In May 2016, the Dallas FBI raided dental integrator and independent researcher Justin Shafer because of allegations that he had accessed an FTP server without authorization. Shafer was subsequently raided twice more, and in March 2017, he was arrested and charged with stalking a federal employee – not hacking or any criminal conduct related to hacking, but stalking a federal employee. Over the next year, the prosecution would pile on more stalking counts in superseding indictments so that Shafer wound up facing five felony charges.

But today, the government’s attempt to prosecute Shafer as a dangerous FBI-stalking villain ended with a whimper instead of the bang the prosecutor hoped for. This morning, Shafer pleaded guilty in federal court in Dallas to one misdemeanor count of retaliating against a federal official by threatening a family member. As part of the plea deal, Shafer was sentenced to time served. Shafer had spent almost eight months in jail when his pre-trial release was revoked by Magistrate Judge Toliver for blogging, which was deemed a violation of his conditions of release.

Shafer’s defense team, consisting of Tor Ekeland and Fred Jennings at Tor Ekeland Law and Jay Cohen at Blass Law in Texas, had appealed the revocation, writing, in part:

The factual bases of the government’s bare bones indictment are a handful of public tweets; a Facebook friend request and message sent to a public Facebook account; the following of a public Twitter account; and two emails to an FBI Agent – one with a “?” emoji and another inquiring about the status of a report of a patient privacy violation. The Defendant made no attempt to mask his identity, and the FBI never contacted the Defendant to express any concern or to ask him to stop his communications. Instead they arrested him.
And any claim that he engaged in a sustained course of conduct with a continuity of purpose to cyberstalk or threaten are ludicrous when compared to facts embodied in the case law regarding these statutes.

These accusations led to a pretrial release order so broad it functioned as a prior restraint on Mr. Shafer’s constitutional right to speak about the accusations made against him. When he sought to do so – through a post on his work-related blog – the magistrate judge revoked release, broadly interpreting the release condition terms and finding a violation of those conditions. An innocent man — who the government has not charged, and cannot charge, with any violent crime, nor with any history of violent crime — is now in jail on the basis of protected speech.

Judge David Godbey firmly agreed with the defense that Shafer had had a right to blog, and Shafer was re-released in December, 2017 to await trial. And the case probably would have gone to trial had it not been for Judge Janis Graham Jack letting the prosecution know that she saw no evidence of any threat to support the felony charges and that she might rule on the defense’s motion to dismiss if the prosecution didn’t come up with some reasonable plea deal. Today’s plea deal was partly the result of Shafer holding firm that he would not just plead guilty to any felony.

After a plea agreement was reached, Shafer’s defense team issued the following statement:

Mr. Shafer first contacted us after he [was] raided by armed federal law enforcement for alleged computer crimes the government has never charged him for. When he complained to the government about it, he was arrested and thrown in jail for his criticism. He was freed after the defense filed a motion arguing his pre-trial detention violated the First Amendment.
Fortunately, when presented with the facts of this case, the Court understood the magnitude of the issues here and helped us resolve this case without the hassle, expense, and stress of a jury trial. We are grateful to the Northern District of Texas for recognizing this case for what it was: an attack on internet free speech and a citizen’s right to criticize the government.

Under the terms of today’s plea deal, Shafer has agreed to have no contact, either personally or through any associates whatsoever, with Special Agent Nathan Hopp of the Dallas FBI or any of his immediate or extended family members. The no-contact agreement also applies to Judge Jeffrey Cureton, his staff or any of his immediate or extended family members.

There never was any evidence that Shafer had ever physically approached or physically assaulted anyone. Nor was there ever any clear evidence that he had even threatened to approach anyone physically. Even the misdemeanor charge appeared to be a stretch far beyond the available evidence.

For its part, in addition to moving to dismiss all the remaining charges against Shafer, the government agreed it will not criminally prosecute Shafer for any charges relating to the investigation of the alleged unauthorized FTP server access in the Patterson matter that led to the May 2016 raid.

What Now or Next?

