Adventures in Notification, Ethical Dilemma Edition
Long-time readers know that this blogger has encountered some interesting situations over the years in response to trying to engage in responsible disclosure of leaks or incidents. As just a few examples (apart from all the lawsuit threats for exposing leaks or incidents), this blogger was:
— threatened with being infected with HIV by angry app users if I reported on a leak involving a dating app for people with HIV;
— charged criminally in India for reporting on a leak there; and
— contacted by two researchers who anonymously handed me 400 vulnerabilities they had found because they were afraid of being prosecuted; they left me to try to figure out what to do with all their findings and how to make 400 notifications.
Also as a reminder, my About page cautions people who are thinking of threatening me, because I have been threatened with more lawsuits than I can even remember by now:
If you want to send me legal threats about my reporting or comments, knock yourself out, but don’t be surprised to see me report on your threat, any confidentiality sig blocks you may attach notwithstanding. I have been threatened with lawsuits many times, and to be blunt: there is NOTHING you can threaten me with that will scare me even 1/10th as much as the day both my kids got their driver’s licenses within 15 minutes of each other.
So keeping all that in mind, today’s saga starts with a contact I received on or about September 10. The individual did not give me any name or alias. Nor did they give me any affiliation, but from some of their statements, it appeared that I was likely dealing with someone who was part of a foreign ransomware group.
An Unusual Story Begins
That they didn’t really know me well became evident a few minutes later when they threatened me that if I told anyone what they were about to say, they would …. well, to be honest, I’m not sure I understood what they were even threatening, and the message disappeared so there’s no copy for me to review at this point. In any event, threats are not the way to win my heart or mind — or cooperation.
But this story was so different than what I expected that even though I agreed to keep what they were going to tell me all off the record, the individual and I have since agreed that I could tell the story, although I still have to omit certain details.
So now put yourself in my shoes (which are usually sneakers if you need to visualize): you are a blogger and a privacy advocate and activist. Someone — likely a criminal — contacts you out of the blue and asks if you will help them *return* data that someone hacked. The individual does not want any money or anything — they just want to return data to a non-profit who never should have been hacked and who had never paid any ransom.
“Don’t they have a backup?” I asked (all quotes are approximate as there are no recorded messages for me to consult at this point).
The backup had been wiped out by the attacker, I was told.
So there’s a non-profit that had all their data exfiltrated, their files were encrypted, and their backup was destroyed. And you are asked to let them know that someone wants to get their data back to them — for no fee and with no publicity about the breach at all.
“Why can’t you call them yourself?” I asked.
They couldn’t call because they are not in this country, I was told, and because they were concerned that the FBI would get involved.
They would upload the non-profit’s data somewhere and give me the links to give them, if I would help get the message to the non-profit.
Ethics? Law? What Do I Do?
All kinds of thoughts went through my head, especially whether the data could have malware in it (but that could be checked by the FBI or someone, right?) and whether I would be violating any ethics code or actual laws.
If I made the call to the non-profit to tell them that I’m a blogger who was contacted by threat actors who wanted to give them back their data, and it was available to them at a link I would give them, could and would law enforcement charge me with aiding and abetting criminals?
And would I be aiding and abetting criminals? They obviously wanted to return the data, so wouldn’t I be aiding them? But they weren’t asking for money and were allegedly just trying to right a wrong. If you aid a criminal in righting a wrong, are you a criminal, too? I would be trying to aid a victim of a crime. If somehow the criminal got something out of it that they wanted, does the balance still favor helping the victim?
And if I didn’t make the call, could the non-profit be left in a mess that I could have remedied?
Did my ethical obligations lead to the same decision as any legal duties or did they conflict?
My head was spinning, and I was reminded once more how much I miss Kurt Wimmer and how helpful he was to me for more than a decade.
I finally decided that I would make the call in the hopes that a victim would get their data back.
So I called and left a detailed voicemail on the non-profit’s system. I gave them my real name, phone number, info on this site, and told them that I knew this would sound crazy, but they could call me and I would explain more about how someone was trying to return their hacked data if they needed it back because they had no backup.
