Nov 18, 2017

On Friday, December 1, lawyers for an infosec researcher who has been in jail since April will argue that U.S. District Judge David C. Godbey should release Justin Shafer from jail while he awaits trial.

Justin Shafer

For those who are not familiar with the case, Shafer, a dental integrator technician and independent infosecurity researcher, faces federal charges of cyberstalking an FBI agent and the agent’s family. And those are the only charges he currently faces, although you might have been misled by others’ headlines into believing that he is an alleged hacker or an alleged co-conspirator of the blackhats known as TheDarkOverlord. Shafer has not been charged with any hacking-related activity at all.

In fact, the case against Shafer initially had nothing to do with blackhat hackers at all and everything to do with the fact that Shafer was uncovering and disclosing leaking databases, and the entities he was reporting on did not always take kindly to being embarrassed publicly for their poor data security. Shafer would also file complaints with HHS/OCR and the FTC over sloppy or failed data security. And it was one of those entities that apparently tried to accuse Shafer of hacking them after he found patient data on a public FTP server that did not require any login.

Once the FBI started investigating Shafer as if he were some blackhat criminal for finding and disclosing leaky databases, Shafer’s relationship with one Dallas FBI agent started to deteriorate. And it was only against the backdrop of that already somewhat adversarial relationship that, one month later, when Shafer started investigating TheDarkOverlord and trying to help the FBI, the FBI started treating him as a possible co-conspirator instead of as an asset.

To be clear: while Shafer repeatedly and demonstrably attempted to help the FBI catch TheDarkOverlord, Shafer did make negative public comments to and about a Dallas FBI agent, Nathan Hopp, whom Shafer felt harassed by over a period of years. Those comments were made on Shafer’s blog and on his Twitter account.  But was there really anything criminal about those comments or are they protected speech under the First Amendment?

And who wouldn’t be angry if you’d been raided three times by the FBI and you had never done anything illegal? Maybe it was imprudent to shoot off his mouth at an FBI agent or his family, but Shafer and his family have been through a lot of harassment from their perspective. I recently reported what Shafer’s wife told me about how all these raids have affected their children, but here’s a snippet of Shafer’s description of one of the raids, and his concern for his child’s safety because of it.  On February 2, he wrote about the second (January) raid:

… I heard some boots making noise outside the house. I went outside, and there was a guy with an AK-47 pointing it at me, freaking out because my hands are not up.

That is when I saw 5 or 6 guys by my garage, and I think everyone had an AK-47 it seemed. These dudes were TWICE the size of the guys who raided me the first time. They told me they were not part of the first people who raided me, because I asked if Nathan Hawk was around. =)

[Note: at the time of this raid, Shafer still mistakenly thought Agent Hopp’s name was “Hawk”].

I remember what [a lawyer] said, and decided I would take his friendly advice. He told me if he was raided, he would decline all interviews and just leave. You don’t need to be present during a raid, really.

The FBI agent who had a gun on me told me we could go inside after they “cleared” the house (make sure nobody else is inside). I told him I “respectfully decline the interview”. I then told him I wanted to leave, and they said okay but didn’t let me leave. Then he told me again, they would let me leave after I talked, and I reminded him that I “respectfully decline this interview”. So they put me into a NRH cop car, and then told me they were taking me to jail

[…]

I was upset when my 3-year-old daughter handed me a CR-2032 battery. Any kid who eats one of those, dies. Horrific. I am very careful to keep shit off the floor. If she had eaten it, I would be losing my mind…..

Might you be upset with the FBI under similar circumstances?

But wait, you say – didn’t the FBI find actual evidence during that January raid that Shafer was conspiring with the blackhat hackers known as TheDarkOverlord? Didn’t you see something about a stolen database and a chat log?

No, the FBI did not find evidence of any conspiracy nor any criminal activity on Shafer’s part.

What they found was that TheDarkOverlord gave Shafer information in 2016 which Shafer had then promptly passed along to the Dallas FBI via e-mail and phone to help them. What they found in January, 2017 was what Shafer had already given them and other law enforcement agencies in 2016 to help them catch TheDarkOverlord.

