Case 3:15-cr-05351-RJB Document 195 Filed 05/11/16 Page 1 of 54
The Honorable Robert J. Bryan

UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF WASHINGTON
AT TACOMA

UNITED STATES OF AMERICA, Plaintiff,
v.
JAY MICHAUD, Defendant.

No. 15-CR-05351-RJB

MOZILLA’S MOTION TO INTERVENE OR APPEAR AS AMICUS CURIAE IN RELATION TO GOVERNMENT’S MOTION FOR RECONSIDERATION OF COURT’S ORDER ON THE THIRD MOTION TO COMPEL

NOTE ON MOTION CALENDAR: Wednesday, May 11, 2016

MOTION TO INTERVENE (15-CR-05351-RJB)
DWT 29531601v1 0050033-000393
Davis Wright Tremaine LLP, Law Offices, 1201 Third Avenue, Suite 2200, Seattle, WA 98101-3045, 206.622.3150 main · 206.757.7700 fax

I. INTRODUCTION

On February 17, 2016, this Court entered an order granting Defendant’s Third Motion to Compel. See Dkt. 161. Among other things, this Order required the Government to produce evidence related to a security vulnerability that it exploited in the Tor Browser. Specifically, the Government was ordered to produce the entire code it used to deploy a Network Investigative Technique that could be used to remotely place instructions on an individual’s system to send back specified information. The Government has a pending Motion for Reconsideration and For Leave to Submit Filing Ex Parte and In Camera in relation to this Order. See Dkt. 165.

Mozilla now seeks to intervene in relation to the Government’s pending Motion to request modification of the Order, or in the alternative, to participate in the development of this issue as amicus curiae in favor of neither party, for the purpose of requesting that the Court modify its Order to require the government to disclose the vulnerability to Mozilla prior to disclosing it to the Defendant.
Absent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability. This risk could impact other products as well. Firefox is released under an open source license. This means that as Firefox source code is continuously developed, it is publicly available for developers to view, modify, share, and reuse to make other products, like the Tor Browser. The Tor Browser comprises a version of Firefox with some minor modifications to add additional privacy features, plus the Tor proxy software that makes the browser’s Internet connection more anonymous.

Mozilla has reason to believe that the exploit that was part of the complete NIT code that this Court ordered the Government to disclose to the defense involves a previously unknown and potentially still active vulnerability in its Firefox code base. This belief rests on the fact that (1) the Tor Browser at issue relies on a modified version of the Firefox browser; (2) a prior exploit of the Tor Browser software by the government allegedly took advantage of a vulnerability in Firefox code base[1]; and (3) technical experts in this case have suggested that the government has access to a Firefox vulnerability.[2] Mozilla has contacted the Government about this matter but the Government recently refused to provide any information regarding the vulnerability used, including whether it affects Mozilla’s products. Accordingly, Mozilla requests that the Court modify its order to take into account how such disclosure may affect Mozilla and the safety of the several hundred million users who rely on Firefox.

If the disclosure involves a vulnerability in a Mozilla product, due process requires this Court to consider Mozilla’s interests and the potentially serious public impact of any disclosure of the vulnerability before ordering the Government to make such disclosure solely to Defendant Jay Michaud (“Defendant”). “For more than a century the central meaning of procedural due process has been clear: ‘Parties whose rights are to be affected are entitled to be heard.’” Fuentes v. Shevin, 407 U.S. 67, 80 (1972). Although Mozilla is not opposed to disclosure to the Defendant, any disclosure without advance notice to Mozilla will inevitably increase the likelihood the exploit will become public before Mozilla can fix any associated Firefox vulnerability. Public disclosure is even more likely where, as here, the protective order does not prevent knowledge about the exploit from being disclosed to third parties, but limits only the circulation of copies of the material provided by the government. The information about the exploit is likely small in quantity and easily remembered. To protect the safety of Firefox users, and the integrity of the systems and networks that rely on Firefox, Mozilla requests that the Court order that the Government disclose the exploit to Mozilla at least 14 days before any disclosure to the Defendant, so Mozilla can analyze the vulnerability, create a fix, and update its products before the vulnerability can be used to compromise the security of its users’ systems by nefarious actors.[3]

[1] See Dan Goodin, Attackers wield Firefox exploit to uncloak anonymous Tor users, ArsTechnica (http://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/).
[2] Christopher Soghoian, Twitter (Apr. 28, 2016, 12:18 PM), https://twitter.com/csoghoian/status/725720824003592192.
[3] Mozilla has high confidence that it will be able to fix a vulnerability within the fourteen day period.

II. CORPORATE DISCLOSURE STATEMENT

Mozilla Corporation states that it is a wholly owned subsidiary of the Mozilla Foundation, a 501(c)(3) non-profit (collectively referred to herein as “Mozilla”). No publicly held corporation has an ownership stake of 10% or more in Mozilla.

III. STATEMENT OF INTEREST

Mozilla is a global, mission-driven organization that works with a worldwide community to create open source products like its web browser Firefox. Mozilla is guided by a set of principles that recognize, among other things, that individuals’ security and privacy on the Internet are fundamental and must not be treated as optional. Mozilla seeks to intervene to protect the security of its products and the large number of people who use those products that are not a party to this proceeding. The security community has publicly speculated that the software exploit that was used to deploy the NIT code (“Exploit”) in the Tor Browser implicates an undisclosed vulnerability in Mozilla’s Firefox web browser (“Firefox”). Firefox is among the most popular browsers in the world, with several hundred million users who rely on Firefox to discover, experience, and connect them to the internet on computers, tablets, and mobile phones.

IV. ARGUMENT

A. The Exploit Employed Here Likely Relates to a Vulnerability in the Firefox Browser.

The Government has refused to tell Mozilla whether the vulnerability at issue in this case involves a Mozilla product.
Nevertheless, Mozilla has reason to believe that the Exploit the Government used is an active vulnerability in its Firefox code base that could be used to compromise users and systems running the browser. On April 13, 2016, based on the government’s filings, Motherboard reported that experts believed that the FBI was aware of a vulnerability in the Firefox browser. Joseph Cox, The FBI May Be Sitting on a Firefox Vulnerability, Motherboard (Apr. 13, 2016).[4] The article quoted a researcher who noted that the Tor Browser at issue here “is simply Firefox running in a hardened mode.” Id. (quoting Nicholas Weaver, The FBI’s Firefox Exploit, Lawfare (Apr. 7, 2016)).[5] Although it is not “simple,” it is true that the Tor Browser uses several million lines of code from Firefox. Further, the Government’s efforts to resist disclosure here have led commentators to believe that the vulnerability has not been patched and is still effective. Id.; Weaver, supra (“The[ ] mere fact they are expending energy to do [this] may indicate the exploit is a zero day; if it were already publically known there would be limited strategic value in keeping it secret.”) Use of a Firefox vulnerability to investigate Tor users would not be surprising. In 2013, the Guardian published a presentation from the NSA stating that it sought a “native Firefox exploit” to target Tor users effectively. Cox, supra (referencing ‘Peeling back the layers of Tor with EgotisticalGiraffe'—read the document, The Guardian (Oct. 4, 2013)).[6]

[4] http://motherboard.vice.com/read/the-fbi-may-be-sitting-on-a-firefox-vulnerability.

The parties’ affidavits and documents likewise provide a reasonable basis for this belief.
Special Agent Alfin stated that the NIT is a single component—a single computer instruction delivered to a defendant’s computer. (Decl. of FBI Special Agent Daniel Alfin in supp. of Mot. for Reconsideration (“Alfin Dec.”), Dkt. 166-2 ¶4). It is an “exploit” that took advantage of a “software vulnerability.” (Dkt 166-2 ¶ 6). As such, the exploit is not malware or a program, but a command sent to exploit a vulnerability in the software used by the Defendant. The Defendant used the Tor Browser, and the Tor Browser is based on Mozilla’s Firefox code. (Dkt 48-1, Aff. in supp. of Search Warrant, ¶ 7).[7] In other words, the Exploit took advantage of a vulnerability in the browser software used by the Defendant to deploy the NIT on the Defendant's computer.

