Tradeoffs: Facebook Helping The FBI Hack Tails To Track Down A Truly Awful Child Predator Raises Many Questions

from the icky-in-many-ways dept

Last week, Lorenzo Franceschi-Bicchierai at Vice had a bombshell of a story about Facebook helping the FBI track down a horrible, horrible person by paying a cybersecurity firm to build a zero-day attack on Tails, the secure operating system setup that is recommended by many, including Ed Snowden, for people who want to keep secrets away from the prying eyes of the government.

The story should make you uncomfortable on multiple levels -- starting with the fact that the person at the center of the story, Buster Hernandez, is way up there on the list of truly terrible people, and there's simply no reason to feel bad that this person is now locked up:

The crimes Buster Hernandez committed were heinous. The FBI's indictment is a nauseating read. He messaged underage girls on Facebook and said something like “Hi, I have to ask you something. Kinda important. How many guys have you sent dirty pics to cause I have some of you?,” according to court records.

When a victim responded, he would then demand that she send sexually explicit videos and photos of herself, otherwise he would send the nude photos he already had to her friends and family (in reality, he didn’t have any nude photos). Then, and in some cases over the course of months or years, he would continue to terrorize his victims by threatening to make the photos and videos public. He would send victims long and graphic rape threats. He sent specific threats to attack and kill victims’ families, as well as shoot up or bomb their schools if they didn’t continue to send sexually explicit images and videos. In some cases, he told victims that if they killed themselves, he would post their nude photos on memorial pages for them.

And it gets worse from there. It's good that the FBI tracked him down.

But, from there, you suddenly start to run into a bunch of other uncomfortable questions regarding Facebook's involvement here. And each of those questions helps demonstrate the many tradeoffs that a company like Facebook (or lots of other internet companies) face in dealing with awful people online. And to be clear there is no "good" answer here. Every approach has some good elements (getting a horrible person away from continuing to terrorize young girls) and some not so great elements (helping the FBI hack Tails, which is used by journalists, whistleblowers, and dissidents around the globe).

The article notes that there was a vigorous debate within Facebook about this decision, but the folks in charge decided that tracking this person down outweighed the concerns on the other side:

“The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls,” a Facebook spokesperson said. “This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.”

Former employees at Facebook who are familiar with the situation told Motherboard that Hernandez's actions were so extreme that the company believed it had been backed into a corner and had to act.

“In this case, there was absolutely no risk to users other than this one person for which there was much more than probable cause. We never would have made a change that affected anybody else, like an encryption backdoor,” said a former Facebook employee with knowledge of the case. “Since there were no other privacy risks, and the human impact was so large, I don’t feel like we had another choice.”

That does sound like a balancing of the risk/rewards here, but the idea that handing over a backdoor to the FBI puts no one else's privacy at risk may raise some eyebrows. The description of the zero day certainly sounds like it could be used against others:

Facebook hired a cybersecurity consulting firm to develop a hacking tool, which cost six figures. Our sources described the tool as a zero-day exploit, which refers to a vulnerability in software that is unknown to the software developers. The firm worked with a Facebook engineer and wrote a program that would attach an exploit taking advantage of a flaw in Tails’ video player to reveal the real IP address of the person viewing the video. Finally, Facebook gave it to an intermediary who handed the tool to the feds, according to three current and former employees who have knowledge of the events.

And while the Facebook spokesperson tried to play down the idea that this was setting an expectation, it's not really clear that's true:

Facebook told Motherboard that it does not specialize in developing hacking exploits and did not want to set the expectation with law enforcement that this is something it would do regularly. Facebook says that it identified the approach that would be used but did not develop the specific exploit, and only pursued the hacking option after exhausting all other options.

But this may be hard to swallow, given that this is the very same FBI that has been pushing tech companies to develop backdoors to encryption for years, and in the famous San Bernardino case, tried to use the All Writs Act to force Apple to create a type of backdoor on iOS to break into a phone.

And obviously, cooperating one time doesn't mean you need to cooperate every time, but it will at least raise questions. Especially at a time when Facebook is supposedly moving all of its messaging systems to fully encrypted. Can the setup there be fully trusted after this story?

As Bruce Schneier rightfully points out, it's fine for the FBI to figure out how to use lawful hacking to track down Hernandez. That is it's job. It's much less clear, though, that Facebook should be handing that info over to the FBI which could then use it elsewhere as well. It certainly does not appear that the FBI or Facebook revealed to the developers of Tails that their system had this vulnerability. Indeed, Tails only found out about it from the Vice story:

A spokesperson for Tails said in an email that the project’s developers “didn't know about the story of Hernandez until now and we are not aware of which vulnerability was used to deanonymize him.” The spokesperson called this "new and possibly sensitive information," and said that the exploit was never explained to the Tails development team.

