Dissent

Nov 19 2017

Rohit KVN reports:

Even though the government has framed stringent rules to curb illegal access and displaying of Aadhaar details in public domain, a new report has emerged that the central and state-run websites have themselves blatantly leaked the private details of the Indian citizens who enrolled for Aadhaar.

In a Right to Information (RTI) query, Aadhaar generator body Unique Identification Authority of India (UIDAI) has admitted that around 210 state and central government websites, in their bid to showcase benefits of owning Aadhaar ID, have revealed personal details of the beneficiaries. It is not known when these lapses took place, but those web-pages have been blocked.

Read more on IBT.

Nov 18 2017

Harriet Alexander reports:

Ambulance staff whose medical records were sold to solicitors will launch a class action against NSW Ambulance in the Supreme Court on Monday in an action that will test privacy law.

NSW Ambulance contractor Waqar Malik was convicted of unlawfully disclosing personal information last year after he sold the worker’s compensation files of 130 former and current employees to personal injury lawyers.

The files included medical records such as psychiatric assessments and details of injuries.

Read more on The Herald.

Nov 18 2017

Nino Bucci reports:

Police are investigating the hacking of a gun club database that may have exposed where more than 1500 semi-automatic handguns are stored.

The private details of 540 members from the Port Melbourne club, including the types of weapons they owned, are believed to have been compromised this month, potentially exposing them to the theft of guns worth at least $5000 each on the black market.

Read more on The Courier.

Nov 18 2017

Guy Boulton reports:

Confidential medical information or other personal data of 9,500 patients at the Medical College of Wisconsin was compromised by a targeted attack on the school’s email system in July, the Medical College said Friday.

The compromised email accounts contained one or more of the following types of information: patients’ names, home addresses, dates of birth, medical record numbers, health insurance information, dates of service, surgical information, diagnosis or medical condition, and treatment information.

Read more on Journal Sentinel.

 

Nov 18 2017

On Friday, December 1, lawyers for an infosec researcher who has been in jail since April will argue that U.S. District Judge David C. Godbey should release Justin Shafer from jail while he awaits trial.


For those who are not familiar with the case, Shafer, a dental integrator technician and independent infosecurity researcher, faces federal charges of cyberstalking an FBI agent and the agent’s family. And those are the only charges he currently faces, although you might have been misled by others’ headlines into believing that he is an alleged hacker or an alleged co-conspirator of the blackhats known as TheDarkOverlord. Shafer has not been charged with any hacking-related activity at all.

In fact, the case against Shafer initially had nothing to do with blackhat hackers at all and everything to do with the fact that Shafer was uncovering and disclosing leaking databases, and the entities he was reporting on did not always take kindly to being embarrassed publicly for their poor data security. Shafer would also file complaints with HHS/OCR and the FTC over sloppy or failed data security. And it was one of those entities that apparently tried to accuse Shafer of hacking them after he found patient data on a public FTP server that did not require any login.

Once the FBI started investigating Shafer as if he were some blackhat criminal for finding and disclosing leaky databases, Shafer’s relationship with one Dallas FBI agent started to deteriorate. And it was only against the backdrop of that already somewhat adversarial relationship that, when Shafer started investigating TheDarkOverlord one month later and trying to help the FBI, the FBI started treating him as a possible co-conspirator instead of as an asset.

To be clear: while Shafer repeatedly and demonstrably attempted to help the FBI catch TheDarkOverlord, Shafer did make negative public comments to and about a Dallas FBI agent, Nathan Hopp, whom Shafer felt harassed by over a period of years. Those comments were made on Shafer’s blog and on his Twitter account. But was there really anything criminal about those comments or are they protected speech under the First Amendment?

And who wouldn’t be angry if you’d been raided three times by the FBI and you had never done anything illegal? Maybe it was imprudent to shoot off his mouth at an FBI agent or his family, but Shafer and his family have been through a lot of harassment from their perspective. I recently reported what Shafer’s wife told me about how all these raids have affected their children, but here’s a snippet of Shafer’s description of one of the raids, and his concern for his child’s safety because of it. On February 2, he wrote about the second (January) raid:

… I heard some boots making noise outside the house. I went outside, and there was a guy with an AK-47 pointing it at me, freaking out because my hands are not up.

