Facebook security personnel and engineers helped the FBI track down a notorious child predator by helping a third-party company develop an exploit in a security-focused version of the Linux operating system, Tails, per a Wednesday report by Vice. But they did so quietly and without notifying the developers of Tails afterwards of the major security flaw, potentially violating security industry norms while handing over a surveillance backdoor to federal agents.
According to Vice, for years Facebook had been tracking a suspect who had regularly used the platform to extort young women for nude photos and videos, as well as send them threats of rape, bombings, and mass shootings at schools — California man Buster Hernandez, who was charged and arrested in August 2017 and recently pleaded guilty to 41 counts which could see him spend the rest of his life in prison. Under his pseudonym as “Brian Kil,” court documents show, Hernandez targeted hundreds of underage girls over a period of years with blackmail and terroristic threats. In addition to Facebook, he reportedly attracted the attention of FBI field offices in multiple locations.
Hernandez was able to evade capture for so long because he used Tails, a version of Linux designed for users at high risk of surveillance and which routes all inbound and outbound connections through the open-source Tor network to anonymize it. According to Vice, the FBI had tried to hack into Hernandez’s computer but failed, as the approach they used “was not tailored for Tails.” Hernandez then proceeded to mock the FBI in subsequent messages, two Facebook employees told Vice.
Facebook had tasked a dedicated employee to unmasking Hernandez, developed an automated system to flag recently created accounts that messaged minors, and made catching Hernandez a priority for its security teams, according to Vice. They also paid a third party contractor “six figures” to help develop a zero-day exploit in Tails: a bug in its video player that enabled them to retrieve the real I.P. address of a person viewing a clip. Three sources told Vice that an intermediary passed the tool onto the FBI, who then obtained a search warrant to have one of the victims send a modified video file to Hernandez (a tactic the agency has used before).
There’s no clear evidence as to whether the FBI knew the exploit was developed in part by Facebook, leading one to wonder how forthcoming it was planning to be about its involvement. There are also obvious ethical issues with developing exploits in another company’s product, especially Tails, which was designed with the security of users including reporters, whistleblowers, stalking victims, and political activists in mind.
Facebook also never notified the Tails team of the flaw — breaking with a long industry tradition of disclosure in which the relevant developers are notified of vulnerabilities in advance of them becoming public so they have a chance at implementing a fix. Sources told Vice that since an upcoming Tails update was slated to strip the vulnerable code, Facebook didn’t bother to do so, though the social media company had no reason to believe Tails developers had ever discovered the bug.
Some of the current and former Facebook employees aware of the decision to help the FBI were critical, with one telling Vice that the “precedent of a private company buying a zero-day to go after a criminal” was “fucked up” and “sketchy as hell.” Others told the site it was a decision made of last resort that doesn’t set a precedent, with one saying it was the “right thing” to do and other companies would not be willing to “[spend] the amount of time and resources to try to limit damage caused by one evil guy.”
News of the operation also comes at time when some members of Congress, the FBI, and other federal agencies like the Departments of Justice and Homeland Security have been raising alarms about end to end encryption, build surveillance backdoors into their products.
Doing so could not only result in far more intensive government mass surveillance of private communications, but a security nightmare if the keys to exploiting those backdoors fall into the wrong hands. Facebook has fought other attempts to force it to compromise the security of its own products, successfully defeating an anti-drug task force’s order that it wiretap its Messenger product to catch members of the MS-13 gang. A bill currently circulating through Congress would create an unelected 19-member commission that could set so-called best standards for internet firms and penalise them if they do not meet them, which has widely been interpreted as an end-run around many companies’ refusals to create surveillance backdoors.
It’s not clear whether the FBI could have used the exploit in other cases or could have passed it on to other federal agencies.
Senator Ron Wyden told Vice, “Did the FBI re-use it in other cases? Did it share the vulnerability with other agencies? Did it submit the zero-day for review by the inter-agency Vulnerabilities Equity Processes? It’s clear there needs to be much more sunlight on how the government uses hacking tools, and whether the rules in place provide adequate guardrails.”
“The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls,” a Facebook spokesperson told Vice.. “This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.”