CFAA overreach: FBI raids home of security researcher
From the stop-me-if-you’ve-heard-this-one-before dept:
Over on Daily Dot this morning, I reported that the FBI executed a search warrant at the home of researcher Justin Shafer. Shafer’s name will be familiar to regular readers of DataBreaches.net because he exposed a long-standing security vulnerability in Dentrix software and challenged Henry Schein’s claims that their product provided “encryption.” Our combined efforts resulted in the recent consent order announced by the FTC.
The raid Tuesday is concerning, as there are significant similarities to Andrew “weev” Auernheimer’s federal hacking case, where the government charged – and a jury convicted – Auernheimer for scraping/slurping users’ iPad data from a publicly available AT&T server. Auernheimer’s conviction was vacated by the Third Circuit on appeal, but on venue grounds: the appeals court never reached the critical issue of whether accessing a publicly available server is a violation of the Computer Fraud and Abuse Act (CFAA).
So here we go again on the risk researchers face of criminal prosecution as felons for accessing and reporting on what they find on publicly available servers. Can the government not realize that these researchers are providing a valuable service and we want to encourage responsible disclosure? How many hundreds of millions of people whose personal information was exposed would still be at risk if researchers like Chris Vickery and Justin Shafer didn’t research and didn’t disclose responsibly?
According to Shafer, the FBI agent reportedly told him the search and seizure were because Patterson Dental claimed he “exceeded authorized access” to their FTP server in an incident reported on DataBreaches.net in February.
But – and as Shafer said he pointed out to the FBI agent – this was an anonymous FTP server: no login (user/pass) was required, and anyone who connected could read what was on it. According to Shafer, the FBI agent responded, “But you shared it with <this site>.” To which this blogger would respond, “So what if he did? There’s nothing wrong with going to the media to disclose a breach, and no individuals were put at risk of harm if a sample of data were provided for verification, notification, and reporting purposes.”
Shafer did nothing wrong in investigating what he found on the server or in contacting DataBreaches.net to help disclose it and report on it. Do the FBI and the software manufacturer wish to chill a free press, too, or is it just researchers?
If Shafer did nothing wrong, how did a prosecutor convince a magistrate judge to issue a search warrant based on probable cause when no access control was bypassed, no login was required, there was no evidence that any data downloaded had been used in furtherance of a crime, and no personal data was disclosed publicly in Shafer’s reporting on the incident or this site’s reporting on it? Unfortunately, the probable cause affidavit is under seal, but this blogger wonders if the magistrate judge really understood the nature of an anonymous FTP server.
For more details on the raid, read my article on Daily Dot. For other vulnerabilities and breaches Shafer has shared with this site, search here and see his blog.
Instead of pointing fingers at Shafer, if any fingers are to be pointed, they should probably be pointed at Patterson Dental.
The bottom line is that I don’t know why Patterson Dental would have filed a criminal complaint against him, if they did. Maybe they are trying to portray themselves as victims of a “hack” when the real victims are their clients and the clients’ patients. Maybe they are trying to chill researchers’ and journalists’ reporting of security lapses. I really don’t know, but as a matter of public policy, the government should not be declaring war on security researchers who do no harm to data or data subjects and who disclose responsibly.
Worryingly, the raid on Shafer may well be just the prelude to another overzealous government prosecution under CFAA, and that should concern us all.