So... that's a problem. The FBI, under the Vulnerabilities Equities Program, is supposed to reveal these kinds of vulnerabilities -- though it frequently does not (or hangs on to them for a long time before sharing). At the very least, this confirms lots of people's suspicions that the Trump administration's updating of the VEP process was little more than window dressing.

Senator Ron Wyden -- who is often the only one in Congress paying attention to these things -- also seemed quite concerned about how this all went down:

“Did the FBI re-use it in other cases? Did it share the vulnerability with other agencies? Did it submit the zero-day for review by the inter-agency Vulnerabilities Equity Process?” Wyden said in a statement, referring to the government process that is supposed to establish whether a zero-day vulnerability should be disclosed to the developers of the software where the vulnerability is found. “It’s clear there needs to be much more sunlight on how the government uses hacking tools, and whether the rules in place provide adequate guardrails.”

And thus, we're all left in an uncomfortable place. It's good that the FBI was able to trackdown and find Hernandez, and stop him from preying on any more victims. But, Facebook's direct involvement raises tons of uncomfortable questions, as does the FBI's decision to keep this vulnerability a secret (at the very least, it seems like Facebook maybe should have tipped off the Tails folks as well, once the FBI nabbed Hernandez). In an ideal world, the FBI would have figured out how to track down Hernandez without Facebook paying a firm to build the zero-day attack -- and then the FBI would have notified Tails' developers of the vulnerability. But, of course, that's not what happened.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: buster hernandez, fbi, hack, tails, tracking, vep, vulnerabilities, zero day
Companies: facebook


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 16 Jun 2020 @ 9:40am

    Section 230 makes this possible.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 16 Jun 2020 @ 9:53am

    If the exploit can be used once, it can be used multiple times, and such attacks are never only used once. Also, now that the exploit is known to exist, the temptation will be to make as much use as possible, before the flaw that enabled it is fixed.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 16 Jun 2020 @ 9:58am

    The original article states that the plan was to eventually report the security issue, but by the time they went to do so the vulnerable code had been removed.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 16 Jun 2020 @ 10:21am

    Re:

    Believe that to your own peril, for while the software may have been removed from tails, it is probably in use in other distros.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 16 Jun 2020 @ 10:28am

    Re:

    Sure it was. The security flaw totally no longer exists thanks to some magic coincidence. How amazing! And what was the security flaw? Umm, sorry can't tell you. But it's gone now. Yep totally gone now.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 16 Jun 2020 @ 10:44am

    You only lose your "I will never provide the government with hacked software" cherry once. Good luck refusing, the next time the FBI comes knocking, Facebook.

    link to this | view in thread ]

  7. icon
    Koby (profile), 16 Jun 2020 @ 10:45am

    Outsourcing Responsibility

    A fascinating case where a government agency outsources at least a portion of a hacking operation. The FBI didn't write the exploit. It didn't even buy it itself. If you have concerns about what happened, well, now the line has blurred between corporate action and law enforcement.

    Fortunately for the FBI, the perp in this case is very well disliked by everyone. But next time, the perp will probably be a "political dissenter". This sort of blurring of responsibility is precisely why I distrust both the FBI and corporations.

    link to this | view in thread ]

  8. icon
    Ehud Gavron (profile), 16 Jun 2020 @ 11:07am

    There's no winning here...

    Either FB could say "We have no way of doing this", or the FBI could say "We have no way of doing this" but nobody thought to make that six-figure payout go from the lawful agency investigating the issue to the security researcher.

    FB failed us. I will never trust them, and I don't violate and threaten young girls like this piece of >>>>. Of course we have to say that because the cases that make the news are the heinous ones where the defendant is socially indefensible.

    The FBI failed us. They used the tool, but did not participate in open disclosure, leaving the TAILS team to figure out "wut?"

    Yes, a piece of >>>> was arrested, plead guilty to 41 charges, and will likely spend 2-5 years in prison thinking on his next scheme. In the meantime BILLIONS of FB users now should be wondering when FB will "decide on its own" their privacy is worth just about nothing.

    The "tradeoff" between "security" and "privacy" and "obeying the law [in the jurisdiction where you are]" are not absolute. FB has now made this even murkier.

    See you later, and not on FB, ever.

    E

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 16 Jun 2020 @ 11:27am

    Re: Re:

    True, and if I read correctly, someone already had an exploit but it had to be ported to tails?

