I haven’t had time to really read this carefully yet, but Tor Ekeland has filed a motion to dismiss U.S. v. Shafer, a case that may leave you scratching your head and wondering why the government is devoting so many precious resources to persecuting and harassing one of the good guys.
And for all this time, while they kept Shafer in pre-trial detention because he exercised his First Amendment rights, how many FTP servers have been serving up patient data to criminals but no one has been trying to warn the server owners to secure their data? How many vulnerabilities in software are being exploited by criminals because Shafer isn’t busy identifying and reporting vulnerabilities to CERT?
MoTD_US_v_ShaferShafer’s trial is still scheduled to begin January 22, but the court has not yet ruled on a motion to continue.
Update: The trial is now scheduled for March 26, 2018. Maybe the MOtD will make that unnecessary? One can hope.
Gave it the once over, the transcript reads as if an FBI agent is covering his butt and his buddies butt.
That cross exam tho!! Damn!
Q. You can’t identify a single instance where anyone has
threatened any of these people.
A. Correct. And that’s why we took the actions that we did
and stopped the actions of Mr. Shafer before it did go to that
point, and that’s why we took the necessary actions of issuing
— getting a complaint so we can stop him from doing those
things. If he did go so far — through searches and through
reviewing the searches of his Google account, we did find that
he was aware of Ms. Hopp’s employment, so it wasn’t going to
be long before — if he starts posting information about her.
And so, of course, that wasn’t known at the time, but we
wanted to do — we did what we did to stop him before he did
escalate it to the point where somebody would get hurt.
Q. Okay. He did Google searches of public information.
A. Correct.
Q. And you just said you had to stop him from doing stuff
based on his public searches of information. Is that correct?
Did I hear that right?
A. We had to stop him before he posted — before somebody
did get hurt, yes. That was our intent. Before somebody did
get hurt, that was our intent.
Q. Before somebody got hurt.
A. Yes, sir.
Q. But that address is public. Was public. Correct?
A. I’m aware — I believe so. I’m not sure, though.
(Maybe he should check the margin comments on his complaint. he seems to know better there. )
Q. Based on what? What makes you think that somebody was
going to get hurt here? The tweets on March 21st?
A. Whenever he shares his address, his intent is let everybody know where they live.
(Or maybe he’s just keeping a public record of his discovery as he goes along searching for Hopp? Maybe?)
Q. After the 21st he had no contact with her.
A. No. Not that I’m aware of, no
Q. He never talked about her again, did he?
A. I’m not aware, no
Q. And like you testified earlier, he never showed up at her
house or anywhere where she was.
A. Not that I’m aware, no
So let me get this straight… The guy just testified that they arrested him 10 days after the fact out of the fear that he was going to threaten the wife, or hurt the wife, and to stop him from going further as if there was some sort of imminent danger.
Given his high level of concern for Ms. Hopp’s safety, should this agent not have been acutely aware of what Justin was doing, saying, texting, messaging, etc. for the entire 10 days he was free prior to arrest? Did they put her in protective custody? A Net Nanny Jusitn’s Internet connection? Did they assign agents or cruisers to keep an eye on her house or her social media feed or to keep an eye on him? Goodness!! How irresponsible of them to just leave her out there unprotected on social media, with Justin on the loose and with full access to the Internet. God forbid, could you imagine? He might have done something really crazy, like paid for the premium version of a linkedin account to send her a message there too.
I’m sure the prosecution deeply regrets putting him on the stand. What lunacy.
It took me awhile to catch up on this. I didn’t get a chance to fully read the motion yet. Thank you for providing related links to the blog posts. It helps readers stay better apprised and more informed on other related issues.
I have a few questions that are perplexing. mAybe you can answer, since you’re knowledgeable and I guess a colleague/blogger buddy.
What did he Exactly do that was so extreme to this agent’s family that he is being accused as an alleged cyber stalker. This is all very vague in the reports. Did he violently threaten, or Actually get violent? And does the prosecution have more evidence that no one is privy to?
That part is vague and it does not make sense. Let me see if I get this straight. You can help me clarify if I am missing something. Justin is a security researcher who looks unsecured databases. He found a few as well as the culprits and sends information to FBI. FBI apparently doing nothing and blowing smoke, decide to raid him like he is the bad guy. The supposed agents apparently stepped over the line and abuse their power.
Justin and his family feel violated. Something apparently snapped where Justin wants to protects his family, makes some poor and impulsive choices towards 1 agent.