Thus, caught between a wall of silence from the government, serious public speculation about potential vulnerabilities in Firefox, and evidence in the record that supports the belief that Firefox vulnerabilities are involved, Mozilla petitions the Court because the interests of its users are not adequately represented by the parties to this case.

[5] https://www.lawfareblog.com/fbis-firefox-exploit.
[6] http://www.theguardian.com/world/interactive/2013/oct/04/egotistical-giraffe-nsa-tor-document.
[7] https://www.torproject.org/projects/torbrowser.html.en

B. The Court Should Allow Mozilla to Intervene in This Case.

Mozilla has a legitimate interest in these proceedings.
Courts have long recognized the ability of “corporations and business entities” to intervene in criminal proceedings “to protect privileged or confidential information or documents obtained, or property seized, during a criminal investigation.” Harrelson v. United States, 967 F. Supp. 909, 912-13 (W.D. Tex. 1997) (collecting cases); see also United States v. Cuthbertson, 651 F.2d 189, 193 (3d Cir. 1981), cert. denied, 454 U.S. 1056 (1981), (holding the persons affected by the disclosure of allegedly privileged materials may intervene in pending criminal proceedings and seek protective orders); United States v. Feeney, 641 F.2d 821, 824 (10th Cir. 1981) (holding that a party affected by disclosure of allegedly privileged materials could intervene in a criminal action to seek a protective order). Intervention in a criminal case is appropriate and permitted even though the Federal Rules of Criminal Procedure do not specifically provide for intervention. United States v. Collyard, CRIM. 12-0058 SRN, 2013 WL 1346202, at *2 (D. Minn. Apr. 3, 2013) (“Despite a lack of authority in the criminal rules, motions to intervene in criminal proceedings have been granted in limited circumstances where ‘a third party's constitutional or other federal rights are implicated by the resolution of a particular motion, request, or other issue during the course of a criminal case.’”) (quoting United States v. Carmichael, 342 F.Supp.2d 1070, 1072 (M.D. Ala. 2004)); United States v. Crawford Enterprises, Inc., 735 F.2d 174, 176 (5th Cir. 1984) (remanding for further consideration after denial of motion to intervene where intervenor made showing it was entitled to intervention in part because it was being adversely affected by the disclosure of certain documents). Here, intervention is warranted for reasons similar to those presented by follow-on litigation in United States v. Swartz, 945 F.Supp.2d 216 (D. Mass. 2013). There, after the tragic death of Mr. 
Swartz, the Massachusetts Institute of Technology (MIT) and JSTOR moved to intervene to partially oppose the modification of a protective order allowing the public disclosure of discovery materials containing sensitive information about vulnerabilities in the organizations’ networks (among other information), without first allowing a pre-production review. Id. at 218. Noting that “[s]everal courts have recognized this kind of limited intervention as a proper device by which third parties may assert their interest in protecting confidential materials obtained during criminal proceedings,” the court permitted the organizations to intervene. Id. at 218-219. The court granted the organizations’ motions and allowed them to review and redact discovery materials concerning vulnerabilities in their computer networks before public disclosure. Id. at 219, 222. Similarly Mozilla has an interest in pre-review disclosure in this case to avoid causing potential harm to innocent Firefox users. The Court should, therefore, allow Mozilla to intervene to mitigate the risks of such disclosure.

C. Due Process Requires this Court to Consider Mozilla’s Rights.

Ordering disclosure of the exploit without considering Mozilla’s interests violates Mozilla’s procedural and substantive due process rights under the Fifth Amendment of the United States Constitution. Due process requires courts to hear and consider arguments from parties whose property interests and rights are affected by its decisions. Mathews v. Eldridge, 424 U.S. 319, 348 (1976). Parties “whose property interests are at stake are entitled to ‘notice and an opportunity to be heard.’” Dusenbery v. United States, 534 U.S.
161, 167 (2002).

To consider the weight of Mozilla’s interests, this Court must determine whether the Exploit to be disclosed takes advantage of an unfixed Firefox vulnerability. If it does, Mozilla will suffer harm if the Court orders the government to disclose the vulnerability to the Defendant under the existing protective order. Likewise, Mozilla continues to suffer harm by the Government’s refusal to confirm at this point whether Firefox is the target of the vulnerability. “The fundamental requirement of due process is the opportunity to be heard ‘at a meaningful time and in a meaningful manner.’” Mathews, 424 U.S. at 333; Application of United States for Order Authorizing Installation of Pen Register or Touch-Tone Decoder and Terminating Trap, 610 F.2d 1148, 1157 (3d Cir. 1979) (same). Due process compels this Court to hear Mozilla’s arguments and consider its interests before rendering a decision.[8]

[8] “The Court's view has been that as long as a property deprivation is not de minimis, its gravity is irrelevant to the question whether account must be taken of the Due Process Clause.” Goss v. Lopez, 419 U.S. 565, 576 (1975).

Other courts have rejected, or altered, the relief requested by the Government to avoid placing an undue burden on affected parties. Consideration of the effect of an order on a company’s products has been a frequent source of litigation under the All Writs Act. In Application of U. S. of Am. for Or. Authorizing Installation of Pen Register or Touch-Tone Decoder and Terminating Trap, 610 F.2d 1148, 1156 (3d Cir.
1979), the court found a deprivation of a property interest where a tracing order denied appellants the free use of their equipment and the services of their employees. Id. at 1156 (“The procedural guarantees of due process attach when the state deprives a person of an interest in ‘liberty’ or ‘property’” and “[t]he most important requirement of due process is the opportunity to be heard at a meaningful time.”); see also In re XXX, Inc., No. 14 Mag. 2258, 2014 WL 5510865, at *2 (S.D.N.Y. Oct. 31, 2014) (“Courts have held that due process requires that a third party subject to an order under the All Writs Act be afforded a hearing on the issue of burdensomeness prior to compelling it to provide assistance to the Government.”); see also In re Order Requiring Apple, Inc. to Assist in the Execution of a Search Warrant Issued by this Ct., 15-mc-01902-JO, 2015 WL 5920207, at *7 (E.D.N.Y. Oct. 9, 2015) (same).

Here, the relief each party seeks—disclosure to the Defendant or continued secrecy by the Government—will affect Mozilla’s property interests in its business and software. If the Exploit takes advantage of an unfixed Firefox vulnerability, and if the defense receives the Exploit, but Mozilla does not, the vulnerability will be more likely to leak and be used by bad actors, which will harm Mozilla and its users. If the Government retains the vulnerability and does not disclose it at all, Mozilla will continue to be harmed by the nondisclosure, as the vulnerabilities in its software will remain unfixed, exposing Firefox users to potential harm.[9]

[9] It is worth noting that the Government refuses to tell Mozilla if the Exploit went through the Vulnerabilities Equities Process (“VEP”), which is an interagency process used to determine whether vulnerabilities should be disclosed to the impacted company or should be exploited in secret.

