Facebook paid for a tool to hack its own user, then handed it to the FBI

The extreme approach led to the arrest of a serial child abuser.

For years, a California man harassed and terrorized young girls, extorting them for nude photos and videos and threatening to kill and rape them or shoot up their schools. Much of this abuse took place on Facebook, and now, months after the man, Buster Hernandez or “Brian Kil,” pleaded guilty, Motherboard has discovered that Facebook paid a security firm to develop the hack that the FBI eventually used to bring Hernandez down.

According to Motherboard, Facebook paid a cybersecurity consulting firm six figures to develop a hacking tool that could infiltrate the privacy-focused Tails OS. The program reportedly took advantage of a flaw in Tails’ video player and revealed the real IP address of the person viewing the video. Facebook gave the tool to an intermediary who handed it to the Feds, current and former Facebook employees told Motherboard. The FBI then had a victim send a booby-trapped video to Hernandez, ultimately leading to his arrest.

The charges Hernandez pleaded guilty to are pretty horrific, but Facebook’s role raises some serious ethical questions -- like whether it’s okay for a private company to purchase an exploit to hack its own user. Plus, the hack occurred on Tails, not Facebook, and a Tails spokesperson told Motherboard that the exploit was never explained to the Tails development team.

According to Motherboard, it’s unclear if the FBI ever knew Facebook was involved in developing the exploit. This is supposedly the only time Facebook has helped law enforcement hack a user, and a Facebook spokesperson told Motherboard that the company doesn’t want this to set a precedent. Facebook seems to have justified its actions in this instance by pointing to just how awful Hernandez was.

“The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls,” a Facebook spokesperson told Motherboard. “This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.”

Of course, Tails isn’t just used by cybercriminals. It’s also used by thousands of activists, journalists, government officials, domestic-violence survivors and other privacy-minded citizens. It’s even been recommended by Edward Snowden. The exploit that Facebook handed the FBI could have been used against anyone, not just Hernandez. There’s no evidence that happened, but it could be a dangerous door for Facebook to open.