That is when I saw 5 or 6 guys by my garage, and I think everyone had an AK-47 it seemed. These dudes were TWICE the size of the guys who raided me the first time. They told me they were not part of the first people who raided me, because I asked if Nathan Hawk was around. =)

[Note: at the time of this raid, Shafer still mistakenly thought Agent Hopp’s name was “Hawk”].

I remember what [a lawyer] said, and decided I would take his friendly advice. He told me if he was raided, he would decline all interviews and just leave. You don’t need to be present during a raid, really.

The FBI Agent who had a gun on me, told me we could go inside after they “cleared” the house (make sure nobody else is inside). I told him I “respectfully decline the interview”. I then told him I wanted to leave, and they said okay but didn’t let me leave. Then he told me again, they would let me leave after I talked, and reminded him that I “respectfully decline this interview”. So they put me into a NRH cop car, and then told me they were taking me to jail.

[…]

I was upset when my 3 year old daughter handed me a CR-2032 battery. Any kid who eats one of those, dies. Horrific. I am very careful to keep shit off the floor. If she had eaten it, I would be losing my mind…..

Might you be upset with the FBI under similar circumstances?

But wait, you say – didn’t the FBI find actual evidence during that January raid that Shafer was conspiring with the blackhat hackers known as TheDarkOverlord? Didn’t you see something about a stolen database and a chat log?

No, the FBI did not find evidence of any conspiracy nor any criminal activity on Shafer’s part.

What they found was that TheDarkOverlord gave Shafer information in 2016 which Shafer had then promptly passed along to the Dallas FBI via e-mail and phone to help them. What they found in January, 2017 was what Shafer had already given them and other law enforcement agencies in 2016 to help them catch TheDarkOverlord.

And if you haven’t seen the evidence I posted showing that Shafer was trying to help the FBI, see this post for screenshots.

So Shafer was charged with cyberstalking, and the charges were padded by references to claims that he was being investigated as a co-conspirator of TheDarkOverlord, when the factual history shows that Shafer was passing along information on TheDarkOverlord to law enforcement in both this country and the U.K.

When Shafer was arrested, he was released with pre-trial conditions. Those conditions included what many First Amendment experts might consider prior restraint of speech. Shafer has every right to complain about an FBI agent whom he feels is harassing him or his family. He has every right to complain loudly and publicly about an agency repeatedly raiding him even though there is no evidence of wrongdoing on his part.

Criticizing an FBI agent publicly doesn’t seem exactly prudent, but that doesn’t make it criminal speech or conduct. So why has it cost Shafer his freedom for all these months?

On December 1, Tor Ekeland, Shafer’s attorney, will argue that Shafer should be released from jail while he awaits trial on the cyberstalking charges. That trial date has now been set to begin January 22, 2018.

I remember the days when EFF and the ACLU would be all over a case like this, forcefully speaking up for and defending someone in Shafer’s position. While EFF did make a few comments to a Dallas reporter about this case, the ACLU of Texas and the national ACLU have remained silent. Why?

Shafer’s speech may have been imprudent, but unpopular speech is exactly what most needs protection and vigorous defense. If using Google to look up someone’s address or saying “hi” to someone’s wife on Facebook can be construed as evidence of “cyberstalking,” we are all in trouble.

This is one of those cases that has the potential to make bad law on free speech. If you care about the First Amendment and pushing back against government attempts to erode your right to protected speech, maybe you should get to the Dallas federal courthouse on December 1 at 10:00 am and show your support for Shafer and the issue of free speech.

And if you’re an infosec researcher who has ever been falsely accused of hacking or wrongdoing because you tried to do the right thing to improve data security, then perhaps you should speak up and support Shafer, because if they can chill his speech by jailing him for so long, what can they do to your speech and ability to disclose vulnerabilities and leaks you find?