from the icky-in-many-ways dept
Last week, Lorenzo Franceschi-Bicchierai at Vice had a bombshell of a story about Facebook helping the FBI track down a horrible, horrible person by paying a cybersecurity firm to build a zero-day attack on Tails, the secure operating system setup that is recommended by many, including Ed Snowden, for people who want to keep secrets away from the prying eyes of the government.
The story should make you uncomfortable on multiple levels — starting with the fact that the person at the center of the story, Buster Hernandez, is way up there on the list of truly terrible people, and there’s simply no reason to feel bad that this person is now locked up:
The crimes Buster Hernandez committed were heinous. The FBI’s indictment is a nauseating read. He messaged underage girls on Facebook and said something like ?Hi, I have to ask you something. Kinda important. How many guys have you sent dirty pics to cause I have some of you?,? according to court records.
When a victim responded, he would then demand that she send sexually explicit videos and photos of herself, otherwise he would send the nude photos he already had to her friends and family (in reality, he didn?t have any nude photos). Then, and in some cases over the course of months or years, he would continue to terrorize his victims by threatening to make the photos and videos public. He would send victims long and graphic rape threats. He sent specific threats to attack and kill victims? families, as well as shoot up or bomb their schools if they didn?t continue to send sexually explicit images and videos. In some cases, he told victims that if they killed themselves, he would post their nude photos on memorial pages for them.
And it gets worse from there. It’s good that the FBI tracked him down.
But, from there, you suddenly start to run into a bunch of other uncomfortable questions regarding Facebook’s involvement here. And each of those questions helps demonstrate the many tradeoffs that a company like Facebook (or lots of other internet companies) face in dealing with awful people online. And to be clear there is no “good” answer here. Every approach has some good elements (getting a horrible person away from continuing to terrorize young girls) and some not so great elements (helping the FBI hack Tails, which is used by journalists, whistleblowers, and dissidents around the globe).
The article notes that there was a vigorous debate within Facebook about this decision, but the folks in charge decided that tracking this person down outweighed the concerns on the other side:
?The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls,? a Facebook spokesperson said. ?This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.?
Former employees at Facebook who are familiar with the situation told Motherboard that Hernandez’s actions were so extreme that the company believed it had been backed into a corner and had to act.
?In this case, there was absolutely no risk to users other than this one person for which there was much more than probable cause. We never would have made a change that affected anybody else, like an encryption backdoor,? said a former Facebook employee with knowledge of the case. ?Since there were no other privacy risks, and the human impact was so large, I don?t feel like we had another choice.?
That does sound like a balancing of the risk/rewards here, but the idea that handing over a backdoor to the FBI puts no one else’s privacy at risk may raise some eyebrows. The description of the zero day certainly sounds like it could be used against others:
Facebook hired a cybersecurity consulting firm to develop a hacking tool, which cost six figures. Our sources described the tool as a zero-day exploit, which refers to a vulnerability in software that is unknown to the software developers. The firm worked with a Facebook engineer and wrote a program that would attach an exploit taking advantage of a flaw in Tails? video player to reveal the real IP address of the person viewing the video. Finally, Facebook gave it to an intermediary who handed the tool to the feds, according to three current and former employees who have knowledge of the events.
And while the Facebook spokesperson tried to play down the idea that this was setting an expectation, it’s not really clear that’s true:
Facebook told Motherboard that it does not specialize in developing hacking exploits and did not want to set the expectation with law enforcement that this is something it would do regularly. Facebook says that it identified the approach that would be used but did not develop the specific exploit, and only pursued the hacking option after exhausting all other options.
But this may be hard to swallow, given that this is the very same FBI that has been pushing tech companies to develop backdoors to encryption for years, and in the famous San Bernardino case, tried to use the All Writs Act to force Apple to create a type of backdoor on iOS to break into a phone.
And obviously, cooperating one time doesn’t mean you need to cooperate every time, but it will at least raise questions. Especially at a time when Facebook is supposedly moving all of its messaging systems to fully encrypted. Can the setup there be fully trusted after this story?
As Bruce Schneier rightfully points out, it’s fine for the FBI to figure out how to use lawful hacking to track down Hernandez. That is it’s job. It’s much less clear, though, that Facebook should be handing that info over to the FBI which could then use it elsewhere as well. It certainly does not appear that the FBI or Facebook revealed to the developers of Tails that their system had this vulnerability. Indeed, Tails only found out about it from the Vice story:
A spokesperson for Tails said in an email that the project?s developers ?didn’t know about the story of Hernandez until now and we are not aware of which vulnerability was used to deanonymize him.? The spokesperson called this “new and possibly sensitive information,” and said that the exploit was never explained to the Tails development team.
So… that’s a problem. The FBI, under the Vulnerabilities Equities Program, is supposed to reveal these kinds of vulnerabilities — though it frequently does not (or hangs on to them for a long time before sharing). At the very least, this confirms lots of people’s suspicions that the Trump administration’s updating of the VEP process was little more than window dressing.
Senator Ron Wyden — who is often the only one in Congress paying attention to these things — also seemed quite concerned about how this all went down:
?Did the FBI re-use it in other cases? Did it share the vulnerability with other agencies? Did it submit the zero-day for review by the inter-agency Vulnerabilities Equity Process?? Wyden said in a statement, referring to the government process that is supposed to establish whether a zero-day vulnerability should be disclosed to the developers of the software where the vulnerability is found. ?It?s clear there needs to be much more sunlight on how the government uses hacking tools, and whether the rules in place provide adequate guardrails.?
And thus, we’re all left in an uncomfortable place. It’s good that the FBI was able to trackdown and find Hernandez, and stop him from preying on any more victims. But, Facebook’s direct involvement raises tons of uncomfortable questions, as does the FBI’s decision to keep this vulnerability a secret (at the very least, it seems like Facebook maybe should have tipped off the Tails folks as well, once the FBI nabbed Hernandez). In an ideal world, the FBI would have figured out how to track down Hernandez without Facebook paying a firm to build the zero-day attack — and then the FBI would have notified Tails’ developers of the vulnerability. But, of course, that’s not what happened.
Filed Under: buster hernandez, fbi, hack, tails, tracking, vep, vulnerabilities, zero day