Am I missing something here? The reports by you make it sound like he didn’t do anything so illegal. When has it been a crime to arrest Someone for ridiculing and bothering people on social media?
Is there more that meets the eye here?
Also you mentioned he outed your identity on Twitter which is horrid. For a security researcher who tries to protect data, it’s shocking 1 can do that. Do you ever question if there is more to this than you are not aware of?.
If someone revealed my identity, I would be really cheesed and question a lot.
I will try to answer your questions, but it will take time to write everything out. I’ll see if I can find time tomorrow, although I’m also in the middle of reading Fire and Fury.
OK, so I’ve tried to answer your questions below. Snipping a bit where I can….
I’ve been interviewing Shafer and reporting on his research since 2013. He and I collaborated on filing an FTC complaint about a firm advertising encryption when there was no encryption, but none of that makes me his friend or buddy. As a blogger/journalist, I’m friendly in my conduct to a lot of sources or people I interview. In Shafer’s case, though, I have written opinion pieces because I think his civil rights have been violated and his case threatens all of us who engage in security research and disclosure.
You can see the evidence/tweets they are basing the complaint on in the affidavit that is attached to the complaint: https://assets.documentcloud.org/documents/3535241/Shafer-Complaint.pdf
And keep in mind that that is ALL that there is in the way of evidence that Shafer allegedly cyberstalked SA Hopp and SA Hopp’s family.
To be clear: there was no violence. There was no physical contact at all. He never approached SA Hopp or SA Hopp’s family offline at all. He didn’t threaten anyone physically. There was one tweet (out of more than 5,000 tweets) that they tried to claim was threatening and I suppose if you take it out of context, you could try to make that case, but there were no threats made or presented to the court as evidence of actual threats.
So in the absence of actual, demonstrable threats, they took the position that the tweets were harassing and caused great emotional distress. And – according to SA Buentello – they arrested him because they were trying to PREVENT it getting to the point where harm/injury would be done. As in, if they didn’t stop him, he might contact Mrs. Hopp or family members or her employer, even though there was no evidence he had or would do any of that in all the time that had passed.
Sounds like prior restraint of speech to me, but then, I am not a lawyer.
Almost, but not quite. Shafer researched exposed FTP servers and found unprotected databases with protected health information (PHI). Shafer generally (1) notified the covered entities or server owners, and in some cases, (2) filed complaints with HHS/OCR, and/or (3) notified the FBI of the exposed databases. HHS generally did nothing in response to the complaints Shafer filed, and the FBI didn’t answer him at all.
In May, 2016, Shafer was raided by the FBI because one entity (Patterson Dental) allegedly tried to cover their asses by claiming that Shafer had HACKED them. I reported on the raid here: https://www.dailydot.com/layer8/justin-shafer-fbi-raid/ (Later I learned that Shafer was inaccurate in telling me that the baby’s crib was right by the door, so if you read that report, ignore that claim as it was wrong).
Shafer was never charged with anything after the May, 2016 raid.
In an unrelated matter, and beginning in July 2016, Shafer helpfully sent info to the Dallas FBI about blackhats known as TheDarkOverlord. In addition to emailing the Dallas FBI with info about the criminals and providing files/data, he also called the St. Louis branch of the FBI (where some of TheDarkOverlord’s victims were).
Note that he was trying to help them in July 2016 and thereafter, despite the fact that they had raided him and treated him like a criminal because Patterson allegedly tried to claim that he had hacked them when they left PHI exposed.
Shafer was raided again in January, 2017. Months later, we learned that that raid was presumably related to the Atlanta FBI believing Shafer might be conspiring with TheDarkOverlord. Apparently the Dallas FBI never read Shafer’s helpful emails and did not share them with other regions who were investigating TheDarkOverlord.
Once again, Shafer’s devices were seized (he still hadn’t gotten devices back from the May, 2016 raid). And once again, his family was upset and his life thrown into upheaval.
Oddly, in February 2017, the FBI issued a warning to entities about securing FTP servers. Their PIN made it sound like evil hackers were finding unsecured data and then trying to extort CEs. But they provided no evidence that that had happened, and it wasn’t clear to me if they were somehow believing that Shafer had done anything like that.
I think that’s probably true, but you’d have to ask him how he and his family feel.