D. If Mozilla Is Not Permitted to Intervene, It Should Be Allowed to Appear as Amicus.

If Mozilla is not permitted to intervene to protect its interests, this Court should certainly allow Mozilla to appear as amicus curiae. The Court has broad discretion to permit a non-party to participate in an action as amicus curiae. See, e.g., Gerritsen v. de la Madrid Hurtado, 819 F.2d 1511, 1514 n.3 (9th Cir. 1987); Nat. Res. Def. Council v. Evans, 243 F. Supp.2d 1046, 1047 (N.D. Cal. 2003) (amici “may file briefs and may possibly participate in oral argument” in district court actions). “District courts frequently welcome amicus briefs from non-parties concerning legal issues that have potential ramifications beyond the parties directly involved or if the amicus has ‘unique information or perspective that can help the court beyond the help that the lawyers for the parties are able to provide.’” Sonoma Falls Dev., LLC v. Nevada Gold & Casinos, Inc., 272 F. Supp.2d 919, 925 (N.D. Cal. 2003) (quoting Cobell v. Norton, 246 F. Supp.2d 59, 62 (D.D.C. 2003) (citation omitted)). No special qualifications are required; an individual or entity “seeking to appear as amicus must merely make a showing that his participation is useful to or otherwise desirable to the court.” In re Roxford Foods Litig., 790 F. Supp. 987, 997 (E.D. Cal. 1991).

Because Mozilla will present a unique perspective and will represent the interests of millions of Firefox users, its participation as amicus curiae is particularly important. See Liberty Res., Inc. v. Philadelphia Hous. Auth., 395 F. Supp.2d 206, 209 (E.D. Pa. 2005). (“Courts have found the participation of an amicus especially proper . . .
where an issue of general public interest is at stake.”). This is because the primary role of an amicus is “to assist the Court in reaching the right decision in a case affected with the interest of the general public.” Russell v. Bd. of Plumbing Examiners of the County of Westchester, 74 F. Supp.2d 349, 351 (S.D.N.Y. 1999). In Liberty Resources, a case brought by a disability rights advocacy group against a public housing authority, the court granted amicus curiae status to another advocacy group that represented residents of public housing because the group’s participation “will serve to keep the Court apprised of the interests of non-disabled Section 8 voucher recipients who may be affected by this case.” 395 F. Supp.2d at 209. Similarly, Mozilla here will represent the interests of Firefox users in maintaining the security of the browser, an interest that is not adequately represented by the parties to this case. Accordingly, this Court should allow Mozilla to appear as amicus curiae and present argument on the Government’s Motion for Reconsideration.

E. If the Exploit Implicates Firefox, Failure to Disclose the Vulnerability to Mozilla Threatens to Harm Mozilla, Its Developers, and Its Users.

If the Court determines that the Exploit takes advantage of an unfixed vulnerability in Firefox, disclosure to any third parties, including the defendant, before it can be fixed may threaten the security of the devices of Firefox users.[10] And neither Mozilla nor the government would know if a third-party had received information to exploit the vulnerability until potentially wide-spread damage had occurred. Firefox is used by individuals, businesses, and governments around the world, including by the U.S. government users and by private-sector users who work as part of the critical infrastructure. As commentators have observed, “Firefox is critical computing infrastructure. Many government computers give the user a choice between Firefox and Internet Explorer. A Firefox exploit in the wrong hands could result in millions of ransomware infections or could permit an adversary to penetrate government networks through phishing URLs, watering-hole attacks, or packet-injection attacks.” Weaver, supra.

[10] Indeed, the government’s resistance to making such disclosure appears to be premised, at least in part, on the concern that the disclosure to the defendant could lead to further disclosures, bringing about exactly the type of harm that could be averted if Mozilla were made aware of the nature of the vulnerability.

Web browsers are an attractive means of attacking personal and corporate computers because they are the gateway experience to the Internet. In the web browser context, a severe vulnerability is an ambiguity in code that allows a third party to tell the computer to run its code, instead of what the computer should run next. Once this happens, the third party can gain total control of the computer. For example, the third party can see what the user is doing in a different browser tab, read all data on the computer, see every action the user takes or even turn on the computer’s camera or microphone to watch and listen to the user. See, e.g., Nate Anderson, Meet the men who spy on women through their webcams, ArsTechnica (Mar.
10, 2013) (describing hackers’ use of a remote access tool to spy on victims through their webcams and search their computers for personal pictures).[11] The information contained in the Declaration of Special Agent Alfin suggests that the Government exploited the very type of vulnerability that would allow third parties to obtain total control of an unsuspecting user’s computer.[12]

The wider the use of code, the greater the harm in refusing to disclose such a vulnerability.[13] “In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection. Eliminating the vulnerabilities—‘patching’ them—strengthens the security of US Government, critical infrastructure, and other computer systems.” Id. at 220. Mozilla’s Firefox code falls into this category. Firefox is one of the most used web browsers in the world, with an installed base of several hundred million people around the world. See Mozilla Press Center, Mozilla at a Glance.[14] And even more products, like the Tor Browser, have incorporated portions of Mozilla’s open source code.[15]

In light of Firefox’s wide, critical uses, Mozilla’s internal policies reflect the care that must be given to vulnerabilities in its code. Bug reports with security vulnerabilities are flagged and assigned special access controls to restrict them to a known group of people. (Ex. A). Mozilla often holds information about these bugs confidential until it can fix the bugs and deploy the fix to users. Although Mozilla’s software development work is typically conducted in public forums, these security processes are intentionally not publicly visible to prevent malicious actors from learning the details of the vulnerability.

[11] http://arstechnica.com/tech-policy/2013/03/rat-breeders-meet-the-men-who-spy-on-women-through-their-webcams/1/.
[12] Dkt 166-2, Alfin Decl. at ¶¶ 13-15, which indicates that the NIT was delivered to Michaud’s computer, and then was able to obtain data from the computer itself, such as the MAC address, which would usually not be visible to the browser.
[13] Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies, Liberty and Security in a Changing World, 220 (Dec. 12, 2013) https://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf.
[14] https://blog.mozilla.org/press/ataglance/.
[15] http://www.theatlantic.com/technology/archive/2014/05/should-hackers-fix-cybersecurity-holes-or-exploit-them/371197/.

F. The Protective Order Does Not Adequately Protect Mozilla or its Users.

In light of the dangers that could stem from disclosure of the Exploit, the NIT Protective Order is not adequate to protect the sensitivity of this Exploit. A court may modify a protective order in a criminal case “for good cause.” Fed. R. Crim. P. 16. Good cause exists here because, in the hands of an attacker, the Exploit may provide the ability to either extract information from or gain access to a person’s computer. Mozilla is concerned with the implications to its global user base should the Exploit be disclosed to the Defendant and reveal an active vulnerability in Firefox. An attacker may use this vulnerability for nefarious purposes, including to sell the information or provide access to other individuals, organizations, or governments. It makes no sense to allow the information about the vulnerability to be disclosed to an alleged criminal, but not allow it to be disclosed to Mozilla.

Because of the serious risks associated with disclosure of a vulnerability in Mozilla’s widely used source code, a previously unknown vulnerability in that source code should be treated with the care given to confidential source code containing trade secrets to prevent disclosure to unauthorized parties. In Telebuyer, LLC v. Amazon.com, Inc., No. 13-CV-1677, 2014 WL 5804334, at *2 (W.D. Wash. July 7, 2014), this Court examined a protective order to determine if it adequately protected source code to be disclosed. The Court found that giving “counsel and experts the benefit of the doubt that they will faithfully observe the confidentiality rules to which the parties have already agreed” is not enough. Id. Vulnerabilities in code as widely used as Mozilla’s are similar to source code because they create a “heightened risk of inadvertent disclosure.” Id. (citing Kelora Sys., LLC v. Target Corp., No. 11-cv-01584, 2011 WL 6000759, at *7 (N.D. Cal. Aug. 29, 2011)). As with source code, “[i]t is very difficult for the human mind to compartmentalize and selectively suppress information once learned, no matter how well-intentioned the effort may be to do so.” In re Deutsche Bank Trust Co. Americas, 605 F.3d 1373, 1378 (Fed. Cir. 2010) (citing FTC v. Exxon Corp., 636 F.2d 1336, 1350 (D.C. Cir. 1980)). Thus, disclosure to the Defendant without adequate advance notice to Mozilla in this case could cause great risk to the public.

