of the interests of non-disabled Section 8 voucher recipients who may be affected by this case.” 395 F. Supp.2d at 209. Similarly, Mozilla here
F. The Protective Order Does Not Adequately Protect Mozilla or its Users.
In light of the dangers that could stem from disclosure of the Exploit, the NIT Protective Order is not adequate to protect the sensitivity of this Exploit. A court may modify a protective order in a criminal case “for good cause.” Fed. R. Crim. P. 16. Good cause exists here because, in the hands of an attacker, the Exploit may provide the ability to either extract information from or gain access to a person’s computer. Mozilla is concerned with the implications to its global user base should the Exploit be disclosed to the Defendant and reveal an active vulnerability in Firefox. An attacker may use this vulnerability for nefarious purposes, including to sell the information or provide access to other individuals, organizations, or governments. It makes no sense to allow the information about the vulnerability to be disclosed to an alleged criminal, but not allow it to be disclosed to Mozilla.
Because of the serious risks associated with disclosure of a vulnerability in Mozilla’s widely used source code, a previously unknown vulnerability in that source code should be treated with the care given to confidential source code containing trade secrets to prevent disclosure to unauthorized parties. In Telebuyer, LLC v. Amazon.com, Inc., No. 13-CV-1677, 2014 WL 5804334, at *2 (W.D. Wash. July 7, 2014), this Court examined a protective order to determine if it adequately protected source code to be disclosed. The Court found that giving “counsel and experts the benefit of the doubt that they will faithfully observe the confidentiality rules to which the parties have already agreed” is not enough. Id. Vulnerabilities in code as widely used as Mozilla’s are similar to source code because they create a “heightened risk of inadvertent disclosure.” Id. (citing Kelora Sys., LLC v. Target Corp., No. 11-cv-01584, 2011 WL 6000759, at *7 (N.D. Cal. Aug. 29, 2011)). As with source code, “[i]t is very difficult for the human mind to compartmentalize and selectively suppress information once learned, no matter how well-intentioned the effort may be to do so.” In re Deutsche Bank Trust Co. Americas, 605 F.3d 1373, 1378 (Fed. Cir. 2010) (citing FTC v. Exxon Corp., 636 F.2d 1336,
G. The Court Should Order Advance Disclosure of the Exploit to Mozilla
1. Advance Disclosure of Software Vulnerabilities to the Impacted Company is a Best Practice in the Security Community.
In reconsidering its prior order, the Court should be guided by established best practices of advance disclosure in software vulnerability management. These go by different names in the security community such as “Coordinated Disclosure,” “Partial Disclosure,” and “Responsible Disclosure.” The underlying principle is that the security researcher who discovers the vulnerability notifies the affected company and allows some time for the vulnerability to be fixed before it is disclosed publicly, which may occur at security conferences, in papers, distribution lists, or through the company’s own announcement.19 This
To the extent that the phrase “defense team” for purposes of the NIT incorporates the general protective order, the number of people who will be exposed to the vulnerability may be excessively broad. See (Dkt. 19 2 (defining “defense team” to include attorneys of record, and investigators, paralegals, law clerks, experts and assistants for the attorneys of record)).
Mozilla was not contacted by the Government regarding the development of the protective order and therefore played no role in the drafting of the order.