Tech companies, privacy and vulnerabilities: How much transparency is enough?
Views and opinions published in this article are intended to foster productive thought and discussion around challenges in the cybersecurity industry. Views expressed in this article do not necessarily represent the views of Infosec.
In late June 2020, a story was published by Vice’s Motherboard technology investigative platform with a revelation that sent shockwaves through the privacy and security communities. In 2017, Facebook hired a cybersecurity company to develop a new exploit for a security-focused operating system — a zero-day. Once completed, the social media brand then passed the exploit on to the FBI through an intermediary, which the FBI then used to track down and eventually arrest a child predator.
Followers of security and privacy will likely recall that this isn’t the first time that the FBI shared headlines with a private cybersecurity company over the use of zero-day exploits in order to support their law enforcement duties. A year prior, in 2016, the FBI battled with Apple in court to get their help in unlocking the phones of the San Bernardino terrorists, but ultimately paid an unnamed cybersecurity firm to use a zero-day
During the 2016 court battle with the FBI, Apple and many of their rivals, including Amazon, Samsung, Dropbox, Microsoft, Yahoo and even Facebook, fought for the security of their customers’ privacy. Apple’s chief executive, Tim Cook, stated that “privacy is a fundamental human right.”
In the years since this high-profile court case, Americans’ concerns surrounding private companies and their right to privacy has only continued to grow. In fact, only 9 percent of American social media users “were ‘very confident’ that social media companies would protect their data.”
According to Pew Research, about half of users were not at all or not too confident their data were in safe hands. However, according to the same 2017 Pew Research study, about seven in ten American adults (69 percent) claim that they use some kind of social media platform.
So what do these two conflicting narratives reveal about security and privacy in the hands of global technology giants? Should the specific circumstances of this case allow for such tailored development and use of a zero-day by Facebook and the FBI? This article will attempt to explore some of the key questions surrounding the 2017 incident.
Facebook, the FBI and a GNOME zero-day
After years of hard investigative work on behalf of several law enforcement agencies, a California man who went by the online alias Brian Kil was still at large harassing and extorting teenage girls. Kil, whose real name is Buster Hernandez, used Facebook to force young girls to send him nude pictures of themselves and threatened them with violence against them and their friends and family if they did not listen to his demands.
To help hide his identity and keep investigators off of his online tracks, Hernandez used a computer operating system popular with journalists and their sources known as Tails. This automatically routes internet traffic through the mis-attributable Tor network so it cannot be traced back to the user, keeping them anonymous.
According to the Vice article, there was a vulnerability in the Tails video player, Gnome. An unidentified cybersecurity research company used this vulnerability to create a zero-day exploit, which Facebook paid “six figures” to help develop and deliver. Through an intermediary, Facebook then passed on the zero-day exploit to the FBI. Once in hand and armed with a search warrant, the FBI was able to use the exploit against the vulnerability in the Tails Gnome video player to collect and reveal the true IP address of Hernandez.
Per the article, the Tails and Gnome developers had no previous knowledge of the vulnerability or that the FBI had used a specialized exploit until the Motherboard team reached out to the platforms for their comment. There were, however, plans to fix the bug in an upcoming patch that has since been released.
Security and privacy: Key questions
While the players and the scenario will be different, it’s safe to assume that this will not be the last time there will be a case involving technology giants, law enforcement and vulnerability exploitation that privacy advocates will flag. And, as always, the line between law enforcement and privacy will continue to be a fine one.
On one side of this debate, there are those that say that this was a one-off, highly specific incident with an unusual set of circumstances that are unlikely to occur. Additionally, the bug in the operating system has since been patched. On the other side, privacy advocates draw a strict line with the idea of a global technology platform helping to reveal details of one of its users as a scary and unprecedented milestone.
What is certain, however, is that this incident raises a number of key questions for security professionals to consider.
Should Facebook have been involved in making and paying for the zero-day exploit?
According to an interview published in a Digital Privacy News article published about the incident, a Facebook spokesman noted that, “The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls.” The statement from Facebook continued, “This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.”
And while no one doubts the FBI’s authority and need to take down criminals and suspected terrorists through any means within the boundaries of US law, including lawful hacking, privacy advocates have trained their ire on Facebook. Additionally, according to the Vice article, the FBI did not know of or ask Facebook to partner with the cybersecurity research firm to develop the exploit.
