Tradeoffs: Facebook Helping The FBI Hack Tails To Track Down A Truly Awful Child Predator Raises Many Questions

from the icky-in-many-ways dept

Last week, Lorenzo Franceschi-Bicchierai at Vice had a bombshell of a story about Facebook helping the FBI track down a horrible, horrible person by paying a cybersecurity firm to build a zero-day attack on Tails, the secure operating system setup that is recommended by many, including Ed Snowden, for people who want to keep secrets away from the prying eyes of the government.

The story should make you uncomfortable on multiple levels -- starting with the fact that the person at the center of the story, Buster Hernandez, is way up there on the list of truly terrible people, and there's simply no reason to feel bad that this person is now locked up:

The crimes Buster Hernandez committed were heinous. The FBI's indictment is a nauseating read. He messaged underage girls on Facebook and said something like “Hi, I have to ask you something. Kinda important. How many guys have you sent dirty pics to cause I have some of you?,” according to court records.

When a victim responded, he would then demand that she send sexually explicit videos and photos of herself, otherwise he would send the nude photos he already had to her friends and family (in reality, he didn’t have any nude photos). Then, and in some cases over the course of months or years, he would continue to terrorize his victims by threatening to make the photos and videos public. He would send victims long and graphic rape threats. He sent specific threats to attack and kill victims’ families, as well as shoot up or bomb their schools if they didn’t continue to send sexually explicit images and videos. In some cases, he told victims that if they killed themselves, he would post their nude photos on memorial pages for them.

And it gets worse from there. It's good that the FBI tracked him down.

But, from there, you suddenly start to run into a bunch of other uncomfortable questions regarding Facebook's involvement here. And each of those questions helps demonstrate the many tradeoffs that a company like Facebook (or lots of other internet companies) faces in dealing with awful people online. And, to be clear, there is no "good" answer here. Every approach has some good elements (getting a horrible person away from continuing to terrorize young girls) and some not so great elements (helping the FBI hack Tails, which is used by journalists, whistleblowers, and dissidents around the globe).

The article notes that there was a vigorous debate within Facebook about this decision, but the folks in charge decided that tracking this person down outweighed the concerns on the other side:

“The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls,” a Facebook spokesperson said. “This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.”

Former employees at Facebook who are familiar with the situation told Motherboard that Hernandez's actions were so extreme that the company believed it had been backed into a corner and had to act.

“In this case, there was absolutely no risk to users other than this one person for which there was much more than probable cause. We never would have made a change that affected anybody else, like an encryption backdoor,” said a former Facebook employee with knowledge of the case. “Since there were no other privacy risks, and the human impact was so large, I don’t feel like we had another choice.”

That does sound like a balancing of the risk/rewards here, but the idea that handing over a backdoor to the FBI puts no one else's privacy at risk may raise some eyebrows. The description of the zero day certainly sounds like it could be used against others:

Facebook hired a cybersecurity consulting firm to develop a hacking tool, which cost six figures. Our sources described the tool as a zero-day exploit, which refers to a vulnerability in software that is unknown to the software developers. The firm worked with a Facebook engineer and wrote a program that would attach an exploit taking advantage of a flaw in Tails’ video player to reveal the real IP address of the person viewing the video. Finally, Facebook gave it to an intermediary who handed the tool to the feds, according to three current and former employees who have knowledge of the events.

And while the Facebook spokesperson tried to play down the idea that this was setting an expectation, it's not really clear that's true:

Facebook told Motherboard that it does not specialize in developing hacking exploits and did not want to set the expectation with law enforcement that this is something it would do regularly. Facebook says that it identified the approach that would be used but did not develop the specific exploit, and only pursued the hacking option after exhausting all other options.

But this may be hard to swallow, given that this is the very same FBI that has been pushing tech companies to develop backdoors to encryption for years, and in the famous San Bernardino case, tried to use the All Writs Act to force Apple to create a type of backdoor on iOS to break into a phone.

And obviously, cooperating one time doesn't mean you need to cooperate every time, but it will at least raise questions. Especially at a time when Facebook is supposedly moving all of its messaging systems to full encryption. Can the setup there be fully trusted after this story?