Nothing snapped and Shafer didn’t snap. Shafer was repeatedly ignored when he made requests to the FBI and courts to find out what was going on and why he hadn’t gotten his devices back, etc. So he got frustrated and angry and tweeted and emailed his frustration and anger. That didn’t change, though. The only thing that changed was that in March, he learned the correct name of the agent and tweeted out info about the agent and the agent’s family that he found in public info. When he was tweeting out the wrong name, the government did nothing. This only happened after Shafer tweeted and posted the agent’s name, the wife’s name, and some minimal info he found in a google search.
He didn’t. He is basically being charged with three felony counts for doing google searches, and posting publicly available information and for dissing the FBI.
I doubt it.
The FBI are trying to protect their own and court personnel from harassment. Shafer sent hundreds of emails to the the FBI and court because no one ever acknowledged his inquiries or answered him. And no one in the FBI ever gave him a name and phone number he could contact – whether to ask questions or to provide helpful info. Had they had the courtesy to answer him – even a “thanks for the tip/info,” the outcome might have been significantly different. But they just kept raiding him, and ignoring his inquiries without ever charging him with anything related to the first two raids. So here’s a white/greyhat trying to helping them and they keep treating him like a blackhat and ignoring his reasonable inquiries and his attempts to help them.
Shafer was upset, impulsive, compulsive, and a tad paranoid at the time that he did that on Twitter. He regretted his conduct afterwards and apologized repeatedly and genuinely. Even if he hadn’t apologized, though, I still think more people need to stand up and defend Shafer because his case is rife with important First Amendment issues for us all. If public searches and posting public info is cyberstalking, we are all at risk of being criminally charged. And if the FBI is going to raid researchers because companies want to cover up their mistakes by accusing researchers of “Hacking,” then researchers will no longer disclose what they find – is that what we really want?
Ok. No problem.
Also, my friend just sent me Fire and Fury so I get it. I need to keep a list of many of the vocab words….heavy reading but not sure how to describe it
Thank you for summarizing and clearing up points that are a bit confusing, for those who need a cliff notes version. It sounds like the most knowledgeable on this case, are scratching their heads on this one too. It also took me some time to read through your replies, as well to gather my thoughts and notes. I have a few more questions and responses, if that is okay to share.
This sounds like originally began as a databreach and leak situation, but has turned into a privacy and civil liberties issue instead. Perhaps you want to take your responses and cross link this to your Pogo site.
“I’ve been interviewing Shafer and reporting on his research since 2013. He and I collaborated on filing an FTC complaint about a firm advertising encryption when there was no encryption, but none of that makes me his friend or buddy. As a blogger/journalist, I’m friendly in my conduct to a lot of sources or people I interview. In Shafer’s case, though, I have written opinion pieces because I think his civil rights have been violated and his case threatens all of us who engage in security research and disclosure.”
There may be confusion or more needs to be clarified here. I didnt actually call him “your friend.” “Blogger Buddy” is a coined up, unofficial term to describe ‘bloggers who not just read followers blogs, but engage, invite to do blog posts, collaborate, share thoughts, in the blogosphere world. It doesnt necessarily mean that blogger buddies are friends and socialize outside of blogger life, (although some have) its just a polite term to describe bloggers who constantly read and communicate with each other. I read your about section on the blog. It didnt seem appropriate to call you two business or work associates since you are not in the same field, and this seems to be more of an interest for you as an extremely passionate advocate. Blogger cohorts just sounds weird but a little amusing, so I just said ‘blogger buddy’ in that case. I didnt actually mean to imply that you two were friends off blogosphere.
“You can see the evidence/tweets they are basing the complaint on in the affidavit that is attached to the complaint: https://assets.documentcloud.org/documents/3535241/Shafer-Complaint.pdf”
Thank you, this is helpful. I am still taking time to read it.
“To be clear: there was no violence.”
I am sorry that I implied I thought there was violence. I never actually thought he provoked harm on this agent or the agent’s family. I just dont understand why the govt is wasting all of their resources and taxpayers money on prosecuting a man who has very little to no evidence against him. I asked, to question if there was more that no one is aware of.
“So in the absence of actual, demonstrable threats, they took the position that the tweets were harassing and caused great emotional distress. And – according to SA Buentello – they arrested him because they were trying to PREVENT it getting to the point where harm/injury would be done. As in, if they didn’t stop him, he might contact Mrs. Hopp or family members or her employer, even though there was no evidence he had or would do any of that in all the time that had passed.”
Didnt he contact his wife on FB that was a bit off putting?
