The DOJ's Bizarre Subpoena Over An Emoji Highlights Its Ridiculous Vendetta Against A Security Researcher

Failures

from the lawlessness-under-the-guise-of-law-enforcement dept

Yesterday we broke the crazy story of how the DOJ issued a subpoena to Twitter attempting to identify five Twitter users, not because of anything they had done, but because someone else the DOJ disliked — a security researcher named Justin Shafer — had tweeted an emoji at them in response to a discussion about a different case. You can read all the details in that original post, in case you missed it yesterday. There was so much craziness in that story that I didn’t even get to cover all of it. Some of those named in the subpoena have posted their thoughts — including Ken “Popehat” White and Keith Lee. I suggest reading both, as the subpoena directed at each of them was particularly silly, given that both freely make their identities public. The DOJ didn’t seem to do even the slightest research into the accounts it was demanding info on, or it would have known just how easy it was to “unmask” White and Lee.

As for the other three Twitter accountholders — all of them are anonymous. But the DOJ certainly has zero legal basis for unmasking them. As we’ve discussed repeatedly in the past, anonymous speech is also protected by the First Amendment, and there’s a very high bar for law enforcement to get past to unmask anonymous speakers. EFF’s Kurt Opsahl pointed to a concise statement on this in a recent ruling in the Awtry v. Glassdoor case, which Lee also reposts in his blog:

The Supreme Court has recognized that “an author’s decision to remain anonymous, like other decisions concerning omissions or additions to the content of a publication, is an aspect of the freedom of speech protected by the First Amendment.” McIntyre v. Ohio Elections Comm’n, 514 U.S. 334, 342 (1995). Indeed, “[t]he right to speak anonymously was of fundamental importance to the establishment of our Constitution.” Doe v. 2TheMart.com Inc., 140 F. Supp. 2d 1088, 1092 (W.D. Wash. 2001) (citing McIntyre, 514 U.S. at 341-42). In particular, “Justice Black . . . reminded us that even the arguments favoring the ratification of the Constitution advanced in the Federalist Papers were published under fictitious names.” McIntyre, 514 U.S. at 342 (citing Talley v. California, 362 U.S. 60, 64 (1960)). So too were the responses of the anti-federalists, which were published by authors who used such fictitious names as “Centinel,” “Brutus” and “The Federal Farmer.” In re Anonymous Online Speakers, 661 F.3d 1168, 1172-73 (9th Cir. 2011).

Further, it is well-established that anonymous speech on the Internet, like other types of anonymous speech, enjoys First Amendment protection. In re Anonymous Online Speakers, 661 F.3d 1168, 1173 (9th Cir. 2011)(“online speech stands on the same footing as other speech—there is `no basis for qualifying the level of First Amendment scrutiny that should be applied’ to online speech”) (quoting Reno v. Am. Civil Liberties Union, 521 U.S. 844, 870 (1997)). As the Ninth Circuit has explained, “the ability to speak anonymously on the Internet promotes the robust exchange of ideas and allows individuals to express themselves freely without `fear of economic or official retaliation . . . [or] concern about social ostracism.’” Id.(quoting McIntyre, 514 U.S. at 341-42).

First Amendment protection of anonymous speech “is not unlimited, however, and the degree of scrutiny varies depending on the circumstances and the type of speech at issue.” Id. Political speech is considered to be “core” speech and is afforded the highest level of First Amendment protection. McIntyre, 514 U.S. at 346. Online messages such as the ones at issue here are also entitled to some level of First Amendment protection, even if the hurdle for overcoming that protection is less stringent than it is for political speech. See In re Anonymous Online Speakers, 661 F.3d 1168 at 1177; see also Highfields Capital Mgmt., L.P. v. Doe, 385 F. Supp. 2d 969 (N.D. Cal. 2005) (finding that identity of individual who anonymously posted derogatory comments about a company on an online message board was protected from disclosure under the First Amendment); Art of Living Foundation v. Does 1-10, No. 10-cv-5022 LHK, 2011 WL 5444622, at *5 (N.D. Cal. Nov. 9, 2011) (finding the standard articulated in Highfields applied to anonymously posted online commentary criticizing the plaintiff’s organization).

That the Assistant US Attoreny, Douglas Gardner, who signed off on the subpoena, either didn’t know this or didn’t care is hugely troubling and problematic. As Scott Greenfield colorfully summarizes of the federal agents involved in this case, looking at the details, “this situation is so utterly idiotic as to make one wonder how they can get out of bed without hurting themselves.”

Of course, for White and Lee, this is mostly amusing. For the other three, it’s likely that the DOJ will backdown, though it may cause them something of a headache in the meantime.

But the really crazy story is what’s going on with Justin Shafer, the security researcher at the heart of all of this. As we explained yesterday, Shafer had exposed some bad technology practices by various dental software companies — including fake encryption that resulted in an FTC fine — and a wide open FTP server revealing private info on customers. The latter resulted in the FBI raiding his home and taking all of his electronics. That, of course, set things off on the crazy course leading to the emoji subpoena, because Shafer got interested in finding out more about FBI Special Agent Nathan Hopp (who Shafer initially thought was Nathan “Hawk”). As mentioned yesterday, I don’t agree with Shafer’s decisions and actions in trying to track down Hopp, but to argue that it was, in anyway, criminal Cyber Stalking seemed nuts.

