Former employees at Facebook who are familiar with the situation told Motherboard that Hernandez's actions were so extreme that the company believed it had been backed into a corner and had to act.
“In this case, there was absolutely no risk to users other than this one person for which there was much more than probable cause. We never would have made a change that affected anybody else, like an encryption backdoor,” said a former Facebook employee with knowledge of the case. “Since there were no other privacy risks, and the human impact was so large, I don’t feel like we had another choice.”
All along, he would claim he couldn’t be caught by the police: “You thought the police would find me by now, but they didn’t. they have no clue. The police are useless,” he wrote. “Everyone please pray for the FBI, they are never solving this case lmao … I’m above the law and always will be.”
Hernandez used the secure operating system Tails, which runs the anonymizing software Tor and is designed to encrypt and push all of a user's traffic through the network by default, hiding their real IP address from websites or services they use. Using this tool, he contacted and harassed dozens of victims on Facebook for years until 2017, according to court documents. The operating system is also widely used by journalists, activists, and dissidents who are under threat of being surveilled by police and governments. A spokesperson for Tails says it is “used daily by more than 30,000 activists, journalists, domestic-violence survivors, and privacy-concerned citizens.”
Do you work or did you use to work at Facebook? Do you work for the FBI or develop hacking tools for law enforcement? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com
Facebook’s security team, then headed by Alex Stamos, realized they had to do more, and concluded that the FBI needed their help to unmask Brian Kil. Facebook hired a cybersecurity consulting firm to develop a hacking tool, which cost six figures. Our sources described the tool as a zero-day exploit, which refers to a vulnerability in software that is unknown to the software developers. The firm worked with a Facebook engineer and wrote a program that would attach an exploit taking advantage of a flaw in Tails’ video player to reveal the real IP address of the person viewing the video. Finally, Facebook gave it to an intermediary who handed the tool to the feds, according to three current and former employees who have knowledge of the events.
“Everything we did was perfectly legal, but we’re not law enforcement.”
That the hack occurred on Tails, not Facebook, adds a particularly thorny ethical layer to the hack. While this particular hack was intended to be used against a specific, heinous criminal, handing zero-day exploits to law enforcement comes with the risk that it will be used in other, less serious cases. The security of these products can't be compromised for some without compromising all, and so zero-day hacking tools are often closely-held secrets and sold for high sums. If they got into the wrong hands, it could be disastrous.
A spokesperson for Tails said in an email that the project’s developers “didn't know about the story of Hernandez until now and we are not aware of which vulnerability was used to deanonymize him.” The spokesperson called this "new and possibly sensitive information," and said that the exploit was never explained to the Tails development team. Many security researchers—including those who work at big companies like Google—go through a process called "coordinated disclosure" in which the researchers will inform companies that they've found a vulnerability in their software, and will give them time to fix it before releasing the details to the public.
In this case, however, that wasn't done because the FBI intended to leverage the vulnerability against an actual target.
“The precedent of a private company buying a zero-day to go after a criminal. That entire concept is fucked up.”