Prior to today’s hearing, DataBreaches.net had asked Shafer if he felt that justice had been served in the anticipated plea deal. Shafer responded that after his ordeal, he now believes that justice is just “an illusion.” His experience has also chilled his willingness to try to protect patient data. When asked in email if he would resume his efforts to find leaks and notify entities so they could secure the data, he replied:

I think the next time someone finds social security numbers that is considered protected health information under HIPAA they should just turn a blind eye.
Nobody is going to call you a hero (except the enlightened), and you run the risk of being harassed by the FBI. Doctors responsible for alerting patients will now have yet another reason not to. Already, only about 10% of doctors notified patients that their patient information was publicly available. Law enforcement or the Office of Civil Rights won’t care, and will most likely ignore it. Punishing health information researchers for reporting these issues only puts patients at greater risk. I think it would benefit society greatly if people who find publicly accessible data were […]
As anticipated, federal prosecutors have filed a superseding indictment in their case against dental integrator and vulnerability researcher Justin Shafer. For those in a rush, the TL;DR version is that they have basically transformed a bullshit two-count indictment into a bullshit three-count indictment. [For the benefit of law enforcement in Texas, that preceding sentence is considered opinion and protected speech, as much as you may dislike it.]

The superseding indictment adds one more count of stalking to the previously filed two counts:

From on or about November 2016, the exact date being unknown, until on or about February, 2017, in the Dallas Division of the Northern District of Texas and elsewhere, the defendant, Justin Mark Shafer, with the intent to harass and intimidate a person and more than one person, used and attempted to use, interactive computer services, electronic communications systems of interstate commerce; internet websites, telephone and other facilities of interstate or foreign commerce, to engage in a course of conduct that caused and attempted to cause and was reasonably expected to cause substantial emotional distress to JC and MK. In violation of 18 U.S.C. § 2261A(2)(B) & 2261(b).

Based on available information, “JC” appears to refer to Magistrate Judge Jeffrey L. Cureton, while “MK” likely refers to his judicial assistant, Margarita Koye.

So when you have a weak case where someone engaged in protected speech, just double down – throw more protected speech into the mix and claim that that protected speech was also an attempt to cause distress, right? Surely the more people who are upset by your speech, the more “victims” there are of “stalking,” right? If I’m upset with you for months and email you for months, multiple times, to convey my distress and disgust with your behavior because your behavior is ongoing and continues to trouble me, isn’t that (still) protected speech?
I am not aware of any clause in the First Amendment that would suggest that speech is only protected if you say it less than X times. So what, exactly, is Shafer alleged to have done that crossed the line from protected speech to “stalking” court personnel? And are we now going to rewrite the Constitution so that any time someone sends an angry or upset communication, we claim that they are attempting to cause distress and could reasonably expect to cause distress and are therefore stalking? Has this country become a bunch of snowflakes? Shafer’s attorney, Tor Ekeland, was not available for comment by the time of publication.
On Friday, December 1, lawyers for an infosec researcher who has been in jail since April will argue that U.S. District Judge David C. Godbey should release Justin Shafer from jail while he awaits trial.

For those who are not familiar with the case, Shafer, a dental integrator technician and independent infosecurity researcher, faces federal charges of cyberstalking an FBI agent and the agent’s family. And those are the only charges he currently faces, although you might have been misled by others’ headlines into believing that he is an alleged hacker or an alleged co-conspirator of the blackhats known as TheDarkOverlord. Shafer has not been charged with any hacking-related activity at all.

In fact, the case against Shafer initially had nothing to do with blackhat hackers at all and everything to do with the fact that Shafer was uncovering and disclosing leaking databases, and the entities he was reporting on did not always take kindly to being embarrassed publicly for their poor data security. Shafer would also file complaints with HHS/OCR and the FTC over sloppy or failed data security. And it was one of those entities who apparently tried to accuse Shafer of hacking them after he found patient data on a public FTP server that did not require any login.

Once the FBI started investigating Shafer as if he was some blackhat criminal for finding and disclosing leaky databases, Shafer’s relationship with one Dallas FBI agent started to deteriorate. And it was only against the backdrop of that already somewhat adversarial relationship that, when Shafer started investigating TheDarkOverlord one month later and trying to help the FBI, the FBI started treating him as a possible co-conspirator instead of as an asset.

To be clear: while Shafer repeatedly and demonstrably attempted to help the FBI catch TheDarkOverlord, Shafer did make negative public comments to and about a Dallas FBI agent, Nathan Hopp, whom Shafer felt harassed by over a period of years.
Those comments were made on Shafer’s blog and on his Twitter account. But was there really anything criminal about those comments or are they protected speech under the First Amendment? And who wouldn’t be angry if you’d been raided three times by the FBI and you had never done anything illegal? Maybe it was imprudent to shoot off his mouth at an FBI agent or his family, but Shafer and his family have been through a lot of harassment from their perspective.

