In what has become an increasingly bizarre case, researcher Justin Shafer was arrested Friday evening, detained in Dallas County Jail over the weekend on a “hold” request from the FBI, and then transferred to federal court today, where he was charged with cyberstalking.
For the benefit of those who haven’t followed this story from the beginning: Shafer is a dental IT integrator in Texas who is knowledgeable about patient management software in the dental sector. He has uncovered and reported a number of vulnerabilities that he discusses on his blog. Some of his research and advocacy resulted in enforcement action by the FTC to protect consumers and patients.
In addition to identifying and reporting vulnerabilities in software, Shafer finds patient data leaks by querying search engines such as FileMare for certain keywords and then checking the results for FTP servers configured to allow “anonymous” login, i.e., servers where anyone who connects can log in as user anonymous, with no real credentials, and read the files. When Shafer finds exposed protected health information (PHI), he generally contacts the covered entity or database owner to alert them, and then discloses it publicly, contacts the media, and/or files a complaint with the U.S. Department of Health & Human Services (HHS) alleging violations of HIPAA’s security requirements.
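The anonymous-login check described above, written out as an added example; this is not code from the original post or from Shafer. It uses only Python’s standard library. The in-process stub server and the loopback addresses are constructed for the demonstration so the script runs offline; the three outcomes it distinguishes (login accepted, login refused, server unreachable) are the ones a practitioner needs to keep apart, because an unreachable host is not evidence that the server is secured. Point it only at hosts you own or are authorized to test: as this very case shows, even reading from an open server can be characterized as access “without permission.”

```python
"""Check whether an FTP server grants "anonymous" login.

Added example; not code from the original post. Standard library only.
The stub server below is constructed for the demo and speaks only enough
of the FTP control channel (RFC 959) to answer USER, PASS and QUIT.
"""
import socket
import threading
from ftplib import FTP, all_errors, error_perm


def anonymous_login_allowed(host, port=21, timeout=5.0):
    """Try USER anonymous / PASS anonymous@ against host:port.

    Returns (status, message):
      status True  - server answered 2xx to the login: anyone can read its files
      status False - server answered 5xx: anonymous access is refused
      status None  - connection failed or protocol error; report this as
                     "unknown", never as "secure"
    """
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        banner = ftp.getwelcome()
        # FTP.login() with no arguments sends USER anonymous and
        # PASS anonymous@, the conventional anonymous-FTP credentials.
        reply = ftp.login()
        ftp.quit()
        return True, f"{banner.strip()} | {reply.strip()}"
    except error_perm as exc:      # 5xx reply: the server understood and refused
        return False, str(exc)
    except all_errors as exc:      # OSError (refused/timeout), EOF, malformed reply
        return None, str(exc)
    finally:
        ftp.close()


class StubFtpServer(threading.Thread):
    """Constructed loopback FTP server: serves one connection with a fixed policy."""

    def __init__(self, allow_anonymous):
        super().__init__(daemon=True)
        self.allow_anonymous = allow_anonymous
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
        self.listener.listen(1)
        self.listener.settimeout(5)
        self.port = self.listener.getsockname()[1]

    def run(self):
        try:
            conn, _ = self.listener.accept()
        except OSError:
            return
        finally:
            self.listener.close()
        reader = conn.makefile("rb")

        def say(line):
            conn.sendall(line.encode("ascii") + b"\r\n")

        say("220 stub FTP server ready")
        user = None
        for raw in reader:
            cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg.lower()
                say("331 Please specify the password")
            elif cmd == "PASS":
                if user == "anonymous" and self.allow_anonymous:
                    say("230 Login successful (anonymous, read-only)")
                else:
                    say("530 Login incorrect")
            elif cmd == "QUIT":
                say("221 Goodbye")
                break
            else:
                say("502 Command not implemented")
        reader.close()
        conn.close()


def run_demo():
    """Exercise the check against an open stub, a closed stub and a dead port."""
    results = {}
    for label, policy in (("open", True), ("closed", False)):
        server = StubFtpServer(allow_anonymous=policy)
        server.start()
        results[label] = anonymous_login_allowed("127.0.0.1", server.port, timeout=5)
        server.join(5)
    # A port that was bound and released: nothing listens, so connect() is refused.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()
    results["unreachable"] = anonymous_login_allowed("127.0.0.1", dead_port, timeout=5)
    return results


if __name__ == "__main__":
    for label, (status, message) in run_demo().items():
        print(f"{label:12} -> {status!s:5} {message}")
```

The check stops at the control channel: a `230` reply proves the server accepts anonymous credentials, but whether PHI is actually reachable depends on what the account can list and retrieve, which is a separate (and, legally, more fraught) step. Against a real host, replace the stub with the hostname and leave the port at 21.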
In May 2016, Shafer was raided by the FBI, as I reported on The Daily Dot at the time. It appeared, based on what Shafer was allegedly told by an FBI agent, that Patterson Dental might have complained that Shafer hacked them (see this incident that this site reported in February 2016).
The complaint filed with today’s charge makes clear that the May 2016 raid was, in fact, because Patterson accused Shafer of accessing their files “without permission.” Shooting the messenger instead of owning responsibility for a security mistake is neither appropriate nor helpful in improving cybersecurity: such accusations tend to chill other researchers from reporting what they find, leaving entities in the dark about their exposures and criminals with more vulnerable sites to attack.
No charges were filed against Shafer following the May 2016 raid.
In January 2017, Shafer was raided again, but still no federal or state charges were filed.
On March 22, the FBI issued a Private Industry Notice (PIN). That PIN said that the FBI was aware of some criminals accessing data from public FTP servers to harass, intimidate, and/or blackmail site owners. Could they have been talking about Shafer? The PIN appeared to have some possible connection to Shafer because he’s well-known for investigating open FTP servers, but the connection was not clear. Shafer’s style may be obsessive-compulsive, impulsive, and/or abrasive/obnoxious at times, but this site was not aware of anyone ever accusing him of blackmail or intimidation.
On March 31, the FBI raided Shafer for a third time, and arrested him for cyberstalking. Not hacking, not anything to do with FTP servers, but cyberstalking under 18 U.S. Code § 2261A(2)(B).
The complaint describes conduct Shafer allegedly engaged in with respect to one of the FBI agents involved in his case and that FBI agent’s spouse and family. While some of the behavior cited as evidence of cyberstalking occurred on Twitter, a lot of it occurred on Facebook. Sadly, and assuming for now that they can prove those tweets and posts were really by him, Shafer appears to have focused his outrage and frustration over the May, 2016 raid on one particular FBI agent and by extension, that agent’s family.
DataBreaches.net is not naming the FBI agent or uploading the complaint at this time. But if you’re thinking this story couldn’t get any more bizarre or unfortunate, let me assure you that it does get more bizarre. Apparently one region of the FBI was (and may still be?) investigating Shafer as a possible co-conspirator of TheDarkOverlord (TDO).
You can’t make this stuff up, folks. Well, maybe our President could or FoxNews could, but I can’t.
DataBreaches.net was unable to reach Shafer or his wife for a comment by the time of this publication, but will update this story as more information becomes available.
Just had to say something stupid about President Trump, didn’t you?
When you say words, what do they mean?
That is funny. Ditto to what he said.
Agreed. Petty and unprofessional of him.
The USG does not make many errors when arresting people. Currently the arrest to conviction rate is 99.3%.
Interesting stat, thanks. In this case, I think the legal issue may be whether what USG is saying is “cyberstalking” is speech that is protected under the First Amendment. Are we going to say that using publicly available tools to research people or to “dox” them is “cyberstalking?” If I just name your family members, am I “cyberstalking” you? I think we’re getting onto a bit of a slippery slope. That said, I am not unsympathetic to the FBI agent or his family. But I also know how harassed Shafer has felt at the hands of the FBI and how he obsessed over something this particular agent allegedly said during one raid.
In any event, getting raided and having your car(s) and/or devices seized all because you exposed the fact that a firm was leaking PHI on an anonymous FTP server, well, tbh, I’d be royally pissed, too…. and angry at the FBI for being used by a company that may be trying to deflect blame for their infosecurity failure. That’s not to excuse Shafer’s conduct with respect to the FBI agent and his family, but anyone judging Shafer’s conduct should see it in context of what has been done to him.
And claiming that he is being investigated as a conspirator to TheDarkOverlord just strikes me as an attempt to pad the complaint to make him appear to be some evil criminal. There is no way Shafer was or is in cahoots with TDO. Heck, Shafer has repeatedly tried to thwart TDO, and TDO knows that. The FBI should know that too, as Shafer’s been very open about trying to thwart TDO. He’s even contacted MI5 and the FBI himself to report some of TDO’s activities to try to help stop him/them. And while TDO has tried to turn Shafer to the dark side, Shafer was trying to get them to take a more moral path. So as far as I’m concerned, any claim that he’s a co-conspirator is likely to be a total fabrication or b.s. – or someone not understanding what Shafer was doing. As Shafer’s wife said to me after she read that part of the complaint, “he wouldn’t do anything like that – that’s just insane.” I agree. If the USG has any solid evidence showing him conspiring with TDO, I’d like to see it.
I’m sorry, but who the hell gets raided for cyberstalking like this? First time I’ve ever heard someone get raided and arrested for asking someone’s wife for his kids’ videos and posting a link to a public website with an old address…
They swat him for digging through facebook profiles and public records to find out how to directly contact a person who keeps dodging their calls? It’s basically the sort of thing ex-girlfriends, skip tracers and debt collectors do day in, day out! Lock ’em all up then! Seriously though, where’s the malicious intent they say is behind this charge?
He didn’t post anything that wasn’t already publicly accessible information and his “broadcast” of all this information was to a significantly limited number of facebook users and twitter followers, most of whom probably weren’t even paying attention. Since they’re subpoenaing the records from facebook, perhaps they’ll also discover how many people actually clicked on or viewed all this threatening/harassing content. Yeah, I’m aware the law doesn’t care about that, but context is important isn’t it?
It’s pretty clear that Justin didn’t even know the actual name of the agent handling his case, calling him “Hawk” for months and months in his tweets. What is up there? The FBI doesn’t have enough money to give their agents business cards to hand out to the folks whose lives and homes they turn upside down looking for something to charge them with? The agent raided him three times, right? Surely he could have had the courtesy of leaving a direct number or an email address where he could be reached if Justin ever wanted to reach out.
I saw Justin’s posts on twitter, but I don’t facebook. I see via the complaint/affidavit that his messages to the agent, his cousin and his wife were not threatening at all. He’s been harping for months on twitter about the stuff they took from him, and the damage they did to his car. They ignored all those tweets when they considered his intent in all this and concentrated on the ones where he calls out the agent for being a dick and not responding to him. Seems obvious to me that he’s just a very frustrated man wanting to know who at the FBI was going to bring some resolution to all of it and a return of their property. You want to REALLY leave an entire family under a dark cloud of emotional stress for over a year? One way is to send them an unsolicited, completely benign, milquetoast message on facebook with smiley face on the end. Another way is to bring in an armed team and raid their home, 3 times, also refusing to reveal any probable cause, lay any charges, or provide any indication when they can get their life and property back for over a year. The complaint says the agent and his wife suffered substantial emotional distress over all this facebooking and tweeting over the span of a couple of hours on March 21, so they must totally understand what Justin’s family are going through too. Seriously, I wonder if the agent who reported this to the complainant ever considered the level of emotional distress Justin’s family has gone through. Justin’s kids got to wake up to assault rifles pointed at daddy’s face, all their computers taken away, daddy hauled away in handcuffs. Stuff like this can ruin a person’s life, wind up in divorce, a loss of business, loss of home when the mortgage can no longer be paid… It takes quite a special person to equate what Justin did on twitter and facebook to what his family’s been put through.
What I don’t understand is why the hell they had to take anything in any of the raids to begin with. You can do a block-level copy of large drives quite quickly at 6Gb/s, very fast! Do it, then head back to the office to examine the clone for crimes until the cows come home. When you find something naughty, THEN you indict. Clearly they had nothing on him in raids 1 and 2, and I’ll assume 3 too, other than what they have from facebook and twitter, or they would have indicted and arrested him by now for other stuff. Why the hell do you have to put a gun in a guy’s face and take away his ability to earn a living?
What did he do that chilled them to the bone so deeply that they had to raid him a third time and arrest him?
He discovered the lead agent’s wife on facebook, then PM’d her to politely ask how she was, asked her to say hello to the agent and asked her to pass on a message to him requesting the return of the videos of his children. Finally, he says she should use her real last name on facebook. Each line was followed by a smiley emoticon.
Yeah, I can see how that could tear you apart emotionally, definitely on par with the shitstorm the Shafer family has been put through… All in an effort to gather evidence for, thus far, what appears to be imaginary crimes. I think it would have been a lot less stressful for all involved if the agent just took the time to return his contact attempts and corrected the errant contact information that Justin had for him. Sometimes it’s those small touches that mean a lot.
It’s also interesting to see how the affidavit reads entirely slanted in the background history the author(s) writes. It’s definitely padded with plenty of negative information regarding Justin’s possible connections to TDO and what happened with Patterson’s public FTP server. The background history fails to mention all the work he’s done to responsibly report on and fix the HIPAA security holes at dozens and dozens of health facilities across the country and even in other countries. Not a peep about all of his submissions to HHS/OCR, the work he’s done to pressure stakeholders to secure their software, the research he did to uncover lies told to doctors by the biggest software provider in dental resulting in a huge FTC fine, the contributions he’s made to Homeland Security by reporting on holes in EHR software to CERT. It also doesn’t mention the investigation he did himself to clear his name of any involvement with a patient breach in Williamsport, PA, a summary of findings that kinda makes the feds look like they don’t know how to do their jobs. I see on his blog that they closed that case and the covered entity didn’t have to report to HHS. Why wasn’t any of that mentioned in the background history in the complaint? I get the sinking feeling they are going to say that everything positive he’s done was all just subterfuge to mask his true intent as a co-conspirator of TDO… If that’s the direction they’re headed, they better have some AMAZING evidence to support that, because I would have a very hard time believing it at all. Before/if they indict, they’d better take a long hard look at that evidence to make sure it’s legit too. If Patterson is capable of making Shafer out to be some mastermind hacker in the eyes of the feds for accessing an open FTP server, then it stands to reason these investigators might be fooled into believing digitally planted evidence as well. Innocent until proven guilty, people. Prove it, beyond doubt.
To think that all of this started because some big corporation cried wolf about getting hacked, which was absolute bullshit. Instead of bucking up and taking the blame, they point the finger at the guy who reported the problem to them, who tried to responsibly help that company fix their security hole AND help the 22,000 people the company put at risk. He didn’t ask for money or favors or try to extort them in any way. Did the company offices get raided? Did the FBI demand a warrant to reveal their FTP server logs? I’d love to see the investigation work they did on that end before they decided they needed to raid his house. The affidavit states that they ALREADY knew that Justin accessed the open/public FTP server and had found this patient information and downloaded it to verify it was what he thought it was. What additional evidence did they need to constitute probable cause on the issue of that initial warrant? They state in this complaint that was the purpose, to find evidence for something they ALREADY had proof of. Justin documented, with detail, how he handled this situation on his blog and the steps he took to make sure the data hole was closed and the patient info destroyed once he knew Patterson fixed it up. Did they read any of that? Why didn’t they include that little nugget in their background? They also had Patterson telling them that Justin’s IP address was confirmed by their logs. I’m curious, how did Patterson “confirm” that IP address anyway? Wouldn’t that have been something under the domain of the cops? Were those logs forensically examined? Are they sure the logs were not tampered with? I guess it doesn’t matter; the point is, they already knew what they say they needed to get the warrant for the initial raid.
To me, that means ALL of this DIDN’T need to happen.
Oh, and how about those comments the authors mistakenly left in the affidavit? I say authors because despite being signed by a single agent, it’s clearly some sort of collaborative effort. How did a judge even sign off on all that? Did the judge not see those comments on the side and ask “wtf is this?”
The first margin comment discusses how they’ll “frame” the 119 charge to show “intent” to doxx a gov’t employee. The link they based that on was a tweet link to the address of a home they used to live in, not their current one. Am I the only one who can see by the timeline of his tweets that his objective was to find out the name and contact information for the agent and he was simply displaying the chain leading up to that? That’s really a crime? If so, is it really a crime that warrants a raid and arrest by the federal gov’t? Take out the TDO and Patterson taint job and I just can’t understand why any judge would sign this thing.
I also got a kick out of the comment where the authors seem to question themselves over whether the tweet they used as their proof for the 2261A charge was threatening enough. One asks, “Were the communications to the judge more clearly threatening?” WTF is that supposed to mean? Was this not the document the judge reviewed before signing a warrant? What other communications were involved? How many authors does this complaint/affidavit have anyway? Who was the co-author? This is going to be a fun case for a competent defence attorney to rip apart.
Conviction rate? Please. Google “FBI hair analysis” to learn how “errors” change the course of a case as it winds through the system (14 of them wound up with a needle in some dude’s arm). This is not a theory or allegation by some internet quack on a rant–the top hit of your search will take you to an fbi.gov address. Don’t take my word for it.
If the bad hair analysis doesn’t convince you, just look into bite, fiber, arson, or ballistics analysis. Or dna, it doesn’t matter.
If you think 99.3% has anything to do with guilt, I have a bridge to sell you. If you think it has anything to do with reasonable doubt, you already bought it.
If you really want a meaningful number, go look up the percentage of cases that never make it to court–it’s staggering, and it has nothing to do with guilt or innocence. A deal means no jury, no scrutiny, no accountability…but a great conviction rate. This is how they roll.
No matter what he did, good or bad, if he is charged with cyberstalking, then he will be convicted of that unless some plea bargain is done. Cyberstalking an FBI agent? Good grief. Just lying to a federal agent carries a 5-year sentence. Cyberstalking an FBI agent’s family? He could be facing 5 to 10 years times the number of people in the family.
I’ve known Justin for a few years now through the dental IT world. We’ve met in person to have coffee and he’s an extremely intelligent guy. The dental software world has benefited from his work for many years and it sucks that he’s facing what he’s facing now. I don’t believe any of the charges of hacking or rumors of it that have floated around him. He’s trying to improve the security of patient data, which everyone should appreciate. I hope this current battle ends well for him.
I’ve heard from a number of people by now. No one who has contacted me believes for even one minute that Shafer would ever conspire with TheDarkOverlord. As you note, he works to improve the security of patient data.
And as to “hacking” a software firm: we all know that b.s. “shoot the messenger” approach. The firm had a security failure. He found it and had me help him notify them. They should have thanked him instead of trying to criminalize downloading data that was left available to anyone without any login required. And did they really claim they figured out his ID on Feb. 19? I had reported the breach/leak to them on February 6 and reported it publicly on February 15. It was never a secret that Shafer found the exposed data – he reported it and I reported it. Does that sound like a criminal hacker to you? It doesn’t to me. Sheesh.
Everything I know about him tells me he’s not a criminal. I really want to help him and his family, but I know he’s in a difficult place at this moment. I live fairly close to him, so if anyone reading this can communicate with him, let him know I’d love to help.
You and other friends of his may want to think about setting up some legal defense fund for him or a fund to help his family, as he is the sole income earner and with him in jail, his wife tells me it’s very difficult for them right now.
Then you don’t really know him and what he’s done. Ask Dentaltown or the ADA about his activities, they will paint a different picture for you.
Read this:
http://justinshafer.blogspot.com/2016/04/how-i-helped-secure-dental-industry_25.html
Specifically, you should read the parts about how he made dentaltown and the ADA well aware of the security holes they had and the circumstances regarding his ban from the site.
Fun thing about painting pictures is that everyone has their special perspective on things, am I right?
Patterson’s perspective is they didn’t leave patient information freely available to any anonymous user on their public FTP server. No, never! They were “hacked”! You think other dental corporate entities would ever admit that they might have had screen-door security issues with their websites? It would look especially bad for them when they were told about those issues by a certain security researcher and they still hadn’t fixed them. No, I don’t think their picture would look any different than Patterson’s, and I suspect they’d just play victim and shoot the messenger instead.