Buster Hernandez was sentenced to 75 years in federal prison. Better known by his online pseudonym of “BrianKil,” Hernandez has spent years harassing and terrorizing hundreds of girls, some as young as 12 years old. He would extort nude photos and videos from them, threatening to rape and kill them if they did not comply with his demands. In all, he ultimately faced 41 separate allegations, including charges related to the distribution of child pornography. The world is a less ugly place with Hernandez behind bars, but the story of how the FBI ultimately found him raises tough ethical questions as well.
Hernandez used a combination of Tor and Tails, an operating system focused on confidentiality, to hide its identity and location. Initially, these measures hampered the FBI until the agency sent Hernandez a trapped video which took advantage of a vulnerability in Tails’ video player to relay its real IP address. Last June, Motherboard found that Facebook had paid cybersecurity company develop the exploit and that he handed it over to the FBI through an intermediary. It is not clear if the agency knew the source of the exploit before Motherboard published its report. For its part, Facebook says it was the only time in its history that it had helped the police to hack one of its users.
“The only acceptable result for us was that Buster Hernandez was convicted for his mistreatment of young girls,” the company said at the time. “It was a unique case, because he used such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.
The problem is, Tails is used by a lot of different people, including activists, journalists, and government officials. As of last year, no one involved in the development and use of the exploit had disclosed the vulnerability that allowed it to the Tails development team. There is no evidence the FBI used it against anyone else, but the door to abuse is open.