Unlike the protective order Amazon proposed and the Court entered in Telebuyer, the protective order here turns copies of the NIT material over to the Defendant, but does not provide adequate safeguards.[16] For example, the protective order in Telebuyer required copies to be provided only on password-protected computers stored in a large room. Ex. B, Protective Order, Case No. 13-cv-01677 (W.D. Wash Aug. 7, 2014). It prohibits any viewer of the source code from possessing any input/output device while viewing the source code. It requires viewers to take notes only on a laptop not connected to any network and restricts internet access to another room. Viewers must sign a log stating when they viewed the source code, and all technical advisors must be identified and pre-approved before viewing the source code.

[16] Nor does it expressly permit disclosure to Mozilla. At the very least, the protective order should not interfere with such disclosure.

The protective order here contains no such restrictions. The relevant provisions of the protective order state that:

2. The United States will make available copies of discovery materials, including those filed under seal, to defense counsel to comply with the government’s discovery obligations. Possession of copies of the NIT Protected Material is limited to the attorneys of record, members of the defense team employed by the Office of the Federal Defender, and Vlad Tsyrklevich, an expert retained by the defense team. (hereinafter collectively referred to as members of the defense team).

3. The attorneys of record and members of the defense team may display and review the NIT Protected Material with the Defendant. The attorneys of record and members of the defense team acknowledge that providing copies of the NIT Protected Material, or information contained therein, to the Defendant and other persons is prohibited, and agree not to duplicate or provide copies of NIT Protected Material, or information contained therein, to the Defendant and other persons.

4. The United States Attorney’s Office for the Western District of Washington is similarly allowed to display and review the NIT Protected Material, or information contained therein, to lay witnesses, but is otherwise prohibited from providing copies of the NIT Protected Material, or information contained therein, to lay witnesses, i.e. non-law enforcement witnesses.

(Dkt. 102). The protective order does not contain restrictions on disclosing knowledge learned through examining NIT Protected Material. This alone marks a serious deficiency in the Protective Order as the damaging information about the vulnerability is likely something that someone can easily remember. Rather, the Protective Order’s disclosure restrictions are limited to the further distribution of the copies of information the defense receives from the government. Dkt. 102, ¶¶ 2-4, 8. Without more restrictive provisions, the protective order relies too heavily on the Defendant’s representations he and his defense team will not share copies, but not on any explicit agreement that they will not share or use information learned or that they will put security safeguards in place.[17] As the Telebuyer court stated, a sufficient protective order should “restrict[] how, when, and where the information is displayed, how much can be printed, and how it is transported.” Id.
As in Telebuyer, the protective order here “does not do these things, and [a] promise of fidelity to the confidentiality rules, however sincere, is not a substitute.” Telebuyer, LLC, 2014 WL 5804334 at *2.18

17 To the extent that the phrase “defense team” for purposes of the NIT incorporates the general protective order, the number of people who will be exposed to the vulnerability may be excessively broad. See (Dkt. 19 ¶ 2 (defining “defense team” to include attorneys of record, and investigators, paralegals, law clerks, experts and assistants for the attorneys of record)).

18 Mozilla was not contacted by the Government regarding the development of the protective order and therefore played no role in the drafting of the order.

G. The Court Should Order Advance Disclosure of the Exploit to Mozilla

1. Advance Disclosure of Software Vulnerabilities to the Impacted Company is a Best Practice in the Security Community.

In reconsidering its prior order, the Court should be guided by established best practices of advance disclosure in software vulnerability management. These go by different names in the security community such as “Coordinated Disclosure,” “Partial Disclosure,” and “Responsible Disclosure.” The underlying principle is that the security researcher who discovers the vulnerability notifies the affected company and allows some time for the vulnerability to be fixed before it is disclosed publicly, which may occur at security conferences, in papers, distribution lists, or through the company’s own announcement.19 This advance notification allows the company to evaluate the damage that may have already occurred, to fix the vulnerability, and to inform future responses to similar attack vectors. It also provides the affected company with an opportunity to mitigate any ongoing harm or additional potential harm that could be caused when a vulnerability is disclosed publicly and weaponized before it can be fixed. By contrast, if a vulnerability is publicly disclosed before a company is notified, criminals can quickly mount attacks using the published information, resulting in the proliferation of malware that can threaten the security of individual, corporate, and government networks (and the information stored therein). See, e.g., Scott Culp, It’s Time to End Information Anarchy, Microsoft TechNet (Oct. 2001) (describing the proliferation of worms following security researchers’ publication of instructions for exploiting system vulnerabilities).20

19 https://www.mozilla.org/en-US/security/bug-bounty/

Advance disclosure is a fundamental part of the 24/7 effort to stay ahead of attackers exploiting vulnerabilities. Mozilla receives vulnerability reports from security researchers, governments (U.S. and foreign), other companies, developers working with Firefox code, and even end users. Mozilla, Firefox Bug Bounty Rewards.21 The timeframe to fix a vulnerability varies based on factors such as the severity of the issue, how complex the fix is, whether the reporter has a disclosure timeline, whether other systems are affected, and whether the vulnerability is being actively exploited.
Particularly with a vulnerability that is being actively exploited, it is a race against time to fix the vulnerability and deploy an update to protect users from ongoing harm.

20 https://web.archive.org/web/20011109045330/http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp

21 Available at https://www.mozilla.org/en-US/security/bug-bounty/hall-of-fame/.

H. Advance Disclosure of Software Vulnerabilities to the Impacted Company is in the Public Interest.

Disclosure of vulnerabilities typically occurs in the context of security research, where the purpose is to find and disclose vulnerabilities to strengthen the underlying system. In a judicial proceeding, disclosing a vulnerability provides the defendant with information relevant to his case. Although these scenarios have different purposes, the underlying risks to disclosure are present in both situations. The same mitigation techniques to prevent harm to users should apply, irrespective of the purpose of disclosure.

Should the Court conclude that disclosure to the Defendant is appropriate, the best course of action is first to require the Government to acknowledge to the Court what products the Exploit affects. The Government should then be required to either notify the affected company (or companies) and provide time to fix the vulnerability and deploy updates to their users or to verify that this process has been done. Once completed, or at least underway, the Court could order the Government to disclose the Exploit to the Defendant.
Applying this model of advance disclosure protects users when software vulnerabilities are disclosed through the court system.

V. CONCLUSION

Mozilla respectfully requests it be granted leave to intervene, or alternatively, be permitted to appear as amicus curiae. Mozilla likewise requests that, if the Court orders disclosure to the Defendant and the NIT uses an exploit or vulnerability in Mozilla’s code, it also order the Government to provide information about the NIT to Mozilla 14 days prior to providing that information to the defense to allow Mozilla time to evaluate and fix the vulnerability. Finally, Mozilla requests that the protective order be modified to restrict dissemination and use of knowledge gained from reviewing the NIT Protected Material.

DATED this 11th day of May, 2016.

Davis Wright Tremaine LLP
Attorneys for Non-Party Mozilla

By /s/ James E. Howard
James E. Howard, WSBA #37259
Jeffrey Coopersmith, WSBA #30954
1201 Third Avenue, Suite 2200
Seattle, WA 98101-3045
Telephone: 206-622-3150
Fax: 206-757-7700
E-mail: jimhoward@dwt.com
jeffcoopersmith@dwt.com

Marc Zwillinger (pro hac vice to be filed)
Jacob Sommer (pro hac vice to be filed)
ZwillGen PLLC
1900 M St. NW, Ste. 250
Washington, DC 20036
(202) 296-3585
marc@zwillgen.com
Jake@zwillgen.com

Exhibit A

Handling Mozilla Security Bugs

Version 1.1

IMPORTANT: Anyone who believes they have found a Mozilla-related security vulnerability can and should report it by sending email to the address security@mozilla.org.

