In the legal back-and-forth surrounding the FBI's hack and subsequent arrest of 1,500 users of a dark web child pornography site called Playpen, the FBI has now moved to classify the Tor Browser exploit they used, Motherboard reports, citing reasons of national security. Last month, Mozilla -- whose code much of the Tor Browser is based on -- asked the FBI to identify the exploit the agency used to install location-tracking malware on users' computers. That request was approved and then quickly thrown out by a judge in Washington state, who reversed his decision when the Justice Department also convinced him that the exploit was a matter of national security.
"The FBI has derivatively classified portions of the tool, the exploits used in connection with the tool, and some of the operational aspects of the tool in accordance with the FBI's National Security Information Classification Guide," the government's attorneys wrote in a filing made in response to one of the defendants earlier this month. As Motherboard points out, the FBI originally wanted to classify their reasons for not handing over the exploit, rather than the exploit itself. That filing has been amended and is simply waiting on a signature from the FBI Original Classification Authority to confirm it will be hidden from public view. While experts believe the national security excuse is tenuous, the Department of Justice does have a recorded history of classifying inappropriate information. A 2013 report from the DOJ's own office of the Inspector General revealed several documents in which "unclassified information was inappropriately identified as being classified."
If the FBI is successful in classifying their exploit tool, it would make it difficult to verify that their evidence, which affects over 1,500 related cases, was obtained through legal means. On the other hand, a legal loophole set in place by the Classified Information Procedures Act could allow the defense teams in these cases to review certain classified materials, although that's not guaranteed.
As for the Tor Project, the problems here are clear: how can an open, yet unknown, security flaw endanger the lives or human rights of those around the world who legitimately rely on a browser built for privacy and security?