Tradeoffs: Facebook Helping The FBI Hack Tails To Track Down A Truly Awful Child Predator Raises Many Questions
from the icky-in-many-ways dept
Last week, Lorenzo Franceschi-Bicchierai at Vice had a bombshell of a story about Facebook helping the FBI track down a horrible, horrible person by paying a cybersecurity firm to build a zero-day attack on Tails, the secure operating system setup that is recommended by many, including Ed Snowden, for people who want to keep secrets away from the prying eyes of the government.
The story should make you uncomfortable on multiple levels -- starting with the fact that the person at the center of the story, Buster Hernandez, is way up there on the list of truly terrible people, and there's simply no reason to feel bad that this person is now locked up:
The crimes Buster Hernandez committed were heinous. The FBI's indictment is a nauseating read. He messaged underage girls on Facebook and said something like “Hi, I have to ask you something. Kinda important. How many guys have you sent dirty pics to cause I have some of you?,” according to court records.
When a victim responded, he would then demand that she send sexually explicit videos and photos of herself, otherwise he would send the nude photos he already had to her friends and family (in reality, he didn’t have any nude photos). Then, and in some cases over the course of months or years, he would continue to terrorize his victims by threatening to make the photos and videos public. He would send victims long and graphic rape threats. He sent specific threats to attack and kill victims’ families, as well as shoot up or bomb their schools if they didn’t continue to send sexually explicit images and videos. In some cases, he told victims that if they killed themselves, he would post their nude photos on memorial pages for them.
And it gets worse from there. It's good that the FBI tracked him down.
But, from there, you suddenly start to run into a bunch of other uncomfortable questions regarding Facebook's involvement here. And each of those questions helps demonstrate the many tradeoffs that a company like Facebook (or lots of other internet companies) face in dealing with awful people online. And to be clear there is no "good" answer here. Every approach has some good elements (getting a horrible person away from continuing to terrorize young girls) and some not so great elements (helping the FBI hack Tails, which is used by journalists, whistleblowers, and dissidents around the globe).
The article notes that there was a vigorous debate within Facebook about this decision, but the folks in charge decided that tracking this person down outweighed the concerns on the other side:
“The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls,” a Facebook spokesperson said. “This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.”
Former employees at Facebook who are familiar with the situation told Motherboard that Hernandez's actions were so extreme that the company believed it had been backed into a corner and had to act.
“In this case, there was absolutely no risk to users other than this one person for which there was much more than probable cause. We never would have made a change that affected anybody else, like an encryption backdoor,” said a former Facebook employee with knowledge of the case. “Since there were no other privacy risks, and the human impact was so large, I don’t feel like we had another choice.”
That does sound like a balancing of the risk/rewards here, but the idea that handing over a backdoor to the FBI puts no one else's privacy at risk may raise some eyebrows. The description of the zero day certainly sounds like it could be used against others:
Facebook hired a cybersecurity consulting firm to develop a hacking tool, which cost six figures. Our sources described the tool as a zero-day exploit, which refers to a vulnerability in software that is unknown to the software developers. The firm worked with a Facebook engineer and wrote a program that would attach an exploit taking advantage of a flaw in Tails’ video player to reveal the real IP address of the person viewing the video. Finally, Facebook gave it to an intermediary who handed the tool to the feds, according to three current and former employees who have knowledge of the events.
And while the Facebook spokesperson tried to play down the idea that this was setting an expectation, it's not really clear that's true:
Facebook told Motherboard that it does not specialize in developing hacking exploits and did not want to set the expectation with law enforcement that this is something it would do regularly. Facebook says that it identified the approach that would be used but did not develop the specific exploit, and only pursued the hacking option after exhausting all other options.
But this may be hard to swallow, given that this is the very same FBI that has been pushing tech companies to develop backdoors to encryption for years, and in the famous San Bernardino case, tried to use the All Writs Act to force Apple to create a type of backdoor on iOS to break into a phone.
And obviously, cooperating one time doesn't mean you need to cooperate every time, but it will at least raise questions. Especially at a time when Facebook is supposedly moving all of its messaging systems to fully encrypted. Can the setup there be fully trusted after this story?