Dissent Doe, one of the anonymous users whose info was subpoenaed by the DOJ, and who has worked with Shafer in the past to (ethically) expose breaches has a longer post detailing just how totally fucked up the DOJ’s claims are against Shafer. It’s even worse that we initially thought. In the criminal complaint we posted yesterday, we didn’t even get into the earlier parts, where FBI Special Agent Ronnie Buentello tries to connect Shafer to a fairly well known black hat hacking group that deals in vulnerabilities and illegally accessed information, called The Dark Overlord. The Dark Overlord actually was in the press this week for accessing private info from a plastic surgeon who works with many famous people, and promising to release the info.

In the Buentello’s affidavit with the criminal complaint against Shafer, the FBI agent tries to connect Shafer to The Dark Overlord, claiming that the dental database he had discovered available online was also found in The Dark Overlord’s possession, and also presenting evidence of communications between Shafer and The Dark Overlord. It’s not at all clear what that has to do with with Shafer’s alleged “Cyber Harassment” of Nathan Hopp, but it’s certainly presented to the grand jury in a way to make Shafer out to be a bad dude:

On June 29, 2016, FBI Atlanta (NDGA) opened a criminal computer intrusion investigation on an individual using the online moniker, “TheDarkOverlord,” who claimed to have stolen 655,000 patient medical records and attempted to extort medical facilities he victimized. As part of their case, FBI Atlanta is investigating JUSTIN SHAFER as a co-conspirator of “TheDarkOverlord.” Subsequent media reports confirmed “TheDarkOverlord” had posted the records for sales where he was seeking 60 Bitcoins ($39,782.00) for a Farmington, Missouri database of 47,864 records, which was found on JUSTIN SHAFER’s computer during a search warrant executed on January 29, 2017; 170 Bitcoins ($112,200.00) for a Central/Midwest database containing 207,572 records; and 300 Bitcoins ($197,940.00) for a Blue Cross/Blue Shield (BC/BS) database containinng 396,458 records. Since his appearance in June 2016, “TheDarkOverlord” has claimed approximately 15 major computer breaches and the sale of one million customer PII records, and engaged in extortion of the victims across the United States, targeting medical providers, financial companies, large U.S corporations, and even a provider of cancer servcies in Indiana. In most cases, “TheDarkOverlord” extorted his victims with verbose, condescending, and abusive language, and taunted victim companies, their employees, and (in at least one case) the children of victim employees. “TheDarkOverlord” has carried out threats to release data when victims declined to pay, and has made implied threats to FBI Agents in Atlanta and New Orleans.

Collaboration between multiple FBI Divisions has subsequently identified significant links (IP addresses, emails, social media ccounts) between “TheDarkOverlord” and JUSTIN SHAFER. On January 29, 2017, FBI Dallas, FBI Atlanta, FBI Saint Louis, FBI New Orleans, and FBI Newark executed a search warrant at JUSTIN SHAFER’s residence, located in North Richland Hills, Texas. At time of entry, JUSTIN SHAFER was logged into at least two different workstations in his home office and garage. During the execution of the search warrant, the FBI seized approximately 29 evidence items, including desktops, laptops, hard drives, router, several cell phones, numerous universal serial bus (USB) drives, CD’s, and an Xbox game console. A chat session appearing to be with “TheDarkOverlord” was observed on a computer during the execution of the search warrant. In the months following the initial search warrant on May 25, 2016, several online media outlets published articles defending Shafer as a “security researcher” and admonished the FBI for executing a search warrant at his residence. SA Nathan Hopp was present for both search warrants that were executed on May 25, 2016 and on January 29, 2017.

Sounds pretty nefarious, right? Right. Except… as Dissent Doe points out, this leaves out a ridiculous amount of context that suggests that rather than collaborating with “TheDarkOverlord” (or maybe even being TheDarkOverlord as some might read the Buentello’s account to suggest, Shafer had a long history of trying to expose TheDarkOverlord — and, specifically to share the details of what he learned with the FBI.

What the FBI did not tell the court was that Shafer had emailed that very database to the FBI in July, 2016, telling the FBI that TheDarkOverlord gave it to him, unsolicited, duing a chat on Twitter.

So here’s “Exhibit A” for you: the email Justin Shafer sent on July 1, 2016 to this blogger and the Dallas FBI with the database the FBI would later claim supported a suspicion that he was a “co-conspirator:”

On July 1, 2016, Shafer emailed the Dallas FBI a copy of a database TheDarkOverlord had given him via Twitter. On March 31, 2017, the FBI claimed they found it during a raid of his home in January and never mentioned that he had provided it to them voluntarily in July, 2016.

Okay. But how about that supposed “chat session” that Shafer was having with The Dark Overlord when the FBI raided his house?