    I guess looking at commit history during the relevant timeframe needs to happen then.

    link to this | view in thread ]

  10. icon
    Upstream (profile), 16 Jun 2020 @ 11:45am

    Another notch on the ratchet

    This is standard practice, to use a particularly heinous case with a particularly despicable villain to justify actions that would otherwise be (and should always be) considered out of the question. This moves the Overton Window on what is justifiable in terms of violating everyone's privacy and security in the wrong direction. We must resist the "OK, but just this once" response, no matter the circumstances of the particular case at hand.

    And, no, this may not be a good answer, since it might delay the catching of a dangerous predator, but it is the right answer. It is the answer we must insist on giving.

    Fortunately, the TAILS folks seem to be pretty good about updates.

    link to this | view in thread ]

  11. identicon
    Kitsune106, 16 Jun 2020 @ 11:49am

    This could be bad news if not handeled right

    Since the exploit was not handed over. Also, given the current protests and the fact that the FBI and DOJ are getting involved, well, its going to be hard on Facebook to prove it did not help the FBI on protestors, or took the steps to make sure it could not redeploy the exploit. as given the gag orders, well, its going to be difficult to not keep people from assuming the worst. Especially given how the administration has moved before.

    link to this | view in thread ]

  12. icon
    Anonymous Anonymous Coward (profile), 16 Jun 2020 @ 12:18pm

    Re: This could be bad news if not handeled right

    It's not possible to prove a negative, though I am sure Facebook will try, and even if actually innocent of any other similar action they will not be successful. The tricky part will be coming up with some 'evidence' to initiate the charges. Of course these could be made up by anyone as the way 'evidence works these days the mere charge will be enough.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 16 Jun 2020 @ 12:25pm

    This is another one of those deals where the fuzz should have to explain how they did what they did (got an IP address in this case?), and can't refer to "investigative methods and techniques so secret no one can talk about them", because that is a travesty of two mockeries and a sham.

    link to this | view in thread ]

  14. identicon
    bobob, 16 Jun 2020 @ 1:32pm

    The encryption issue aside, there really is a fairly good way to address this that is practiced in several countries. Anytime a wiretap or surveillance is ordered, the person being surveilled is assigned an attorney (without the person knowing this, obviously) to represent him/her during the surveillance to ensure the surveillance is carried out as required by law. This also applies to the types of warrants in those countries analogous to those issued by our FISA court, in which case the attorneys have the required security clearances.

    This seems like a very easy solution to implement and addresses a lot of issues with respect to things like parallel construction and other abuses.

    link to this | view in thread ]

  15. icon
    Upstream (profile), 16 Jun 2020 @ 2:17pm

    Re:

    With secret courts issuing secret warrants and secret attorneys supposedly standing up for our rights (are rights even a thing in this scenario?), and maybe making secret objections, which would be heard by the secret courts, in secret sessions, of course, I don't see how this helps the situation any. Or is that a secret, too?

    link to this | view in thread ]

  16. icon
    R.H. (profile), 16 Jun 2020 @ 3:33pm

    Re: Re:

    In countries that use that method to maintain an adversarial system, I'd guess that the secret proceedings would be revealed to the defendant once he or she is actually charged with a crime. That way, if something dirty happened in the process of getting the secret warrant in the first place, it could be appealed by their attorney at that point.

    link to this | view in thread ]

  17. icon
    tz1 (profile), 16 Jun 2020 @ 3:43pm

    Mein!

    (german accent) I know they do that other nasty business in the concentration camps, but rape is such a terrible crime and Herr Fuhrer needs some place to send the rapists to deter the crime. Ignore the other thing because rape is so horrendous!

    link to this | view in thread ]

  18. icon
    lucidrenegade (profile), 16 Jun 2020 @ 4:42pm

    Re: There's no winning here...

    Why would you have trusted FaceBook to begin with? Zuckerberg is only in it for the money.

    link to this | view in thread ]

  19. identicon
    bobob, 16 Jun 2020 @ 5:19pm

    Re: Re: Re:

    Correct. The whole point is to have someone to represent the potential defendant's interest the entire time rather than how it's done here in the US.

    link to this | view in thread ]

  20. identicon
    bobob, 16 Jun 2020 @ 5:22pm

    Re: Re:

    So, you prefer the current US system in which everything is secret and you do NOT have an attorney to represent you? If not, what exactly was your point other than to troll?

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 16 Jun 2020 @ 11:47pm

    Re: bruce schneier hasn't been mention yet

    but the numbers pan out

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.