As Bruce Schneier rightfully points out, it's fine for the FBI to figure out how to use lawful hacking to track down Hernandez. That is it's job. It's much less clear, though, that Facebook should be handing that info over to the FBI which could then use it elsewhere as well. It certainly does not appear that the FBI or Facebook revealed to the developers of Tails that their system had this vulnerability. Indeed, Tails only found out about it from the Vice story:
A spokesperson for Tails said in an email that the project’s developers “didn't know about the story of Hernandez until now and we are not aware of which vulnerability was used to deanonymize him.” The spokesperson called this "new and possibly sensitive information," and said that the exploit was never explained to the Tails development team.
So... that's a problem. The FBI, under the Vulnerabilities Equities Program, is supposed to reveal these kinds of vulnerabilities -- though it frequently does not (or hangs on to them for a long time before sharing). At the very least, this confirms lots of people's suspicions that the Trump administration's updating of the VEP process was little more than window dressing.
Senator Ron Wyden -- who is often the only one in Congress paying attention to these things -- also seemed quite concerned about how this all went down:
“Did the FBI re-use it in other cases? Did it share the vulnerability with other agencies? Did it submit the zero-day for review by the inter-agency Vulnerabilities Equity Process?” Wyden said in a statement, referring to the government process that is supposed to establish whether a zero-day vulnerability should be disclosed to the developers of the software where the vulnerability is found. “It’s clear there needs to be much more sunlight on how the government uses hacking tools, and whether the rules in place provide adequate guardrails.”
And thus, we're all left in an uncomfortable place. It's good that the FBI was able to trackdown and find Hernandez, and stop him from preying on any more victims. But, Facebook's direct involvement raises tons of uncomfortable questions, as does the FBI's decision to keep this vulnerability a secret (at the very least, it seems like Facebook maybe should have tipped off the Tails folks as well, once the FBI nabbed Hernandez). In an ideal world, the FBI would have figured out how to track down Hernandez without Facebook paying a firm to build the zero-day attack -- and then the FBI would have notified Tails' developers of the vulnerability. But, of course, that's not what happened.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: buster hernandez, fbi, hack, tails, tracking, vep, vulnerabilities, zero day
Companies: facebook
Reader Comments
Subscribe: RSS
View by: Time | Thread
Section 230 makes this possible.
[ link to this | view in thread ]
If the exploit can be used once, it can be used multiple times, and such attacks are never only used once. Also, now that the exploit is known to exist, the temptation will be to make as much use as possible, before the flaw that enabled it is fixed.
[ link to this | view in thread ]
The original article states that the plan was to eventually report the security issue, but by the time they went to do so the vulnerable code had been removed.
[ link to this | view in thread ]
Re:
Believe that to your own peril, for while the software may have been removed from tails, it is probably in use in other distros.
[ link to this | view in thread ]
Re:
Sure it was. The security flaw totally no longer exists thanks to some magic coincidence. How amazing! And what was the security flaw? Umm, sorry can't tell you. But it's gone now. Yep totally gone now.
[ link to this | view in thread ]
You only lose your "I will never provide the government with hacked software" cherry once. Good luck refusing, the next time the FBI comes knocking, Facebook.
[ link to this | view in thread ]
Outsourcing Responsibility
A fascinating case where a government agency outsources at least a portion of a hacking operation. The FBI didn't write the exploit. It didn't even buy it itself. If you have concerns about what happened, well, now the line has blurred between corporate action and law enforcement.
Fortunately for the FBI, the perp in this case is very well disliked by everyone. But next time, the perp will probably be a "political dissenter". This sort of blurring of responsibility is precisely why I distrust both the FBI and corporations.
[ link to this | view in thread ]
There's no winning here...
Either FB could say "We have no way of doing this", or the FBI could say "We have no way of doing this" but nobody thought to make that six-figure payout go from the lawful agency investigating the issue to the security researcher.
FB failed us. I will never trust them, and I don't violate and threaten young girls like this piece of >>>>. Of course we have to say that because the cases that make the news are the heinous ones where the defendant is socially indefensible.