“Almost, but not quite. Shafer researched exposed FTP servers and found unprotected databases with protected health information (PHI). Shafer generally (1) notified the covered entities or server owners, and in some cases, (2) filed complaints with HHS/OCR, and/or (3) notified the FBI of the exposed databases. HHS generally did nothing in response to the complaints Shafer filed, and the FBI didn’t answer him at all.”
Is there anyone else who could have been contacted besides the FBI? Before reading about this case, I never had high regards for the FBI. I wonder if more contacts and resources could have been contacted to help.
“Shafer was raided again in January, 2017. Months later, we learned that that raid was presumably related to the Atlanta FBI believing Shafer might be conspiring with TheDarkOverlord. Apparently the Dallas FBI never read Shafer’s helpful emails and did not share them with other regions who were investigating TheDarkOverlord.”
Is it possible thedarkoverlord sent info in regards to this raid? I dont want to assume here, either Dallas FBI gets too many emails to read everything or they just didnt care.
“Justin and his family feel violated.
I think that’s probably true, but you’d have to ask him how he and his family feel.”
I could ask him. However, I never met a parent who did nothing when they thought their child or family was in harm’s way or violated in any capacity.
“Nothing snapped and Shafer didn’t snap. Shafer was repeatedly ignored when he made requests to the FBI and courts to find out what was going on and why he hadn’t gotten his devices back, etc. So he got frustrated and angry and tweeted and emailed his frustration and anger. That didn’t change, though. The only thing that changed was that in March, he learned the correct name of the agent and tweeted out info about the agent and the agent’s family that he found in public info. When he was tweeting out the wrong name, the government did nothing. This only happened after Shafer tweeted and posted the agent’s name, the wife’s name, and some minimal info he found in a google search.”
You are claiming he didn’t snap. Yet, its this behavior, regardless if it is perfectly legal or illegal that got him into this hot water mess in the first place. I am an advocate like you to get stuff out there. At the same time, I think there is a line that needs to be remembered when tweeting out or leaving comments on fB publicly about people where anyone can see it. I mean damaging info. In the digital world,. I think people are forgetting how written words can eventually come back to haunt you later on.
“Shafer was upset, impulsive, compulsive, and a tad paranoid at the time that he did that on Twitter. He regretted his conduct afterwards and apologized repeatedly and genuinely. Even if he hadn’t apologized, though, I still think more people need to stand up and defend Shafer because his case is rife with important First Amendment issues for us all. If public searches and posting public info is cyberstalking, we are all at risk of being criminally charged. And if the FBI is going to raid researchers because companies want to cover up their mistakes by accusing researchers of “Hacking,” then researchers will no longer disclose what they find – is that what we really want?”
I didnt think the outing was intentional, yet rather compulsive and impulsive as you stated in your response to me. I took that situation, as when you are back is against the wall and you are not sure where to turn to, you starting out acting out, and compulsively and self destruct a bit. That is why I asked, if he did more that no one was aware of. In regards to the first amendment issue, I am going to suggest again about maybe posting this to the Pogo blog. In regards to the first amendment issue, how come EFF, ACLU, civil liberty lawyers, etc, stepped up their game to help him? This case has strikingly some similarities to the Malware Tech/Marcus Hutchins case. His case is being treated much more differently by first amendment lawyers, blogger and independent journalists (besides you and Techdirt).
I think I covered everything. Thank you for answering my questions. Very helpful.
This will have to be my last reply in this thread as although your questions are fine, I’m finding it difficult to make time to answer them all.
I’m going to snip to get to your new questions. As a reminder to any readers: the government’s probable cause evidence was contained in their affidavit attached to: https://assets.documentcloud.org/documents/3535241/Shafer-Complaint.pdf
I had written:
“… according to SA Buentello – they arrested him because they were trying to PREVENT it getting to the point where harm/injury would be done. As in, if they didn’t stop him, he might contact Mrs. Hopp or family members or her employer, even though there was no evidence he had or would do any of that in all the time that had passed.”
You asked: “Didnt he contact his wife on FB that was a bit off putting?”
Ugh. Sloppy writing/error on my part. It should have read “contact Mrs. Hopp offline or contact her or her family members’ employers.” Sorry about that. Shafer did send one message to Mrs. Hopp on FB messenger and it is contained in that documentation file I linked to. The message wasn’t a threat.
