Mar 222018

In May 2016, the Dallas FBI raided dental integrator and independent researcher Justin Shafer because of allegations that he had accessed an FTP server without authorization. Shafer was subsequently raided twice more, and in March 2017, he was arrested  and charged with stalking a federal employee – not hacking or any criminal conduct related to hacking, but stalking a federal employee. Over the next year, the prosecution would pile on more stalking counts in superseding indictments so that Shafer wound up facing five felony charges.

But today, the government’s attempt to prosecute Shafer as a dangerous FBI-stalking villain ended with a whimper instead of the bang the prosecutor hoped for.

Justin Shafer with his family, earlier this week. Submitted.

This morning, Shafer pleaded guilty in federal court in Dallas to one misdemeanor count of retaliating against a federal official by threatening a family member.

As part of the plea deal, Shafer was sentenced to time served. Shafer had spent almost eight months in jail when his pre-trial release was revoked by Magistrate Judge Toliver for blogging, which was deemed a violation of his conditions of release.

Shafer’s defense team, consisting of Tor Ekeland and Fred Jennings at Tor Ekeland Law and Jay Cohen at Blass Law in Texas, had appealed the revocation, writing, in part:

The factual bases of the government’s bare bones indictment are a handful of public tweets; a Facebook friend request and message sent to a public Facebook account; the following of a public Twitter account;1 and two emails to an FBI Agent – one with a “🙂” emoji and another inquiring about the status of a report of a patient privacy violation. The Defendant made no attempt to mask his identity, and the FBI never contacted the Defendant to express any concern or to ask him to stop his communications. Instead they arrested him. And any claim that he engaged in a sustained course of conduct with a continuity of purpose to cyberstalk or threaten are ludicrous when compared to facts embodied in the case law regarding these statutes.

These accusations led to a pretrial release order so broad it functioned as a prior restraint on Mr. Shafer’s constitutional right to speak about the accusations made against him. When he sought to do so – through a post on his work-related blog – the magistrate judge revoked release, broadly interpreting the release condition terms and finding a violation of those conditions.

An innocent man — who the government has not charged, and cannot charge, with any violent crime, nor with any history of violent crime — is now in jail on the basis of protected speech.

Judge David Godbey firmly agreed with the defense that Shafer had had a right to blog, and Shafer was re-released in December, 2017 to await trial.  And the case probably would have gone to trial had it not been for Judge Janis Graham Jack letting the prosecution know that she saw no evidence of any threat to support the felony charges and that she might rule on the defense’s motion to dismiss if the prosecution didn’t come up with some reasonable plea deal.  Today’s plea deal was partly the result of Shafer holding firm that he would not just plead guilty to any felony.

After a plea agreement was reached, Shafer’s defense team issued the following statement:

Mr. Shafer first contacted us after he [was] raided by armed federal law enforcement for alleged computer crimes the government has never charged him for. When he complained to the government about it, he was arrested and thrown in jail for his criticism. He was freed after the defense filed a motion arguing his pre-trial detention violated the First Amendment. Fortunately, when presented with the facts of this case, the Court understood the magnitude of the issues here and helped us resolve this case without the hassle, expense, and stress of a jury trial. We are grateful to the Northern District of Texas for recognizing this case for what it was: an attack on internet free speech and a citizen’s right to criticize the government.

Tor Ekeland. Submitted.

Under the terms of today’s plea deal, Shafer has agreed to have no contact, either personally or through any associates whatsoever, with Special Agent Nathan Hopp of the Dallas FBI or any of his immediate or extended family members. The no-contact agreement also applies to Judge Jeffrey Cureton, his staff or any of his immediate or extended family members.

There never was any evidence that Shafer had ever physically approached or physically assaulted anyone. Nor was there ever any clear evidence that he had even threatened to approach anyone physically. Even the misdemeanor charge appeared to be a stretch far beyond the available evidence.

For its part, in addition to moving to dismiss all the remaining charges against Shafer, the government agreed it will not criminally prosecute Shafer for any charges relating to the investigation of the alleged unauthorized FTP server access in the Patterson matter that led to the May 2016 raid.

What Now or Next?

Prior to today’s hearing, had asked Shafer if he felt that justice had been served in the anticipated plea deal. Shafer responded that after his ordeal, he now believes that justice is just “an illusion.” His experience has also chilled his willingness to try to protect patient data. When asked in email if he would resume his efforts to find leaks and notify entities so they could secure the data, he replied:

I think the next time someone finds social security numbers that is considered protected health information under HIPAA they should just turn a blind eye. Nobody is going to call you a hero (except the enlightened), and you run the risk of being harassed by the FBI. Doctors responsible for alerting patients will now have yet another reason not to. Already, only about 10% of doctors notified patients that their patient information was publicly available. Law enforcement or the Office of Civil Rights won’t care, and will most likely ignore it. Punishing health information researchers for reporting these issues only puts patients at greater risk.  I think it would benefit society greatly if people who find publicly accessible data were not threatened by the people who put it there.