Introduction

In order to improve the Mozilla project’s approach to resolving Mozilla security vulnerabilities, mozilla.org is creating more formal arrangements for handling Mozilla security-related bugs. First, mozilla.org is appointing a security module owner charged with primary responsibility for coordinating the investigation and resolution of reported Mozilla security vulnerabilities; the security module owner will have one or more peers to assist in this task. At the same time mozilla.org is also creating a larger “Mozilla security bug group” by which Mozilla contributors and others can participate in addressing security vulnerabilities in Mozilla. This document describes how this new organizational structure will work, and how security-related Mozilla bug reports will be handled. Note that the focus of this new structure is restricted solely to addressing actual security vulnerabilities arising from problems in Mozilla code.
This work is separate from the work of developers adding new security features (cryptographically-based or otherwise) to Mozilla, although obviously many of the same people will be involved in both sets of activities.

Background

Security vulnerabilities are different from other bugs, because their consequences are potentially so severe: users’ private information (including financial information) could be exposed, users’ data could be destroyed, and users’ systems could be used as platforms for attacks on other systems. Thus people have strong feelings about how security-related bugs are handled, and in particular about the degree to which information about such bugs is publicly disclosed.

The Mozilla project is a public software development project, and thus we have an inherent bias towards openness. In particular, we understand and acknowledge the concerns of those who believe that all information about security vulnerabilities should be publicly disclosed as soon as it is known, so that users may take immediate steps to protect themselves and so that problems can get the maximum amount of developer attention and be fixed as soon as possible.

At the same time the Mozilla project receives substantial contributions of code and developer time from organizations that use (or plan to use) Mozilla code in their own product offerings. Some of these products may be used by large populations of end users, many of whom may not often upgrade or check for recent security fixes. We understand and acknowledge the concerns of those who believe that too-hasty disclosure of exploit details can provide a short-term advantage to potential attackers, who can exploit a problem before most end users become aware of its existence.

We believe that both sets of concerns are valid, and that both are worth addressing as best we can. We have attempted to create a compromise scheme for how the Mozilla project will handle reports of security vulnerabilities.
We believe that it is a compromise that can be justified to those on both sides of the question regarding disclosure.

General policies

mozilla.org has adopted the following general policies for handling bug reports related to security vulnerabilities:

Security bug reports can be treated as special and handled differently than “normal” bugs. In particular, the mozilla.org Bugzilla system will allow bug reports related to security vulnerabilities to be marked as “Security-Sensitive,” and will have special access control features specifically for use with such bug reports. However a security bug can revert back to being a normal bug (by having the “Security-Sensitive” flag removed), in which case the access control restrictions will no longer be in effect.
Full information about security bugs will be restricted to a known group of people, using the Bugzilla access control restrictions described above. However that group can and will be expanded as necessary and appropriate.
As noted above, information about security bugs can be held confidential for some period of time; there is no pre-determined limit on how long that time period might be. However this is offset by the fact that the person reporting a bug has visibility into the activities (if any) being taken to address the bug, and has the power to open the bug report for public scrutiny.

The remaining sections of the document describe in more detail how these general policies have been implemented in practice.
Organizational structure for handling security bugs

We are organizing the investigation and fixing of Mozilla security vulnerabilities similar to the way Mozilla project activities are handled in general: There will be a security module owner, a small core group of active contributors who can act as peers to the module owner, a larger group of less active participants, and other people who may become involved from time to time. As with other parts of the Mozilla project, participation in Mozilla security-related activities will be open to both independent volunteers and to employees of the various corporations and other organizations involved with Mozilla.

The Mozilla security module owner and peers

The Mozilla security module owner will have a similar level of power and responsibility as other Mozilla module owners; also as with other Mozilla module owners, mozilla.org staff will oversee the work of the security module owner and select a new security module owner should that ever be necessary for any reason.

The Mozilla security module owner will work with mozilla.org staff to select one or more people to act as peers to the security module owner in investigating and resolving security vulnerabilities; the peers will share responsibility for overseeing and coordinating any and all activities related to security bugs.

The Mozilla security bug group

The Mozilla security module owner and peers will form the core of the Mozilla security bug group, and will select a number of other people to round out the group’s membership.
Each and every member of the Mozilla security bug group will automatically have access to all Mozilla bugs marked “Security-Sensitive.” The members of the Mozilla security bug group will be drawn primarily from the following groups:

security developers (i.e., those whose bugs are often singled out as security-relevant or who have security-relevant bugs assigned to them), and security QA people who are the QA contacts for those bugs;
“exploit hunters” with a good track record of finding significant Mozilla security vulnerabilities;
representatives of the various companies and groups actively distributing Mozilla-based products; and
super-reviewers and drivers.

(The Bugzilla administrators will technically be in the Mozilla security bug group as well, mainly because they already have visibility into all Bugzilla data hosted through mozilla.org.)

The Mozilla security bug group will have a private mailing list, securitygroup@mozilla.org, to which everyone in the security bug group will be subscribed. This list will act as a forum for discussing group policy and the addition of new members, as described below.

In addition, Mozilla.org will maintain a second well-known address, security@mozilla.org, through which people not on the security group can submit reports of security bugs. Mail sent to this address will go to the security module owner and peers, who will be responsible for posting the information received to Bugzilla, and marking the bug as “Security-Sensitive” if it is warranted given the nature and severity of the bug and the risk of potential exploits.
Other participants

Besides the permanent security bug group members described above, there are two other categories of people who may participate in security bug group activities and have access to otherwise-confidential security bug reports:

A person who reports a security bug will have continued access to all Bugzilla activities associated with that bug, even if the bug is marked “Security-Sensitive.”
Any other persons may be given access to a particular security bug, by someone else (who does have access) adding them to the CC list for that bug.

Thus someone reporting a security bug in essence becomes a member of the overall group of people working to investigate and fix that particular vulnerability, and anyone else may be easily invited to assist as well if and when that makes sense.

Expanding the Mozilla security bug group

As previously described, the Mozilla security module owner can select one or more peers to share the core work of coordinating investigation and resolution of Mozilla security vulnerabilities, and will work with them to create some agreed-upon ground rules for how this work can be most effectively shared among themselves. As with other Mozilla modules, we intend that this core group (module owner plus peers) remain small; its membership should change only infrequently and only after consultation with mozilla.org staff.

The security module owner and peers will also work with mozilla.org to populate the initial security bug group. We expect that the Mozilla security bug group will initially be significantly larger than the core group of module owner and peers, and that it may grow even further over time. New members can be added to the Mozilla security bug group as follows:

New people can apply to join the security bug group, or may be recruited by existing members.
Applicants for membership must have someone currently in the security bug group who is willing to vouch for them and nominate them for membership.
Nomination is done by the “voucher” sending email to the security bug group private mailing list.
The applicant’s nomination for membership will then be considered for a period of a few days, during which members of the security bug group can speak out in favor of or against the applicant.
At the end of this period, the security module owner will decide to accept the applicant or not, based on feedback and objections from the security bug group in general and from the module owner’s peers in particular.
If anyone else in the security bug group has a problem with the module owner’s decision then they can appeal to mozilla.org staff, who will make the final decision.

The criteria for membership in the Mozilla security bug group are as follows:

The applicant must be trusted by those already in the group.
The applicant should have a legitimate purpose for wishing to join the group.
The applicant must be able to add value to the group’s activities in some way.

In practice, if over time a particular person happens to be frequently added to the CC list for security-sensitive bugs then they would be a good candidate to be invited to join the security bug group. (As described previously, once added to the security bug group that person would then have automatic access to all bugs marked security-sensitive, without having to be explicitly added to the CC list for each one.)