In fact, Facebook is one of more than 80 companies that have signed the Cybersecurity Tech Accord. This “promotes a safer online world by fostering collaboration among global technology companies committed to protecting their customers and users and helping them defend against malicious threats.” However, by being involved in the development and funding for the zero-day exploit and not alerting Tails developers, Facebook looks to stand in direct contract to the principles of the Accord that they signed on to.
Should Facebook, the FBI and the cybersecurity firm have disclosed the vulnerability to Tails or GNOME after the arrest?
A second key question raised by the Vice articles focuses on if Facebook, the FBI, and the cybersecurity firm — or one of the above — should have alerted Tails or GNOME of the vulnerability after the criminal was arrested? According to a statement in the Vice piece, over three years later, notification of the media player exploitation has not been made to either company.
While the cybersecurity research firm that participated in the development of the zero-day was not named, they are likely (as in the case of Facebook and the FBI) long-term participants in the industry’s tradition of disclosing vulnerabilities to the source code developers and the larger technology community so a fix can be rolled out.
The Vice article notes that some of Facebook’s drive to develop and indirectly deliver the zero-day was driven by the expected patch of the vulnerability in an impending fix and that they therefore did not need to share it with Tails. However, Tails states that there is no way to know for sure if the bug is still of concern without more details about the exploit itself.
“The only way for Tails to be sure that every single aspect of the zero-day is indeed fixed already is to learn about the full details of the zero-day,” a Tails spokesperson said to Vice. “Without these full details, we cannot have a strong guarantee that our current users are 100 percent safe from this zero-day as of today.” In other words, it is possible that the flaw relied on a chain of other flaws that may still be partially unpatched, leaving other users of the platform at risk.
Should the FBI use exploits from private companies?
A final key question raised in the wake of the article focuses on whether the FBI should be using exploits developed by private companies. The FBI’s interest in and use of lawful hacking is becoming better understood recently and, as in the San Bernardino case and the investigation into the 2019 shooting at a naval base in Pensacola have shown. the federal law enforcement agency is becoming increasingly more adept at doing so.
But is what happened in this case different? According to three Facebook sources that spoke with Vice, an intermediary passed the tool on to the FBI, who then obtained a court-ordered search warrant to have one of the victims send a modified video file to Hernandez. So while the FBI acted in their role as a lawful authority, should they have used the Gnome zero-day? And should they have notified Tails prior to or after their use of it?
Privacy advocates could be concerned with the government taking an active role in using a zero-day exploit without notifying Gnome, especially since the flaw could have been identified by others with more nefarious intentions to commit crimes against other law-abiding Gnome users. What is certain, however, is that questions like these are not unlike those citizens, law enforcement and privacy advocates debate when dealing with the FBI’s use of informants, undercover agents, wiretapping and other specialized law enforcement tools.
Bringing it all together
To privacy and security experts, the answers to these questions are very straightforward: Facebook should not have been involved in developing and distributing a zero-day exploit that could reveal private information about one of their customers. In the case of the San Bernardino terrorists, as Apple argued, there is no way to make their platforms or zero-days identified against them only effective against “bad guys” — so they should not be used at all, in case they end up in the wrong hands. Finally, the fact that the vulnerability was not disclosed via the usual channels further scares privacy advocates.
However, does the fact that Facebook was targeting an extremely bad criminal that was using its platform using a zero-day exploit that they understood to be imminently patched qualify as enough of a unique set of circumstances to allow for common security practices to be broken? And does this situation, combined with the fact that the zero-day exploit was not paid for by the FBI, but was provided through an intermediary with the knowledge of Facebook, save the FBI from any blame given their use of a lawful warrant?
Where do you stand on these issues?
Tech rivals join Apple’s legal fight against FBI, Business Standard
The CERT® Guide to Coordinated Vulnerability Disclosure, Carnegie Mellon University
Cybersecurity Tech Accord, cybertechaccord.org
Facebook Hires Firm in Hack to Help FBI Find Child Predator, Digital Privacy News
Trainee on Military Base Mounts Deadly Attack, The New York Times
Does the F.B.I. Need Apple to Hack Into iPhones?, The New York Times
Americans’ complicated feelings about social media in an era of privacy concerns, Pew Research Center
Statement from Tim Cook, Twitter