There’s a lot of good points in that statement. Shooting the messenger and/or prosecuting those who find and try to remedy leaks is just not in society’s best interests.

For now, though, Shafer remains focused on spending more time with his family. And in that respect, today was a good day for Shafer because Judge Janis Graham Jack approved the plea deal and he got to go home to his family.

“I was nervous when she started telling me my rights and that she wasn’t obligated to accept the deal,” Shafer told by phone after the hearing.  But now, he said, he’s, “Happy. I’m happy that it’s over.” He added, “I shook hands with the prosecutor after the meeting and we both hoped that I would never see them again. And he told me that I am lucky to have a wife that puts up with me. I left the hearing on good terms.”  Shafer hopes that now that this is over, the prosecution will return his wife’s videos of their children that had been seized in one of the raids.

Attorneys from the  U.S. Attorney’s Office for the Western District of Texas did not respond immediately to an inquiry sent earlier asking them for a comment on the outcome of this case.

Feb 102018

There’s an update to an insider-wrongdoing lawsuit that I first noted back in September, 2013, after some employees at Rensselaer County Jail filed suit against their employer for snooping in their medical records.

As I’ve reported in the past, the breaches occurred against a backdrop where the county jail uses Samaritan Hospital to provide services to inmates and employees, but the jail also has its own medical personnel. In this case, a nurse left her login information conveniently handy for others who did not have access to the medical database and some unauthorized employees allegedly used those login credentials to snoop on inmates and coworkers. As my previous digging into this case indicated, the breaches began in 2008, were discovered in 2011 by Samaritan Hospital, but were not disclosed to those affected until 2013 – allegedly because the Sheriff, who became a defendant in the litigation, asked the hospital to delay notification. The Sheriff’s role also became significant in the litigation because employees claimed that he was misusing access to see if they were complying with his policies about not taking excessive medical leave from work.

In any event, in 2016, the lawsuits were dismissed, with prejudice, in part because the court held that the employees had not demonstrated that anything in their medical records was sensitive enough that if viewed by an employer, would expose them to discrimination. The claims under CFAA were dismissed for failure to state a claim.

The plaintiffs appealed, and now the Second Circuit Court of Appeals has affirmed in part and reversed in part.

Of special note, the court held that even individuals with non‐stigmatizing medical conditions have a right to privacy in their medical records, even if their interest in privacy might be less (than someone with a stigmatizing condition).  So the court has remanded the case back to the district court, but instructed the lower court to also consider whether qualified immunity might apply.

Continue to stay tuned.

h/t, who reported on this update first.


Jul 132016

Orin Kerr writes:

The U.S. Court of Appeals for the 9th Circuit has handed down a very important decision on the Computer Fraud and Abuse Act, Facebook v. Vachani, which I flagged just last week. For those of us worried about broad readings of the Computer Fraud and Abuse Act, the decision is quite troubling. Its reasoning appears to be very broad. If I’m reading it correctly, it says that if you tell people not to visit your website, and they do it anyway knowing you disapprove, they’re committing a federal crime of accessing your computer without authorization.

Read more on Washington Post. As always, Orin provides a lot of food for thought.

By now, I’ve only read the opinion once, and oddly, perhaps, what caught my eye was fn4:

 Simply bypassing an IP address, without more, would not constitute unauthorized use. Because a blocked user does not receive notice that he has been blocked, he may never realize that the block was imposed and that authorization was revoked. Or, even if he does discover the block, he could conclude that it was triggered by misconduct by someone else who shares the same IP address, such as the user’s roommate or co-worker.

So someone going directly to a file on a server from search results – without going through the site’s or server’s front door – is not necessarily engaging in “unauthorized use” under CFAA without more? But what more would be needed in that situation to make criminal application of CFAA appropriate?  And if that’s the case, think of the raid on Justin Shafer who accessed files on a Patterson FTP server when there was nothing he saw that would have suggested he didn’t have authorization.

Jan 252016

Daniel Cooper reports:

Eric Springer is not happy, mostly because he believes that Amazon let a nefarious type get at his account. In a blog over at Medium, Springer revealed that he was the victim of a “social engineering” hack that exposed his details to an unnamed third party. With just a rough idea of Springer’s location and his email address, the attacker tricked a customer services rep to give up almost all of his personal information. The attacker was subsequently able to use this data to trick Springer’s bank into sending out a copy of his credit card.

Read more on engadget. Then read Eric’s entire post on Medium. I don’t know about you, but it has made me very nervous about Amazon.

Sep 252015

Ellen Nakashima and Steven Mufson report:

The United States and China have agreed that neither country will conduct economic espionage in cyberspace in a deal that addresses a major source of tension in the bilateral relationship.

The pact also calls for a process aimed at helping to ensure compliance.

Read more on Washington Post.

Now if they’d just give back all the non-economic but personally identifiable information they’ve acquired, right?