Note that although we intend to make it relatively simple for a new person to join the security bug group, and we are not limiting the size of the group to any arbitrary number, we also don’t want the group to expand without any limits whatsoever. We reserve the right to cap the membership at some reasonable level, either by refusing new applications or (if necessary and appropriate) by removing some existing members of the security bug group to make room for new ones.
Disclosure of security vulnerabilities

The security module owner, peers, and other members of the Mozilla security bug group will not be asked to sign formal nondisclosure agreements or other legal paperwork. However we do expect members of the group not to disclose security bug information to others who are not members of the Mozilla security bug group or are not otherwise involved in resolving the bug, except that if a member of the Mozilla security bug group is employed by a distributor of Mozilla-based products, then that member may share such information within that distributor, provided that this information is shared only with those who have a need to know, only to the extent they need to know, and such information is labeled and treated as the organization generally treats confidential material, not to post descriptions of exploits in public forums like newsgroups, and to be careful in whom they add to the CC field of a bug (since all those CC’d on a security bug potentially have access to the complete bug report).

When a bug is put into the security bug group, the group members, bug reporter, and others associated with the bug will decide by consensus, either through comments on the bug or the group mailing list, whether an immediate warning to users is appropriate and how it should be worded. The goals of this warning are: to inform Mozilla users and testers of potential security risks in the versions they are using, and what can be done to mitigate those risks, and to establish, for each bug, the amount of information a distributor can reveal immediately (before a fix is available) without putting other distributors and their customers at risk.

A typical warning will mention the application or module affected, the affected versions, and a workaround (e.g. disabling JavaScript).
If the group decides to publish a warning, the module owner, a peer, or some other person they may designate will post this message to the Known Vulnerabilities page (which will be the authoritative source for this information) and will also send a copy of this message to an appropriate moderated mailing list and/or newsgroup (e.g., netscape.public.mozilla.announce and/or some other newsgroup/list established specifically for this purpose). Mozilla distributors who wish to inform their users of the existence of a vulnerability may repost any information from the Known Vulnerabilities page to their own websites, mailing lists, release notes, etc., but should not disclose any additional information about the bug.

The original reporter of a security bug may decide when that bug report will be made public; disclosure is done by clearing the bug’s “Security-Sensitive” flag, after which the bug will revert to being an ordinary bug. We believe that investing this power in the bug reporter simply acknowledges reality: Nothing prevents the person reporting a security bug from publicizing information about the bug by posting it to channels outside the context of the Mozilla project. By not doing so, and by instead choosing to report bugs through the standard Bugzilla processes, the bug reporter is doing a positive service to the Mozilla project; thus it makes sense that the bug reporter should be able to decide when the relevant Bugzilla data should be made public.

However we will ask all individuals and organizations reporting security bugs through Bugzilla to follow the voluntary guidelines below:

Before making a security bug world-readable, please provide a few days notice to the Mozilla security bug group by sending email to the private security bug group mailing list.
Please try not to keep bugs in the security-sensitive category for an unreasonably long amount of time.
Please try to be understanding and accommodating if a Mozilla distributor has a legitimate need to keep a bug in the security-sensitive category for some reasonable additional time period, e.g., to get a new release distributed to users. (Regarding this point, if all Mozilla distributors have a representative on the security bug group, then even if a bug remains in the security-sensitive category all affected distributors can still be informed and take appropriate action.)

The security module owner will be the primary person responsible for ensuring that security bug reports are investigated and publicly disclosed in a timely manner, and that such bug reports do not remain in the Bugzilla database uninvestigated and/or undisclosed. If disputes arise about whether or when to disclose information about a security bug, the security bug group will discuss the issue via its mailing list and attempt to reach consensus. If necessary mozilla.org staff will serve as the “court of last resort.”

A final point about duplicate bug reports: Note that security bugs marked as duplicates are still considered separate as far as disclosure is concerned. Thus, for example, if a particular security vulnerability is reported initially and then is independently reported again by someone else, each bug reporter retains control over whether to publicly disclose their own bug, but their decision will not affect disclosure for the bug reported by the other person.

Changing this policy

This policy is not set in stone. It is our hope that any disputes that arise over membership, disclosure, or any other issue addressed by this policy can be resolved by consensus among the Mozilla security module owner, the module owner’s peers, and other security bug group members through discussions on the private security bug group mailing list.
As with other Mozilla project issues, mozilla.org staff will have the final authority to make changes to this policy, and will do so only after consulting with the various parties involved and with the public Mozilla community, in order to ensure that all views are taken into account.

Portions of this content are ©1998–2016 by individual mozilla.org contributors. Content available under a Creative Commons license.

Exhibit

PROTECTIVE ORDER (Case 2:13-cv-01677-BJR, Document 137, Filed 08/07/14, 29 pages)

[The body text of this exhibit is illegible in this copy. The legible headings are:]