I recently reported what Shafer’s wife told me about how all these raids have affected their children, but here’s a snippet of Shafer’s description of one of the raids, and his concern for his child’s safety because of it. On February 2, he wrote about the second (January) raid:

… I heard some boots making noise outside the house. I went outside, and there was a guy with an AK-47 pointing it at me, freaking out because my hands are not up. That is when I saw 5 or 6 guys by my garage, and I think everyone had an AK-47 it seemed. These dudes were TWICE the size of the guys who raided me the first time. They told me they were not part of the first people who raided me, because I asked if Nathan Hawk was around. =) [Note: at the time of this raid, Shafer still mistakenly thought Agent Hopp’s name was “Hawk”]. I remember what [a lawyer] said, and decided I would take his friendly advice. He told me if he was raided, he would decline all interviews and just leave. You don’t need to be present during a raid, really. The FBI Agent who had a gun on me, told me we could go inside after they “cleared” the house (make sure nobody else is inside). I told him I “respectfully decline the interview”.. I then told him I wanted to leave, and they said okay but didn’t let me leave. Then he told me again, they would let me leave after I talked, and reminded him that I “respectfully decline this interview”.
So they put me into a NRH cop car, and then told me they were taking me to jail […] I was upset when my 3 year old daughter handed me a CR-2032 battery. Any kid who eats one of those, dies. Horrific. I am very careful to keep shit off the floor. If she had of eaten it, I would be losing my mind…..

Might you be upset with the FBI under similar circumstances?

But wait, you say – didn’t the FBI find actual evidence during that January raid that Shafer was conspiring with the blackhat hackers known as TheDarkOverlord? Didn’t you see something about a stolen database and a chat log?

No, the FBI did not find evidence of any conspiracy nor any criminal activity on Shafer’s part. What they found was that TheDarkOverlord gave Shafer information in 2016 which Shafer had then promptly passed along to the Dallas FBI via e-mail and phone to help them. What they found in January, 2017 was what Shafer had already given them and other law enforcement agencies in 2016 to help them catch TheDarkOverlord. And if you haven’t seen the evidence I posted showing that Shafer was trying to help the FBI – see this post for screenshots.

So Shafer was charged with cyberstalking, in charges that were padded by references to claims that he was being investigated as a co-conspirator of TheDarkOverlord, when the factual history shows that Shafer was passing along information on TheDarkOverlord to law enforcement in both this country and the U.K.

When Shafer was arrested, he was released with pre-trial conditions. Those conditions included what many First Amendment experts might consider prior restraint of speech. Shafer has every right to complain about an FBI agent whom he feels is harassing him or his family. He has every right to complain loudly and publicly about an agency repeatedly raiding him even though there is no evidence of wrongdoing on his part. Criticizing an FBI agent publicly doesn’t seem exactly prudent, but that doesn’t make it criminal speech or conduct.
So why has it cost Shafer his freedom for all […]
In what has become an increasingly bizarre case, researcher Justin Shafer was arrested Friday evening, detained in Dallas County Jail over the weekend on a “hold” request from the FBI, and then transferred to federal court today, where he was charged with cyberstalking.

For the benefit of those who haven’t followed this story from the beginning: Shafer is a Dental IT integrator in Texas who’s knowledgeable about patient management software in the dental sector. He’s uncovered and reported a number of vulnerabilities that he discusses on his blog. Some of his research and advocacy resulted in enforcement action by the FTC to protect consumers and patients.

In addition to identifying and reporting vulnerabilities in software, Shafer finds patient data leaks by using search engines such as FileMare for certain keywords and then searching the results for FTP servers that are configured to allow “anonymous” login – i.e., anyone can access the files. When Shafer finds exposed protected health information (PHI), he generally contacts the covered entity or database owner to alert them and then discloses it publicly, contacts the media, and/or files a complaint with the U.S. Department of Health & Human Services (HHS), alleging violations of HIPAA’s security requirements.

In May, 2016, Shafer was raided by the FBI, as I reported on The Daily Dot at the time. It appeared, based on what Shafer was allegedly told by an FBI agent, that Patterson Dental might have complained that Shafer hacked them (see this incident that this site reported in February, 2016).
The complaint filed in today’s arrest makes clear that the May, 2016 raid was, in fact, because Patterson accused Shafer of accessing their files “without permission.” Shooting the messenger instead of just owning responsibility for a security mistake is neither appropriate nor helpful in improving cybersecurity, as such accusations tend to chill other researchers from reporting what they find, leaving entities in the dark and criminals with more vulnerable sites to attack.

