Buster Hernandez has been sentenced to 75 years in federal prison. Better known by his online alias of “BrianKil,” Hernandez spent years harassing and terrorizing hundreds of girls, some as young as 12-years-old. He would extort them for nude pictures and videos, threatening to rape and kill them if they didn’t comply with his demands. In all, he eventually had to answer for 41 separate allegations, including charges related to the distribution of child pornography. The world is a less ugly place with Hernandez behind bars, but the story of how the FBI was eventually able to track him down also raises some hard ethical questions.
Hernandez used a combination of Tor and Tails, a privacy-focused operating system, to hide his identity and location. Initially, those measures stymied the FBI until the agency sent Hernandez a booby-trapped video that took advantage of a vulnerability in Tails’ video player to relay his real IP address. Last June, Motherboard found that Facebook had paid a cybersecurity firm to develop the exploit and that it had handed it over to the FBI through an intermediary. It’s not clear if the agency knew the source of the exploit until after Motherboard published its report. For its part, Facebook claims that was the only time in its history that it had helped law enforcement hack one of its users.
The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls, the company said at the time. This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.
The problem is that Tails is used by a lot of different people, including activists, journalists and government officials. As of last year, no one involved in developing and using the exploit had disclosed the vulnerability that had enabled it to the Tails development team. There’s no evidence the FBI has used it against anyone else, but the door for abuse is open.