As Bruce Schneier rightfully points out, it's fine for the FBI to figure out how to use lawful hacking to track down Hernandez. That is its job. It's much less clear, though, that Facebook should be handing that info over to the FBI, which could then use it elsewhere as well. It certainly does not appear that the FBI or Facebook revealed to the developers of Tails that their system had this vulnerability. Indeed, Tails only found out about it from the Vice story:

A spokesperson for Tails said in an email that the project’s developers “didn't know about the story of Hernandez until now and we are not aware of which vulnerability was used to deanonymize him.” The spokesperson called this "new and possibly sensitive information," and said that the exploit was never explained to the Tails development team.

So... that's a problem. The FBI, under the Vulnerabilities Equities Program, is supposed to reveal these kinds of vulnerabilities -- though it frequently does not (or hangs on to them for a long time before sharing). At the very least, this confirms lots of people's suspicions that the Trump administration's updating of the VEP process was little more than window dressing.

Senator Ron Wyden -- who is often the only one in Congress paying attention to these things -- also seemed quite concerned about how this all went down:

“Did the FBI re-use it in other cases? Did it share the vulnerability with other agencies? Did it submit the zero-day for review by the inter-agency Vulnerabilities Equity Process?” Wyden said in a statement, referring to the government process that is supposed to establish whether a zero-day vulnerability should be disclosed to the developers of the software where the vulnerability is found. “It’s clear there needs to be much more sunlight on how the government uses hacking tools, and whether the rules in place provide adequate guardrails.”

And thus, we're all left in an uncomfortable place. It's good that the FBI was able to track down and find Hernandez, and stop him from preying on any more victims. But, Facebook's direct involvement raises tons of uncomfortable questions, as does the FBI's decision to keep this vulnerability a secret (at the very least, it seems like Facebook maybe should have tipped off the Tails folks as well, once the FBI nabbed Hernandez). In an ideal world, the FBI would have figured out how to track down Hernandez without Facebook paying a firm to build the zero-day attack -- and then the FBI would have notified Tails' developers of the vulnerability. But, of course, that's not what happened.

Filed Under: buster hernandez, fbi, hack, tails, tracking, vep, vulnerabilities, zero day
Companies: facebook


Reader Comments

  • Anonymous Coward, 16 Jun 2020 @ 9:40am

    Section 230 makes this possible.

  • Anonymous Coward, 16 Jun 2020 @ 9:53am

    If the exploit can be used once, it can be used multiple times, and such attacks are never only used once. Also, now that the exploit is known to exist, the temptation will be to make as much use as possible, before the flaw that enabled it is fixed.

  • Anonymous Coward, 16 Jun 2020 @ 9:58am

    The original article states that the plan was to eventually report the security issue, but by the time they went to do so the vulnerable code had been removed.

    • Anonymous Coward, 16 Jun 2020 @ 10:21am

      Re:

      Believe that to your own peril, for while the software may have been removed from tails, it is probably in use in other distros.

      • Anonymous Coward, 16 Jun 2020 @ 11:27am

        Re: Re:

        True, and if I read correctly, someone already had an exploit but it had to be ported to tails?

        I guess looking at commit history during the relevant timeframe needs to happen then.

    • Anonymous Coward, 16 Jun 2020 @ 10:28am

      Re:

      Sure it was. The security flaw totally no longer exists thanks to some magic coincidence. How amazing! And what was the security flaw? Umm, sorry can't tell you. But it's gone now. Yep totally gone now.

  • Anonymous Coward, 16 Jun 2020 @ 10:44am

    You only lose your "I will never provide the government with hacked software" cherry once. Good luck refusing, the next time the FBI comes knocking, Facebook.

  • Koby, 16 Jun 2020 @ 10:45am

    Outsourcing Responsibility

    A fascinating case where a government agency outsources at least a portion of a hacking operation. The FBI didn't write the exploit. It didn't even buy it itself. If you have concerns about what happened, well, now the line has blurred between corporate action and law enforcement.

    Fortunately for the FBI, the perp in this case is very well disliked by everyone. But next time, the perp will probably be a "political dissenter". This sort of blurring of responsibility is precisely why I distrust both the FBI and corporations.

  • Ehud Gavron, 16 Jun 2020 @ 11:07am

    There's no winning here...

    Either FB could say "We have no way of doing this", or the FBI could say "We have no way of doing this" but nobody thought to make that six-figure payout go from the lawful agency investigating the issue to the security researcher.