I. PROTECTED CONFIDENTIAL INFORMATION
A. Information Designated as “Confidential Information”
B. Information Designated “Confidential Outside Counsel Only”
C. Information Designated Restricted Confidential – Source Code
i h b tit t b th it t t ith t th i i i t th hi h th t h E t b E t t ti iti i t i i i i t i it i th t t t th h i t th th i i t it t i th i th hi t i tit t i t th i i i t itt hi i i i i i h i t i th i t i i th th i th t h xit h i th ti iti b th t xit i i h t it t h th i i i i t th i i i th t t t th i xit i i t hi t i i i i i i h tit th i i i b th ti i i h i t E i i th i t b t t th b h th t h th t h t t h th t b i i t it th t b th t i i i th t h i t b th t i i i i i t h i i th i th t i t t i t h h ti i th i t t t ti h xit i i i ti b h t t h i h h th t t t th t th th xhibit i h ti t b iti A t i th iti ti t i At i b i t iti t b i ti bit ti t th i t th i i i i thi t t th 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 36 11 of 54 29 i h i ht t th t i i i ti t i t x h t b ti ti th i th t th t ith t bi it i th t th ii i i i h h b t th x th th h t b t th E A i E t th i E t i i tt ti i t h i it t th ti t thi i t h i i t it t h i i ti th i i h h t thi t ti t t i t h i th h i it ti t i h iti t th i t t t ti t i thi iti ti th i i t i i t hi A E th i i i ti ti i ti t i i i E t t ti th i t xhibit b th t th b b th i i i th i i th iti t i i t t thi x i i b th E i ii b th it t b i i i ti tt h t i t th iti t th i t ti iii i i i i i i b t i i thi i i t ti hi t ti i h E itt th t ith E t ti i t th iti i ti ith th t ti i h h t t i b i i t ti i t i x t th i 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 37 12 of 54 29 th ti t E A h A t i i E A h E E i i x t t E th t ii i h b E A t t ith b i tb i h th h ti E ith h tt t t x t i t h ti b i i t i i t th i i ti th t t th t tt h xhibit b it th t i ii iti t i t xhibit th h th iti b i i i i iti t ti h i i E E b t b tb b t i i tt b i i b th xhibit E h t t t ti t ti i i h b i t th t b t i h i th h th iti h th t i ti th t ti t th ith th i it ti h b h i i i t t t At th t h hi h i th t i i t h E tb ti E t E t i th i thi ti i th it t i b i h b i b iti th t t tt it i t i i t 
i th t ti thi t t ib th t ti i i t i h i ti x ti th t th ti th i i t t i i h x t tb t i ti t it t it i i t b hi i th i iti th i i th t i ti hi h ti 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 38 13 of 54 29 i i i t i i h thi iti ti h i th t tit t th t t t i t th t th D. t h it t t t t th t t t thi hi t i i i ti h i thi t ti th i i i t t h t h E A tb it Identifying Protected Information A t t i ti E b i thi t t i t ti i th A A i i t i E t E i t th ti ti i t th i hi h i t h t t th i E t th ti itt E E t ti t i t i i i ix th t ixi th t t th i E h ih t E i t i t t t ib h i th i t th thi i i b i t h it i i it i h t A h t i th thi i ix th i t i t ti i t i i h xt i t i t i i t t t t ib ib t ix th hi h th i ti t A hi h h i ti h i t t tb ti i t b i iti t t i t b th b t t t i t th i th t t b i th ti th i t i th i ib h i i t i i i ti t th th t t ti A th i E E i E t ti t th i b i th th t ti iti t iti th i 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 39 14 of 54 29 th t ii ti th t ti E i E ti t i it t b t ti E h ti t th t ti i i tt i ti th t ti th iti i it i ii t ti E i t th th t th ti t E i t i th th th i i i i h th t tb th tt th th t h i ti i it th h i ht t i ti i t th b x i ti b t ti th th t ti th ti t ti t E t t t i i i t t i i t t th t t t i i i b t h t ti ith th i th b t t th th i it t i i th ti it i th ii it b t i thi iti ti ti t ith t th t t th i th E ih b t i th t t i i t i th ti i ith th i t i t it i t ti th ti E i i h th ii th t i ti th t i xhibit t th i t E t E th ti it th t th i i E th t t t Use of Protected Information in Filings with the Court ti i t ti it i h t i i i i A th A it t E t ti th b th h t ti hi h i ti h t t th E hi t t t i t i th t b E b it t i ht h tit th th t ti b t A E. 
ti thi h ti th t A E i i b i h th t i th t ti ii E E t ti i ht t h th A A th t ti iti i E E ti th t t t i th ii th i t t t t t t t ti ti ii t th i t t i ith t i t i 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 40 15 of 54 29 th th th t ti t ii t th t t i h t t th i t th ii thi i i t thi iti ti b ih t t th t t h Att h xt t th ti i i t i t t ti i t i i i i i t t h i i i hi h t t tA h i t b b t t itt i i t i i t t ii ti i th th t t th h t i t tt h i ith ti t i th t th t h i i h t t th i t i ti i i i i i t h i t t th t i i h h x ith b ti hi h th E t iti ti b i th t h i E h t th t h i i th ti i x th i i th i t h i t t t i t i i t i i t th t h i t i h t ti i i hi i i th ti x i th it h ii i i i t h i i th t th t h i t tit t i t ht h i t i i i ti b ti i ti h t th i b t h i i b t t th t t th t th t th b i iti ti ti i A i h ith ti ti ti th t t h i i i b ii E t ti b i t i b th ti i ith th i Disclosure of Protected Information to Technical Advisers th i i h t th h i F. 
ti h ith i i i t t t it i th b i b h b ti ti i b ti h i i i ti t i t t ti i t th t h i i i th h 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 41 16 of 54 29 ti xt t th i t t ti t h i i ti it th t i b i ti i ti iti b th ti t i i h i i t t ib ithi th th i i th ii t b th ti th i t itt b t th i t h th t ti it b i ti h i t t i b i i ti t th t t i th t i ti t ti i b t t th i t t i i t t th ti t i t ii i t i th t t t h i th x i ti thi t t t ti th b ti i t t t it th t t th b t h i ti i i i t ii i th t i t th ti th b b ti h h b ti ti ii t t t th b ti t th tb ithh b ti ithi th b ti A i t E i ti ti i i th b iti h t ithi th i i ti t t i t t it t t th ti t th b i i i b t t th ti i i th i t t b i th i t b h i b i i i ti b t E th h i i E i t i i ith t i ti h x ti t h i b i i ti ti b hi h b b b t t th t ti ti thi h b b t th t A i t ti t t i i ithi thi ti b i h b i ti t h i i t i t ti b A t h i h t th t h i h i h i t i ti t t t t b th ti i th t ti b i i t i b ti t th t 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 42 17 of 54 29 th ti t th i xt t t ith t i t t ti h t i ith thi ti t t th b h ti t ti ti i t h t t b th i i ti t h i i i ti t t t t ti b t ti t i G. b i t th i b ti ti t i i b th t i th i t th t i hi t t th i t tit ti i t t b ti t h i ti th t th t h i t th ii i h th t i b bi h i h t i ti t A i t ti b i i t i th th i A t ti i t t b i i i t t t i E th t t t E ti t h th tb h bi t h h ti b i t t th i t ti h h i t h i ti i t t ti ith h t th ti t i i h t th t th ti t t t t ti i ti t t t ti h i h i t t t th h i thi ti i i th t i b thi t ith E t ti t th t i ti ti th t i th h bi it t i t ti t t i i i t Challenges to Confidentiality Designations. 
h i t t t th th th b i ti ti t h i hi tit it i th t i h h i b h t h i i i t t h i h t h i ti i th i thi t t ith h h t th t h i th ti bi i i t b i i t itt h t h ti t t t i th b ti h t ti th t b i h th i b t tb h th 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 43 18 of 54 29 i i t t th t th t ti ti th b i i ti t th i H. ti ti h b i ti h t b th b t th i t t th t ti i i h b t t thi Limitations on the Use of Protected Information it i i i ti t A h i i t t b i i t i ti h i t ti t t i ti h ti h i tb i ti i A b t t it ti t tit thi t i h t b h t h tit t b i h i h i t i h b i t ti t t b b t b t i t i i t ti it h i h i t t th t thi iti ti b h t h i h t i i t iti ti thi th h t iti b t t x i ti it i it hi h th h t b th iti ti i b th t ti i ith t i ti i iti th i t b th t t h A i Ex b x t i i i A i i t t t t t t ti hi h h b t b i t ti h b th t hi i x tit t t i i t t hi h h h E E t t i t t t ti tt hi h th b b th t it t i t t i b i i hi h t i ith t t th i t ti E i b x i t ti i t 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 44 19 of 54 29 t i i t t t ti t ti t h t t A ti th th t t th ii thi t i i th t t t hi t t i t th th t i ti th x i ti hibiti t th th x t ith t th th i i t h t t ti t i i th i i i i i ti i ti i i I. 
