Facebook worked with cybersecurity experts to quietly help the FBI hack a child predator
- Facebook helped the FBI hack a child predator who used its platform to extort, threaten and harass underage girls, as first reported by Vice and confirmed by the company on Wednesday.
- The company paid cybersecurity experts to develop a "zero-day" exploit for Tails, a privacy-focused operating system, and then shared it with the FBI, according to Vice.
- The developer behind Tails, which is also used by activists and journalists, said Facebook didn't inform it about the exploit, and it's not clear the FBI was aware of Facebook's involvement either, Vice reported.
- While employees told Vice this was the first time Facebook had taken such an approach, the incident raises questions about how tech companies draw the line when deciding whether and how to aid law enforcement.
Facebook paid cybersecurity experts to develop a hacking tool that it then shared with the FBI to help the agency hack a user who was using its platform to extort, threaten and harass underage girls, Vice reported on Wednesday.
Buster Hernandez pleaded guilty earlier this year to 41 charges including production of child pornography, coercion and enticement of a minor, and threats to kill, kidnap and injure among others, according to WTHR. He used a combination of private browsing tools, messaging apps, email, and Facebook to extort victims for nude pictures and videos and threaten them with rape and violence, Vice reported.
Hernandez had been causing so much harm on the platform and was so skillful at masking his identity that Facebook felt it had no option but to assist law enforcement in tracking him down, though the decision was controversial, employees told Vice.
Hernandez had been using Tails, an operating system that helps anonymize users' identity and is used by criminals as well as activists and journalists, to hide his true identity. A Facebook spokesperson told Business Insider that both the company and the FBI spent lots of time trying to locate Hernandez, but to no avail.
Facebook eventually turned to a third-party cybersecurity company, paying them at least $100,000 to work with one of its engineers to develop a "zero-day" exploit for Tails — which allows someone to take advantage of a software vulnerability that isn't known to the software's developers — and then passed the tool along to the FBI, current and former employees told Vice.
A Facebook spokesperson told Business Insider it chose this route only after exploring every other option and that it enlisted a third party because it doesn't specialize in building these types of tools and didn't want to give law enforcement the impression it would be able to build one again in the future.
"The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls. This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice," a Facebook spokesperson told Business Insider in an emailed statement.
Vice reported that the FBI may not have even known of Facebook's involvement in developing the exploit, and that a spokesperson for Tails said Facebook didn't alert them to the vulnerability. Alerting developers is a common practice among security researchers that allows developers to fix bugs before researchers disclose them publicly.
The incident reignites a years-long debate over whether and how tech companies should assist law enforcement in tracking alleged criminals using their platforms, dating back to documents leaked by Edward Snowden that revealed tech and telecom giants — including Facebook — had been allowing the National Security Agency to spy on users via "backdoors."
Some companies, like Apple and Facebook-owned WhatsApp, have sparred with the FBI over their stances on protecting users' privacy, though law enforcement has still been able to compel them to cooperate in a substantial number of cases. At the same time, tech companies are facing increasing scrutiny from lawmakers and activists who argue that they should be doing more to weed out things like child abuse and harassment on their platforms.