    FB failed us. I will never trust them, and I don't violate and threaten young girls like this piece of >>>>. Of course we have to say that because the cases that make the news are the heinous ones where the defendant is socially indefensible.

    The FBI failed us. They used the tool, but did not participate in open disclosure, leaving the TAILS team to figure out "wut?"

    Yes, a piece of >>>> was arrested, plead guilty to 41 charges, and will likely spend 2-5 years in prison thinking on his next scheme. In the meantime BILLIONS of FB users now should be wondering when FB will "decide on its own" their privacy is worth just about nothing.

    The "tradeoff" between "security" and "privacy" and "obeying the law [in the jurisdiction where you are]" are not absolute. FB has now made this even murkier.

    See you later, and not on FB, ever.

    E

  • Upstream, 16 Jun 2020 @ 11:45am

    Another notch on the ratchet

    This is standard practice, to use a particularly heinous case with a particularly despicable villain to justify actions that would otherwise be (and should always be) considered out of the question. This moves the Overton Window on what is justifiable in terms of violating everyone's privacy and security in the wrong direction. We must resist the "OK, but just this once" response, no matter the circumstances of the particular case at hand.

    And, no, this may not be a good answer, since it might delay the catching of a dangerous predator, but it is the right answer. It is the answer we must insist on giving.

    Fortunately, the TAILS folks seem to be pretty good about updates.

  • Kitsune106, 16 Jun 2020 @ 11:49am

    This could be bad news if not handled right

    Since the exploit was not handed over. Also, given the current protests and the fact that the FBI and DOJ are getting involved, well, it's going to be hard on Facebook to prove it did not help the FBI on protestors, or took the steps to make sure it could not redeploy the exploit. As given the gag orders, well, it's going to be difficult to not keep people from assuming the worst. Especially given how the administration has moved before.

    • Anonymous Anonymous Coward, 16 Jun 2020 @ 12:18pm

      Re: This could be bad news if not handled right

      It's not possible to prove a negative, though I am sure Facebook will try, and even if actually innocent of any other similar action they will not be successful. The tricky part will be coming up with some 'evidence' to initiate the charges. Of course these could be made up by anyone as the way 'evidence' works these days the mere charge will be enough.

  • Anonymous Coward, 16 Jun 2020 @ 12:25pm

    This is another one of those deals where the fuzz should have to explain how they did what they did (got an IP address in this case?), and can't refer to "investigative methods and techniques so secret no one can talk about them", because that is a travesty of two mockeries and a sham.

  • bobob, 16 Jun 2020 @ 1:32pm

    The encryption issue aside, there really is a fairly good way to address this that is practiced in several countries. Anytime a wiretap or surveillance is ordered, the person being surveilled is assigned an attorney (without the person knowing this, obviously) to represent him/her during the surveillance to ensure the surveillance is carried out as required by law. This also applies to the types of warrants in those countries analogous to those issued by our FISA court, in which case the attorneys have the required security clearances.

    This seems like a very easy solution to implement and addresses a lot of issues with respect to things like parallel construction and other abuses.

    • Upstream, 16 Jun 2020 @ 2:17pm

      Re:

      With secret courts issuing secret warrants and secret attorneys supposedly standing up for our rights (are rights even a thing in this scenario?), and maybe making secret objections, which would be heard by the secret courts, in secret sessions, of course, I don't see how this helps the situation any. Or is that a secret, too?

      • R.H., 16 Jun 2020 @ 3:33pm

        Re: Re:

        In countries that use that method to maintain an adversarial system, I'd guess that the secret proceedings would be revealed to the defendant once he or she is actually charged with a crime. That way, if something dirty happened in the process of getting the secret warrant in the first place, it could be appealed by their attorney at that point.

        • bobob, 16 Jun 2020 @ 5:19pm

          Re: Re: Re:

          Correct. The whole point is to have someone to represent the potential defendant's interest the entire time rather than how it's done here in the US.

      • bobob, 16 Jun 2020 @ 5:22pm

        Re: Re:

        So, you prefer the current US system in which everything is secret and you do NOT have an attorney to represent you? If not, what exactly was your point other than to troll?

  • tz1, 16 Jun 2020 @ 3:43pm

    Mein!

    (German accent) I know they do that other nasty business in the concentration camps, but rape is such a terrible crime and Herr Fuhrer needs some place to send the rapists to deter the crime. Ignore the other thing because rape is so horrendous!
