By Nora Macaluso
Last of two parts.
In two recent cases, law enforcement joined with social media to track, arrest and charge criminal suspects. The moves raise many privacy concerns, experts say. This report examines the ramifications of Facebook’s hiring of a cybersecurity firm to help the FBI find a child predator.
Facebook’s hiring of a cybersecurity firm in 2017 to help it and the FBI hack into Tails, the popular Linux-based operating system used for secure communications, to track down a child predator has some experts concerned about potential privacy ramifications.
Others say the incident was a one-off, the result of an unusual set of circumstances unlikely to recur.
Either way, the idea of a major technology company helping to expose one of its users was likely unprecedented.
“This story raises the likelihood that prosecutors, both at the federal and state levels, are experimenting with techniques they don’t understand the implications of,” said Alan Butler, interim executive director and general counsel at the Washington-based Electronic Privacy Information Center (EPIC).
Vice.com’s Motherboard site reported in June that Facebook had worked with a third party to develop a tool to hack into Tails and identify the IP address of Buster Hernandez, a California man who used the platform to threaten and extort teenage girls.
Hernandez was 26 at the time of his indictment in 2017, according to news reports.
The hack allowed the government to find and arrest Hernandez, who pleaded guilty in February to charges including production of child pornography and threats and extortion. He is scheduled to be sentenced Sept. 11.
“We confirm the details included in both of the Vice articles, but we cannot provide more context right now,” Tails told Digital Privacy News. “We’re still trying to figure out the technical details of the exploit and make sure that all our users are safe today.”
The FBI declined to comment. Facebook defended its action, noting the unusual circumstances surrounding the case.
“There really isn’t a way to make these systems insecure only for the bad guy.”Alan Butler, Electronic Privacy Information Center.
The unmasking strikes at “systems that journalists and everyday consumers and others rely on to secure computers and secure sensitive information,” EPIC’s Butler said.
It’s a concern for a government to “take an active role in developing something that could be used to commit crimes,” and it’s a further concern for a private company to be involved in deploying a vulnerability, he said.
“The security of these systems impacts everyone who uses them,” Butler told Digital Privacy News. “There really isn’t a way to make these systems insecure only for the bad guy.”
While the case doesn’t necessarily set a policy precedent, it does raise questions about the government’s adherence to procedure regarding computer security, he said.
“The government is committed to using the vulnerability-equities process to deal with these sorts of issues,” Butler said. “It seems more like this is not being run through this process.”
The hackers used a so-called zero-day exploit, a previously unidentified flaw in software, in Tails’ default video player, Gnome, to unmask Hernandez, according to the Motherboard report.
Tails uses Tor, which reroutes Internet traffic so it can’t be traced back to the user, to keep them anonymous. Tails is used by journalists and sources, among others, to keep conversations and data confidential.
Tails and Gnome developers found out about the hack through the Motherboard article, according to a subsequent report on the site.
“Gnome was not previously aware of this story and is not able to guess
which vulnerability might have been exploited,” Gnome told Digital Privacy News by email. “We appreciate that Facebook planned to report this vulnerability to us before discovering that the affected code had been removed from Gnome.”
The notion of a company helping to develop an exploit to access another company’s software is surprising, said Gregory T. Nojeim of the Center for Democracy & Technology.
He’s senior counsel and director of the center’s Freedom, Security and Technology Project in Washington.
“These were pretty unique circumstances, and unlikely to recur.”Gregory T. Nojeim, Center for Democracy & Technology.
Nojeim told Digital Privacy News that he was not aware of any legal requirement for Facebook or the FBI to alert Tails or Gnome about the hack, either before or after the fact.
Gnome said it recognized “that exploiting software vulnerabilities is sometimes the only practical way for law enforcement to investigate criminals.”
“That said, the security of law-abiding users is jeopardized when such vulnerabilities are not disclosed to us in a timely manner,” the company said.
Moreover, problems still could occur.
Gnome said its software was shipped by integrators and “can be supported for
many years, so it is possible this exploit is still unfixed in older versions.
“Accordingly,” the company added, “we still expect Facebook or the FBI to report the issue to us so that we can ensure a CVE (Common Vulnerabilities and Exposures, a standardized identifier for a particular vulnerability or exposure) is assigned to the issue — and so downstream products can assess whether they are impacted.”
Still, Nojeim said, “these were pretty unique circumstances, and unlikely to recur.”
“There was an extremely bad actor abusing the Facebook platform for years,” and the exploit took place a few days before it would have been rendered ineffective by a software update, making for “a pretty rare set of circumstances,” he added.
That, apparently, was Facebook’s thinking.
“The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls,” a company spokesperson told Digital Privacy News.
“This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.”
Facebook is one of more than 100 companies party to the Cybersecurity Tech Accord, the spirit of which says “they’re not going to assist with cyberattacks,” Nojiem said.
The accord calls for the companies to “protect against tampering with and exploitation of technology products and services during their development, design, distribution and use.”
“The ground has shifted on privacy,” Nojeim said.
“Companies are increasingly reticent to help governments launch attacks” on individuals or companies, he added, and “the tech accord signals that shift in the landscape.”
Nora Macaluso is a writer based in Philadelphia.
Sources (external links):