The affidavit referred to a chat session, but did not indicate whether it was a file copy of an old chat session or a new one in progress at the time of the raid. In fact, Shafer did have a number of private (DM) conversations on Twitter with TheDarkOverlord that Shafer logged. He often reviewed the logs afterwards, looking for additional clues in the material. Shafer generally shared his logs of the chats with this blogger and with others – including the FBI.

So now view “Exhibit B:” an email Shafer sent on July 3, 2016 to an NHS unit in the U.K. to warn them that they had been hacked by TheDarkOverlord. Shafer had been told about the hack in a private conversation with TheDarkOverlord and then tried to contact the NHS so that they could secure their data and warn patients. Shafer also cc:d Dallas FBI on that email, and included part of the chat log between him and TheDarkOverlord:

When Shafer learned that TheDarkOverlord hacked the NHS, he tried to notify the NHS and cc:d the Dallas FBI.
Part of the chat log between Shafer and TheDarkOverlord that was emailed to the Dallas FBI to alert them. The FBI would later suggest that finding chat logs on Shafer’s computers was somehow evidence that he was a co-conspirator.

As Doe points out, Shafer was even continuing to share information on The Dark Overlord with the FBi after the FBI had raided his house. Doe points out, a la Scott Greenfield’s observations, that these FBI and DOJ folks don’t seem to have the slightest clue what they’re doing:

It seems the FBI couldn’t tell a white hat from a black hat. Or perhaps the Dallas FBI failed to share the information he was providing to them with the Atlanta and Missouri regions of the FBI and other regions investigating TheDarkOverlord. Despite TheDarkOverlord’s bizarre attempts to implicate Shafer or tease him, Shafer had always helpfully provided information to the FBI. What co-conspirator does that?

And do note that Shafer offered this help to the Dallas FBI in July, 2016 – even after they had raided him in May, 2016 and upset his children and damaged his property (he claims). He was still being a whitehat. What a shame that the Dallas FBI did not respond to him that way.

Now consider “Exhibit C:” If Shafer was a co-conspirator, why was he running around the internet trying to get TheDarkOverlord patient data dumps removed? Here’s an email from Mega.nz in February, 2017 thanking Shafer for notifying them and saying they suspended TDO’s account. It was not the first time Shafer had contacted them. And once again, Dallas FBI was cc:d.

File-sharing site Mega.nz thanked Shafer for alerting them to a data dump of sensitive information.

So beginning in July, 2016 and thereafter, Dallas FBI received evidence that Shafer provided to try to help them catch TheDarkOverlord. Does any of the evidence above look like someone conspiring with TheDarkOverlord or does it look like someone trying to help law enforcement catch TheDarkOverlord?

As Doe further points out, the FBI has all of this evidence. It chose to selectively present it to a grand jury in a manner that totally misrepresents Shafer’s relationship to The Dark Overlord (and to the FBI, for that matter). It really looks as if the somewhat clueless FBI was just so focused on protecting one of its own — Special Agent Nathan Hopp — that it appears to have practically framed Shafer to the grand jury to lead to his eventual arrest and indictment.

And, on that note, in April of this year, Shafer was indicted (though, somewhat oddly, in a different district…) for the supposed Cyber Stalking of Hopp. The indictment, somewhat ridiculously, claims that Shafer “with intent to injure, harass, and cause substantial emotional distress” had “used and attempted to use, facilities in interstate and foreign commerce, including electronic mail and internet websites, to engage in a course of conduct that caused and attempted to cause substantial emotional distress to the victims.”

Again, I think that Shafer probably went overboard in venting his anger about Hopp and posting some publicly available info about Hopp and his family. He also did reach out to Hopp’s wife via Facebook — which, again, seems dumb. But to argue that his messages were harassing seems like a stretch. The conversation was Shafer asking Hopp’s wife to ask Hopp to return the videos of his kids that had been seized in an earlier raid. Again, this is a dumb thing to do, but it seems like a stretch to call it cyber stalking.

Meanwhile, another thing found in the original affidavit was a chat between Shafer and a friend of his, Darrell Pruitt, in which Pruitt responded “What an asshole” following Shafer’s sharing some info on Hopp. Pruitt commented on our story, noting that his involvement meant that the FBI showed up at his office:

As a friend of Justin, he shared with me his suspicion of FBI Special Agent Nathan Hopp’s (or Hawk’s) perceived vendetta as it was happening. I responded, “What an asshole.” And that was enough to warrant an unannounced visit to my dental office by two agents, whose questions indicated to me that they really didn’t have a clue about the case they were prosecuting. I think they were disappointed that I actually didn’t assist Justin in identifying Hopp, that I have nothing to do with TheDarkOverlord, and that no money had been exchanged between Justin and me… Thus went an hour of my life which I’ll never regain – Not to mention that my first patient waited in my dental chair for an hour while I was asked pointless questions. I was even warned by one of the agents that “‘I don’t know’ will only go so far.” But it is the damn truth.

This whole story is crazy and bizarre — but really raises serious questions about a DOJ and FBI totally out of control.

Filed Under: dissent doe, doj, fbi, justin shafer, keith lee, ken white, nathan hopp, popehat, security research, the dark overlord