No charges were filed against Shafer following the May, 2016 raid. In January, 2017, Shafer was raided again, but there were still no federal charges or state charges filed. On March 22, the FBI issued a Private Industry Notice (PIN). That PIN said that the FBI was aware of some criminals accessing data from public FTP servers to harass, intimidate, and/or blackmail site owners. Could they have been talking about Shafer? The PIN appeared to have some possible connection to Shafer because he’s well-known for investigating open FTP servers, but the connection was not clear. Shafer’s style may be obsessive-compulsive, impulsive, and/or abrasive/obnoxious at times, but this site was not aware of anyone ever accusing him of blackmail or intimidation.

On March 31, the FBI raided Shafer for a third time, and arrested him for cyberstalking. Not hacking, not anything to do with FTP servers, but cyberstalking under 18 U.S. Code § 2261A(2)(B). The complaint describes conduct Shafer allegedly engaged in with respect to one of the FBI agents involved in his case and that FBI agent’s spouse and family. While some of the behavior cited as evidence of cyberstalking occurred on Twitter, a lot of it occurred on Facebook. Sadly, and assuming for now that they can prove those tweets and posts were really by him, Shafer appears to have focused his outrage and frustration over the May, 2016 raid on one particular FBI agent and by extension, that agent’s family.
DataBreaches.net is not naming the FBI agent or uploading the complaint at this time.

But if you’re thinking this story couldn’t get any more bizarre or unfortunate, let me assure you that it does get more bizarre. Apparently one region of the FBI was (and may still be?) investigating Shafer as a possible co-conspirator of TheDarkOverlord (TDO). You can’t make this stuff up, folks. Well, maybe our President could or FoxNews could, but I can’t.

DataBreaches.net was unable to reach Shafer or his wife for a comment by the time of this publication, but will update this story as more information becomes available.
Attorneys for Justin Shafer have appealed the revocation of his pretrial release. As regular readers of this site likely know already, Shafer has been in jail since April on charges of cyberstalking an FBI agent and the agent’s family. Those cyberstalking charges have nothing to do with three FBI raids conducted on Shafer prior to his tweets complaining about the FBI agent. Yes, you read that correctly: the FBI had conducted THREE raids on Shafer and had not charged him criminally with anything. The only thing he has been charged with is unkind words after he and his family were repeatedly harassed. Well, that’s how I’d describe it. Here’s how his lawyers described it:

The government accuses Justin Mark Shafer of putting an FBI agent and his wife in substantial emotional distress and publishing restricted information about that FBI agent with the intent to incite violence against him. But nowhere in the record, or in the discovery in this case, is there any true threat of violence against anyone. There is no explicit language articulating any kind of threat. The “restricted” information in question was a prior home address for the FBI agent, publicly available on the internet. This entire case is built on innuendo and speculation that withstands neither constitutional nor statutory scrutiny. It is a chilling example of federal law enforcement overreach, and has serious ramifications for constitutional free speech and due process in relation to the internet and computer law. If the government’s accusations in this case are a crime, then millions of social media using Americans are subject to the prosecutorial whim of the Department of Justice.

You can read the entire motion here (pdf). As you read the motion, note not only the constitutional issues raised by counsel, but how Shafer’s wife and children were treated – and traumatized by these experiences. DataBreaches.net spoke with Shafer’s wife several days ago.
She informed this blogger that she and their three children have all been seriously impacted psychologically by the FBI’s raids. “We’re okay,” she said, but “any time the doorbell rings, I point my finger and the kids run to the back of the house. My heart starts racing any time the doorbell rings. I can’t handle it… I am having panic attacks.” According to Mrs. Shafer, their daughter is only now beginning to sleep in her own bed again since being traumatized by the May, 2016 raid. “These were full-blown raids,” Shafer’s wife told me. “You would have thought someone murdered someone.”

The motion notes that at least one of the raids was totally unnecessary and the FBI could have simply called Shafer’s lawyer and asked him to have his client turn himself in. Had the FBI done that, Shafer’s young children would not have been exposed to yet more stress and trauma. Why didn’t the FBI do that?

Update: I have uploaded Jennifer Shafer’s declaration, here (pdf).