From the you-really-should-have-read-my-About-page dept:
In today’s episode of “Shoot the Messenger,” a company in India that apparently didn’t want me reporting on their data leak got a court there to issue an injunction barring me from publishing. They also filed a criminal complaint against me and this blog based on what appears to be a litany of false accusations and misunderstandings.
The Injunction
The injunction was issued by a civil court in Bengaluru on August 6th — five days after I published my report on the leak. The plaintiffs are seeking a permanent injunction that would bar me and my site:
from disclosing, publishing or broadcasting the schedule data or any part thereof; and
from publishing or broadcasting any report or article on the breach of the schedule data as threatened (sic) in their emails dated 11/06/2019, 14/07/2019 and 30/07/2019 addressed to the plaintiff;
The suit also seeks to direct Domain People to block the website of DataBreaches.net.
Importantly, it appears that the firm’s lawyers never informed the court that my article had already been published prior to the issuance of any injunction, thereby depriving the court of the opportunity to review the reporting to determine whether there was anything in it that would have warranted an injunction.
1to1Help.net’s court filings, prepared by their lawyer, are filled with errors of omission and commission.
As but one example: their lawyer falsely claims that my site is a rogue site and has no name, address, or phone number on it. Yet their very own screencap shows my Contact page which has my site’s phone number right there in how to contact me. Maybe they don’t know what Signal is or they don’t recognize a U.S. phone number?
And “rogue” site? I’m pseudoanonymous (not anonymous), and this site has been in existence for 10 years. It is respected by a lot of infosecurity professionals. It is also read by law enforcement when they are trying to build cases against hackers and want to see what I’ve found in my investigations. “Rogue site?” Hardly.
In any event, if I understand their filings, they are apparently trying to claim that I was trying to blackmail the company by asking for information that the company had no obligation to give me and by giving them deadlines to respond to my inquiries.
Journalists often include deadlines in email inquiries. Those are not “or else” deadlines, but merely deadlines by which we need the answers to include in our report. It seems that I may have criminal charges against me for committing journalism and letting a respondent know my deadline for including their answers in my reporting.
Maybe the Plaintiff Should Be the Defendant?
Rather than futilely trying to censor me, maybe the court should crack down on Indian companies that do not secure sensitive data adequately and that ask the court for help in covering up a leak.
Maybe the court should ask 1to1Help.net why years-old unencrypted sensitive and identifiable information from former clients’ employees was even in that bucket? Some of the companies reported that they had not used 1to1Help.net in years. So why were their employees’ sensitive unencrypted counseling logs stored this way?
This leak was not the fault of databreaches.net or the researcher who found it and provided data to this site. This leak was the responsibility of the entity responsible for securing the data properly but who did not encrypt it, who failed to detect their own error, and who then ignored multiple attempts to notify them that they had a leak.
What if I hadn’t persisted in trying to notify them? Their filing notes that they were contacted by a client on June 27. Whom do you think notified that client? It was this blogger and this site — still trying to get 1to1Help.net to address the leak. Not to toot our own horn, but if it wasn’t for this site’s persistence, they’d still be exposing sensitive data that the whole world could be downloading. And yet the company wants me charged criminally and got an injunction to try to censor me from reporting on their security incident?
India doesn’t get to dictate what we get to report on in the U.S. I genuinely mean no disrespect to the court, but that injunction is meaningless and I am ignoring it.
The First Amendment is still a thing here.
As to 1to1Help.net: well, they didn’t want me reporting on their data leak, but I don’t think their attempt at censorship is working out too well for them so far.
If you want to see my report on 1to1Help.net’s leak, you can read it here.