Major tech companies regularly help law enforcement agencies to the best of their abilities but working with the government to create new exploits to track down a user isn’t something we normally see. Reported by Motherboard, here’s how and why Facebook “took the extraordinary steps” to create a zero-day exploit to help the FBI catch a child predator.
Note: contains some violent details
For years, a California man systematically harassed and terrorized young girls using chat apps, email, and Facebook. He extorted them for their nude pictures and videos, and threatened to kill and rape them. He also sent graphic and specific threats to carry out mass shootings and bombings at the girls’ schools if they didn’t send him sexually explicit photos and videos.
Considering the extent of the horrific acts of Buster Hernandez and how difficult he was to track down, Facebook made the decision to help hack this FBI target.
Buster Hernandez, who was known as “Brian Kil” online, was such a persistent threat and was so adept at hiding his real identity that Facebook took the unprecedented step of helping the FBI hack him to gather evidence that led to his arrest and conviction, Motherboard has learned. Facebook worked with a third-party company to develop the exploit and did not directly hand the exploit to the FBI; it is unclear whether the FBI even knew that Facebook was involved in developing the exploit. According to sources within the company, this is the first and only time Facebook has ever helped law enforcement hack a target.
While it is great to see a criminal like this convicted, Motherboard notes how the situation “raises difficult ethical questions about when—if ever—it is appropriate for private companies to assist in the hacking of their users.”
This previously unreported case of collaboration between a Silicon Valley tech giant and the FBI highlights the technical capabilities of Facebook, a third-party hacking firm it worked with, and law enforcement, and raises difficult ethical questions about when—if ever—it is appropriate for private companies to assist in the hacking of their users. The FBI and Facebook used a so-called zero-day exploit in the privacy-focused operating system Tails, which automatically routes all of a user’s internet traffic through the Tor anonymity network, to unmask Hernandez’s real IP address, which ultimately led to his arrest.
Facebook commented on the case to Motherboard, explaining why it took the steps it did:
“The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls,” a Facebook spokesperson said. “This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.”
And here’s how one former Facebook employee sees the company helping the FBI in this case as different from creating a backdoor into the platform.
“In this case, there was absolutely no risk to users other than this one person for which there was much more than probable cause. We never would have made a change that affected anybody else, like an encryption backdoor,” said a former Facebook employee with knowledge of the case. “Since there were no other privacy risks, and the human impact was so large, I don’t feel like we had another choice.”
Even so, there was said to be a rift between Facebook employees on the matter.
According to several current and former Facebook employees that Motherboard spoke to, however, the decision was much more controversial within the company.
You can read the full report from Motherboard here.
FTC: We use income earning auto affiliate links. More.