That call was after close of business on Friday. The following Monday morning, having gotten no call back by a few hours after their office opened, I called again, and got a person. She told me that they had gotten my voicemail and referred it to the FBI. I laughed and said I didn’t blame her, as I knew it would sound screwy and I would do the same thing. She asked me to confirm my number, and I did, in case she wanted to call me back at any point.
And then I waited.
I wasn’t sure if the FBI would just call me or if I’d get raided. I had no idea what to expect at that point, and it was not an FBI region that I had ever dealt with who might know of my work.
Ring, Ring. Hello, FBI?
That afternoon, I called the FBI regional office for the non-profit’s area. I did not know what agent might have been assigned to the case, so I just stayed on the line until I got someone who, in a recorded call, took my real details, and I explained the whole wild story. “Mike” seemed to understand that I was just trying to help a ransomware victim recover their data — without any fee or publicity — and that my goal was not to aid criminals but to aid the victim. I told him that I had the links to where the data had been uploaded for the victim to download, and that I hoped the FBI would help the victim to ensure that there was no malware or trackers or anything in it.
Mike seemed to understand and asked me to complete the IC3 form and put the links in there. He promised someone would look at it. I asked him to please have someone follow up and let me know what happened. It was all very cordial.
And so I completed the form and included the links to the data.
And never heard another thing.
Maybe I’m naïve to expect the FBI to try to recover data quickly if it’s made available. Or maybe they are busy investigating me or trying to get another court order or something. I don’t know.
All I do know is that it feels hypocritical to help threat actors in any way at all, but it feels just as wrong to not help a victim when I can.
As far as I know, the victim did not get their data back, but maybe they did and nobody bothered to tell me. In either event, I will not be calling the victim or the FBI again. I’ve done what I could to help the victim and I’m done.
The Source Comments
I asked the source their reaction to this whole incident. Their answers, given in English, are unedited, below:
Q: What did you think would happen in response to me calling the victim and then calling the FBI?
A: I thought that the victim would be thanking the reporter because they are very known in this field, and they are getting data back for free. Even when they could have paid with 1 million cyber liability insurance policy ? and ask you for the data back but no they did not do this instead they say we have contacted fbi…………..
Q: Were you surprised that neither the FBI nor the victim has gotten back to me to follow up?
A: Yes I am . I think the americans, instead of trying to help the victim and put some sense into the victim head is probably going to subpoena the site where the data was uploaded , instead of helping victim. Maybe they just want credit for taking down people like us but no this will not happen. ? Maybe they are busy who knows but doubt it 🙂
Or maybe they are getting search warrant for reporters home….
Q: If this ever happened again — where you want to return data to a victim — how would this affect what you do or try?
A: This will not happen again….because there is no way we will do this kind of thing again after this. It is: You either pay or you can see data get leaked and system stay encrypted. No desh for free, no data back for free nothing. I dont care if you are charity, hospital or whatever. Don’t be stupid like this dumb victim and not even use insurance policy. This is just insulting us. Also dont threaten messenger, they are trying to help and you just say “we told fbi” like ……… these people who act smart and make threat (unless these people pay because there is smartass and threat makers during negotiating who end up paying) deserve to be attacked. And ok….not everyone is like this, just some :)”
? “we told fbi” ………….. funny americans
nearly every company who pays ransom will contact fbi because this is normal..we dont care for these. , but you have no right to contact fbi when you have not even paid.
Your Turn to Comment
So what would you have done in my shoes? Make the call to the non-profit or not make the call? Call the FBI or not call them? And why?
I expect that there may be some journalists who will be critical of my actions. Just tell me how or why you think I have erred ethically as a journalist or as a person — and then tell me how you justify NOT helping a victim when you have an opportunity to.
And if you are a lawyer who has an opinion on whether I may have broken any laws or not, let me know. It won’t make you my lawyer, don’t worry about that, but I’d be interested in your analysis.
And if the FBI is reading this: no, I do NOT know which group of threat actors contacted me.