E bt x i ti th ii h i th h i t tt i t i i h tt t ti t t ti ti ti t i th x t i th t thi t i th t h i th th t ti thi b h th ti t i ii ti t h th thi E i t hi b ith thi ti i h b E ti i ti i t i t i i E th ti b i it h i b h ti t E i th t t A ith thi A ti t th t ii Inadvertent Production of Protected Information Without E i t t t thi ti h t th t h i i t E th t t t i ti h tt h bt E E t t b ii i i t E tAh i h t A iti ti ii i i th i E ti t t x b it i ii tt t th t th t tt b i ti it t t t itt t Ex t th t i th i i ti t t it i th h t t Att h i ti t th th ti t i th x t th t ti x hi t t i i b i t i th th th tt i thi h h th i it t h x t i ith th t ti it ti i i t b i hi h i t i thi hi t i ith th ti i b hi th t t i i i t A i t t t 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 45 20 of 54 29 Confidentiality Designation. t t t t h ti hi h t b t ti i th t ti ti t i b i i th th i t th i i i i i t h th th i th i t t ti ith t t i ti t t th i th t th ti i t i t i t th t i t th t t t t th i t t ti t i i t ti h th th i b th t i i h h t t ithi i th t th h th th th E i E h h b t t t h itt ti b i itt ith th b ti t t i i th i h t i i t ti t b t t t t th th i ti ti h t t i b b ti i th t t t th t th t i i h ti t t t i ti t t t ti th t th th b it t i ti b t b i ti t t h h ith i t i i i t i t E ti i t ti ith th th bit t i i h ti Protected Information Requested to Be Produced Outside This Litigation. b x t t i i t i t ti i i t i i i t th i i th i t ti th i i i t t t J. i thi t th ti i t t th th i h t th ti t t i th t ib t i t ti t t t iti b thi th ti t h th th i i i ti it ti i th th i t i t t i t ti i t t i t i th t t h i i th t b t th 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 46 21 of 54 29 i t i ti b th h h b i bi it b i thi tt h i i h ti h ibi it t th b x t ti t i t ti ti t h th th i th i i ii it ti b ti t i ii xt t th t t i t i i th t t ti t t i b thi ti ith ti t b t t it t i th t K. 
Destruction of Protected Information After Suit Ends. At i i ti i t h i ti ithi thi t t th ti hi h b tt t t th i i b t t i b t tit ti i h i b i i th b th ti i ti th ti i ti i t b th t ti t i thi i ti ti th i i th iti ti ti i b i ti t itt h ti i xhibit th t t t i t i i t i t t ti xhibit th h t t i ii i t th t itt t t t t i t i h i i i t i t i iti ti t t i t t E i t th t i t E it h b i xhibit t t i tt t E ti t i thi h i t ith t xhibit th t b ti t ti i th b ith t th t t th h t i thi i t i th i t t t t ti t t t i i th ti th i th t t t i ithi t t b i i t th th t i ti bi i i t ti ti t i t x th i tt t t 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 47 22 of 54 29 t hi h i E i L. t t ti E A E A E hi Nonparties to the Litigation A b t i t i t t th t t t ti h thi t t it i i b th t t it A ti tit tt t t t ti h ti t i ti t th th t ti thi i thi th t ti it b i ti t i i xt t th t t t t i i ti b t i t t ti t th t t t it t t t t ti b t i thi II. PROSECUTION BAR ti E A E i i E E ti bi h t t h ti i i th A i iti i i i iti hi t i i t h i t thi ii E E i i b i iti t t ti i i i i i ti th hi t bi i b ti ti b h i t t i thi h i i ti i i t i i t th t h t t t t i ti i t ti it ti i i t i i b ti b A i i A ti it t t h th E A E th t i i t thi ti ti i i A ti it E i ti h h t ti A E t E ii i A E t t A t i t i b t h i t t E E t i t i t i i t t t t t ti i i h i ti 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 48 23 of 54 29 i x i i th ti i t th t t i i ti i it t t i b i i ti t t i th i iti t t i ti i th ii t t b t tt ti i i ht b th i i i b i III. 
th t t h i t tt t tt b itt t th t t it ti b h x t i t t i iti i ht t t t t h t i hi i i ti t i ti i ti t i t inter partes t ti i ti i t i i i ti b t i h t thi ti iti i i t th iti ti i ti ti i t thi b i thi i i i t i i i ith i x ti h h iti ti b i h i thi t i i thi t t ith t x ith t t i tt i i i i ith it i t inter partes inter partes i ti i t h i ti thi t i t i i x i i th ti ti t t i i t tb th i i i i ti ti t t ex parte i i i x bt h i i i i i t i th ii i ti iti ti x i inter partes i A iti th th t i i t t t b i i iti ti i t i th b ti t i t t b h x ti t b x t i PRIVILEGED INFORMATION. A. Limits on Waiver of Privilege. thi t i th E t t i i i E i thi ti E i ht b th i it h i tt i t h ti ti i i i ti th t th t i th t t ti it i i 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 49 24 of 54 29 th i thi t t i iti ti th th i t b th i t t b th i it i i bt i th t i i t i h t i b th i i h i t t th t t th i h IV. ti ii t th t t b th tb i ti i ti i t t t i i i t ti i i i t h i t t th i h t h t i th t b h ti b ti th t i t th h h t t i t i ti t i i th i t t t t i i ti th i i t t th t h t h t th i i tit t i i b i i i i i t ithi t t t ti ti t th t i i i i i h A th th t t t th t t th i i t i i t t i tt i i t i th t t t i i ht t i i t t t th i t i th t th ti th t tt i t i t i i ti i t i thi tt i t i i i i i ti th ti t ti t t tt ith thi t ti ti LIMITS ON DISCOVERABILITY OF EXPERT MATERIALS. ti i t th i i t t i thi t t ti x i ti ti t i i thi t ti ith t b t i ti t E E E i h tb t iti ti t b tt i i th iti t ti i t x x t x t th i t i i t x i i t t th t t h i iti ti t th t t i b i i thi t bi t t ti iti iti x ti x i ti t t th t b th t ti i i t t t ti i t ti i t x h i i ti hi ti i i t i t x t 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 50 25 of 54 29 t i i V. 
i MISCELLANEOUS hi th t t th ti i i t i ti i ti t thi t th th t b t h bi i x i t t ith hi th t t t h A i b b thi t h t t t i ti i t t E E th it i th th t ti thi t t i i t h thi ti t b tt th ti bi i i t i t th i ti t ti thi i ti ti i t i ti ith thi t t ti i t i iti ti th bt t t thi t b b h th i th t b ti h t thi thi th i ti b th thi i i ti itt i b th t th t th thi th t th thi t i thi ti E i i ti thi ti ii thi t ti ii i t hi ti th h thi t t ith i thi hi h th h i ti E h t i ti i h th i t t t i th th i i t th t th h ti i ti i i thi i t b th t i h i t t i t t bi it t h b t thi iti ti t th t i iti ti ti thi iti ti i t t th h i t ti ib thi i ht it h t i t i x iti th i ti t th t t t th hi i i t t t t h t t i ti ith t ti thi t t t iti t ith i h h b t t t t i i i i i t t i t i i t Case 2:13-cv-01677-BJR 3:15-cr-05351-RJB Document 195 137 Filed 05/11/16 08/07/14 Page 51 26 of 54 29 thi ii t th t i h t t t t ti ithi th h ii i t A E th i t t t it E i tit t i t b b th i i ti tt h t t E E E thi 7th E b t E t t i i t E i i i t i th t thi i th t th ti i t t thi ti b th i August i t i th A E E b b th i i i ti i ht it it i i i t A i ti tit t t i i th A t th t t t h h i ib i ith ti i i t i t i i t i thi h i i ht t h E E t i thi E t i i t A E h i E h i i E th t th b thi i i t h thi h i h th E h i ht t i ht ti tt h E i tti i A h t th i th hi h th i thi A ti th i i ti hi h th t i i E it E i t ib ti i E hi h A A E t it i A t t t thi i x E th i t i ti t b i E b xt t th th iti E t th i thi A i b t b ti i t ti ti i thi ti th t i i th th i th Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 52 27 of 54 29 3:15-cr-05351-RJB Document 195 E E E E A E E 3:15-cr-05351-RJB Document 195 Case 2:13-cv-01677-BJR 137 Filed 05/11/16 08/07/14 Page 53 28 of 54 29 ATTACHMENT A CONFIDENTIALITY AGREEMENT i i t t i t h ti th b i ti t ti i t h b b h i th ti t ii i b it t t t iti t t i t i th E h i ti E ti t b i t t i x i h i E i t E E A i i t t th t th i it ii th it th th t E t E i i t iti A E h E E th i 
ti i i t th t i th th i i t i ii thi ti b E th t i E i i ith t ti A A th t t E i th t t E i h t t t th th E t x t E t i i i ti A i t E tt E h b th t th A E i t b b t E ti iti ti b t i t i i h hi th t t i ti th i ti ith iti t E ti i b t i b t i t i ith h ti i th ti ti it b i bt i t t t A hi i th t Case 2:13-cv-01677-BJR 3:15-cr-05351-RJB Document 195 137 Filed 05/11/16 08/07/14 Page 54 29 of 54 29 Ex t E E E