The FBI failed us. They used the tool, but did not participate in open disclosure, leaving the TAILS team to figure out "wut?"
Yes, a piece of >>>> was arrested, plead guilty to 41 charges, and will likely spend 2-5 years in prison thinking on his next scheme. In the meantime BILLIONS of FB users now should be wondering when FB will "decide on its own" their privacy is worth just about nothing.
The "tradeoff" between "security" and "privacy" and "obeying the law [in the jurisdiction where you are]" are not absolute. FB has now made this even murkier.
See you later, and not on FB, ever.
E
[ link to this | view in thread ]
Re: Re:
True, and if I read correctly, someone already had an exploit but it had to be ported to tails?
I guess looking at commit history during the relevant timeframe needs to happen then.
[ link to this | view in thread ]
Another notch on the ratchet
This is standard practice, to use a particularly heinous case with a particularly despicable villain to justify actions that would otherwise be (and should always be) considered out of the question. This moves the Overton Window on what is justifiable in terms of violating everyone's privacy and security in the wrong direction. We must resist the "OK, but just this once" response, no matter the circumstances of the particular case at hand.
And, no, this may not be a good answer, since it might delay the catching of a dangerous predator, but it is the right answer. It is the answer we must insist on giving.
Fortunately, the TAILS folks seem to be pretty good about updates.
[ link to this | view in thread ]
This could be bad news if not handeled right
Since the exploit was not handed over. Also, given the current protests and the fact that the FBI and DOJ are getting involved, well, its going to be hard on Facebook to prove it did not help the FBI on protestors, or took the steps to make sure it could not redeploy the exploit. as given the gag orders, well, its going to be difficult to not keep people from assuming the worst. Especially given how the administration has moved before.
[ link to this | view in thread ]
Re: This could be bad news if not handeled right
It's not possible to prove a negative, though I am sure Facebook will try, and even if actually innocent of any other similar action they will not be successful. The tricky part will be coming up with some 'evidence' to initiate the charges. Of course these could be made up by anyone as the way 'evidence works these days the mere charge will be enough.
[ link to this | view in thread ]
This is another one of those deals where the fuzz should have to explain how they did what they did (got an IP address in this case?), and can't refer to "investigative methods and techniques so secret no one can talk about them", because that is a travesty of two mockeries and a sham.
[ link to this | view in thread ]
The encryption issue aside, there really is a fairly good way to address this that is practiced in several countries. Anytime a wiretap or surveillance is ordered, the person being surveilled is assigned an attorney (without the person knowing this, obviously) to represent him/her during the surveillance to ensure the surveillance is carried out as required by law. This also applies to the types of warrants in those countries analogous to those issued by our FISA court, in which case the attorneys have the required security clearances.
This seems like a very easy solution to implement and addresses a lot of issues with respect to things like parallel construction and other abuses.
[ link to this | view in thread ]
Re:
With secret courts issuing secret warrants and secret attorneys supposedly standing up for our rights (are rights even a thing in this scenario?), and maybe making secret objections, which would be heard by the secret courts, in secret sessions, of course, I don't see how this helps the situation any. Or is that a secret, too?
[ link to this | view in thread ]
Re: Re:
In countries that use that method to maintain an adversarial system, I'd guess that the secret proceedings would be revealed to the defendant once he or she is actually charged with a crime. That way, if something dirty happened in the process of getting the secret warrant in the first place, it could be appealed by their attorney at that point.
[ link to this | view in thread ]
Mein!
[ link to this | view in thread ]
Re: There's no winning here...
Why would you have trusted FaceBook to begin with? Zuckerberg is only in it for the money.
[ link to this | view in thread ]
Re: Re: Re:
Correct. The whole point is to have someone to represent the potential defendant's interest the entire time rather than how it's done here in the US.
[ link to this | view in thread ]
Re: Re:
So, you prefer the current US system in which everything is secret and you do NOT have an attorney to represent you? If not, what exactly was your point other than to troll?
[ link to this | view in thread ]
Re: bruce schneier hasn't been mention yet
but the numbers pan out
[ link to this | view in thread ]