So what harm was DOJ trying to “prevent” when there was no evidence of threat and no follow up at all from the time of that post until the complaint was filed? Is one non-threatening tweet or one online message on one day sufficient to charge someone with cyberstalking or harassment, both of which generally require a *pattern* of behavior?
I wrote:
“Shafer was raided again in January, 2017. Months later, we learned that that raid was presumably related to the Atlanta FBI believing Shafer might be conspiring with TheDarkOverlord. Apparently the Dallas FBI never read Shafer’s helpful emails and did not share them with other regions who were investigating TheDarkOverlord.”
You asked: “Is it possible thedarkoverlord sent info in regards to this raid? I dont want to assume here, either Dallas FBI gets too many emails to read everything or they just didnt care.”
To the best of my information and belief, TheDarkOverlord did not send info to the FBI that would explain that raid. I think TDO played games in DM chat with Shafer, knowing that the FBI would read the transcripts. I am not at liberty to provide additional details on this.
I wrote: “Nothing snapped and Shafer didn’t snap…..”
You responded: “You are claiming he didn’t snap. Yet, its this behavior, regardless if it is perfectly legal or illegal that got him into this hot water mess in the first place.”
There is no “regardless.” He engaged in protected speech and tweeted publicly available information. They’re trying to find a way to punish him for speaking up and out against the FBI agent and the Dallas FBI.
I am actually quite disappointed in the FBI. This all could have been avoided if THEY had handled themselves differently and responded to him when he tried to help them or asked them questions about his case.
Despite what you claim, it was not his behavior that got him into this mess…. it was the false accusation by a firm that created/started this whole mess.
You wrote: “This case has strikingly some similarities to the Malware Tech/Marcus Hutchins case.” I don’t see that at all. The only 1-A issue I see in Hutchins’ case involved whether writing code can be criminalized. It is a very different 1-A issue than I see in Shafer’s case.
This isn’t on Pogo because this case really isn’t a privacy issue, even though the govt is trying to reframe it as a cyberstalking/privacy issue. It is a speech issue, and Pogo is for privacy issues. Eventually, I may blog about it over there, but not at this time. Thanks.
“This will have to be my last reply in this thread as although your questions are fine, I’m finding it difficult to make time to answer them all.”
Thanks for putting in the time to answer. It is all very confusing.
I am going to add a few more thoughts, no questions need to be answered.
“There is no “regardless.” He engaged in protected speech and tweeted publicly available information. They’re trying to find a way to punish him for speaking up and out against the FBI agent and the Dallas FBI.
It may be protected speech. Just because you can do something, doesnt mean you should d something. Not that it is illegal to do dumb stuff on the internet.
“I am actually quite disappointed in the FBI. This all could have been avoided if THEY had handled themselves differently and responded to him when he tried to help them or asked them questions about his case.”
I am not surprised. For years, I have had no faith in any federal agencies doing their jobs the right way. Either I am a pessimist or a realist or both. I like to think of myself as a realist in the hope that it can change.
“You wrote: “This case has strikingly some similarities to the Malware Tech/Marcus Hutchins case.” I don’t see that at all. The only 1-A issue I see in Hutchins’ case involved whether writing code can be criminalized. It is a very different 1-A issue than I see in Shafer’s case.”
Pardon my error. I neglected to say that both cases began the same but ended up being charged differently. He hasnt had that much luck with other reporters reporting on this case, including Emptywheel which gives regular updates on Malware Tech.
“This isn’t on Pogo because this case really isn’t a privacy issue, even though the govt is trying to reframe it as a cyberstalking/privacy issue. It is a speech issue, and Pogo is for privacy issues.”
I suggested it because it turned into a privacy/stalking issue, based on the charges. Also, security researchers arent the only ones who are getting screwed in bogus charges like this with agencies abusing their power. It is happening in many fields where employees lives are being destroyed based on nothing, trumped up charges (pun not intended). Yes, I do thinks this story needs to get out media wise.
Thanks again, for responding.
He deserves to go to jail. What he did he never should have done.
Why are you defending this person?
The question is not why I defend him.
The question is why aren’t you defending him? Why are you siding with attempts to weaken the First Amendment?
Are you with the FBI or do you have a relative or friend in the FBI?
Dissent, what is with the snark? Why is it necessary to ask/assume/think person above is with FBI, has relative or friend?
Maybe the person just thinks differently than you or is pushing you to get an reaction which succeeded.
You assumed a snarky tone attached to the questions. It was a straight question, seeking clarification as to whether the person’s position might be biased.