The FBI and the Mozilla Foundation Lock Horns over Known Security Hole
The Mozilla Foundation and the FBI recently have clashed over security weaknesses. The FBI is aware of a weakness in the Tor browser that may affect Firefox—it's a weakness the FBI has exploited during an investigation.
Mozilla wants the FBI to reveal the details of the exploit ahead of the trial, but the FBI is playing its cards close to its chest. Because of the potential risk to its users, Mozilla has turned to the courts to force the FBI to reveal its information.
It's just the latest of several high-profile cases this year concerning security and privacy. Each of these cases has involved the Federal government and software firms or communities. For the average guy on the street, it's just business as usual. But for those who keep an ear to the ground, it's hard not to read between the lines.
The Mozilla Foundation is a strong proponent of our right to encryption and sees it as an extension of our basic rights to privacy. And, indeed, there are many who see privacy as a fundamental human right and believe we should be allowed to use technology to protect those rights. But, then there are those who seek to circumvent that technology and intrude on those rights.
On the one hand, we have cyber-criminals who steal private information and use their knowledge to harm others. On the other hand, we have law enforcement agencies who break down the walls of anonymity to expose crime and punish the guilty.
But, it's not so black and white. In fact, there's an entire spectrum of gray shades. This is what makes privacy such a thorny topic. Privacy and encryption are often at the heart of conflicts between governments, individuals and groups.
There are whistle-blowers who expose corruption within governments and public institutions, often at risk of their liberty or even their lives. Without software that protects privacy and encodes messages, they can't perform their civic duty safely.
The same technology is also used by governments to protect sensitive information and diplomatic communications.
We all rely on encryption to keep our sensitive information safe. In fact, we all require the protection offered by encryption software. You wouldn't want your banking details or medical records to become public.
But, many use the same technology for dark purposes—child pornographers, drug traffickers and terrorists to name a few. Surely governments should be able to circumvent technology to catch them?
Then again, wherever there's power, there's a risk of corruption. Corruption exists within the ivory halls of government, just as it does in all walks of life.
As citizens, we have an undeniable right to protect our privacy. And we are right to expect our government to investigate and prevent cyber-crime. Both of these interests are valid, and they are often at odds.
There's no black-and-white answer to the question of encryption and security. Perhaps it's simpler to look at this as a software issue. Software should work. It should meet its requirements and fulfill its specifications. When software contains defects, they should be detected and fixed.
If users have a right to protect their privacy with software, then they should be able to demand that the software works as expected. And if people know about a flaw in the software, they should let the developers know. While this makes sense from a software developer's point of view, I can't help but feel naively idealistic as I write this.
When the FBI brings its case to trial, it will have to hand its evidence over to the court and the defendant. In this case, the defendant is a teacher who stands accused of downloading child pornography. It's a heinous crime, and there are few who would object to the FBI using any tools at its disposal to stop it.
But from the moment the FBI reveals the details of its investigation, the security weakness will become a matter of public record. The security holes that made the investigation possible instantly will become available to everyone, including criminals who could exploit it.
Mozilla wants to gain access to that information in advance, so it can patch any weaknesses in the Firefox codebase. At the moment, Mozilla isn't even sure if the weakness affects every version of Firefox or just the Tor browser.
It's hard to imagine what the FBI has to gain by withholding this information. As soon as it becomes public knowledge, hardened cyber-criminals will know about it and be able to circumvent it. So it will lose its value as an investigative tool almost overnight.
But the millions of everyday users who rely on Firefox for their day-to-day browsing will be at risk, and Mozilla will have to rush to repair the damage. Of course, Mozilla will get a security patch out quickly, but in the meantime, who's to say how many innocent users could be compromised?
The subject of encryption and security are highly politically charged and easily misunderstood. Hopefully, Mozilla's legal team will be able to get these points across in court.