And if you haven’t seen the evidence I posted showing that Shafer was trying to help the FBI, see this post for screenshots.

So Shafer was charged with cyberstalking, and those charges were padded by references to claims that he was being investigated as a co-conspirator of TheDarkOverlord, when the factual history shows that Shafer was passing along information on TheDarkOverlord to law enforcement in both this country and the U.K.

When Shafer was arrested, he was released with pre-trial conditions. Those conditions included what many First Amendment experts might consider prior restraint of speech.  Shafer has every right to complain about an FBI agent whom he feels is harassing him or his family. He has every right to complain loudly and publicly about an agency repeatedly raiding him even though there is no evidence of wrongdoing on his part.

Criticizing an FBI agent publicly doesn’t seem exactly prudent, but that doesn’t make it criminal speech or conduct. So why has it cost Shafer his freedom for all these months?

On December 1, Tor Ekeland, Shafer’s attorney, will argue that Shafer should be released from jail while he awaits trial on the cyberstalking charges.  That trial date has now been set to begin January 22, 2018.

I remember the days when EFF and the ACLU would be all over a case like this, forcefully speaking up for and defending someone in Shafer’s position. While EFF did make a few comments to a Dallas reporter about this case, the ACLU of Texas and the national ACLU have remained silent. Why?

Shafer’s speech may have been imprudent, but unpopular speech is exactly what most needs protection and vigorous defense.  If using Google to look up someone’s address or saying “hi” to someone’s wife on Facebook can be construed as evidence of “cyberstalking,” we are all in trouble.

This is one of those cases that has the potential to make bad law on free speech. If you care about the First Amendment and pushing back against government attempts to erode your right to protected speech, maybe you should get to the Dallas federal courthouse on December 1 at 10:00 am and show your support for Shafer and the issue of free speech.

And if you’re an infosec researcher who has ever been falsely accused of hacking or wrongdoing because you tried to do the right thing to improve data security, then perhaps you should speak up and support Shafer, because if they can chill his speech by jailing him for so long, what can they do to your speech and ability to disclose vulnerabilities and leaks you find?


  7 Responses to “Court dates set in Justin Shafer case”

  1. Stop dick riding this guy so hard. If he was doing everything legal and reporting these leaks properly the FBI wouldn’t have raided him. And messaging the guy’s wife and looking up their house addy is getting close to harassment. It’s one thing to talk freely but he was crossing the line. Lol hopefully he gets found guilty.

  2. If Shafer had really crossed any line, the government could have charged him with it. He wasn’t charged with anything other than getting up an FBI agent’s nostril. Even after three raids, they had nothing to charge him with?

    I’d say that the three raids are compelling evidence that he has been doing everything legally or they would have charged him otherwise. Even their so-called “evidence” was easily refuted, as I demonstrated in a previous post.

    Someone should file under FOIA to find out how many taxpayer dollars the Dallas FBI and DOJ have wasted investigating Shafer as an alleged co-conspirator of TDO. And how much time and money they’ve wasted investigating Shafer for non-TDO “hacking.”

    And by the way: looking up a house address is not harassment, and the standard for “harassment” is not “close to harassment.” You seem willing to bend the law into a pretzel to try to punish someone just because you don’t like them or like what they did. Not all bad or inappropriate behavior is criminal, nor should it be.

    Protect the First Amendment or there will be no one to protect you when some snowflake wants you criminally prosecuted because your words upset them. Heck, can I have you charged criminally because I felt emotional distress at your comments that I was “dick riding?” That’s very very upsetting to someone from my background and now I am frightened for my safety and think you should be locked away.

    See the risk?

  3. You don’t seem to understand that the initial raid was entirely predicated on a complaint to the FBI by a multi-billion dollar company claiming Justin “hacked” them. He hacked nothing. Patterson left patient data on an FTP server which 1) required no login and 2) had zero read/write restrictions on the file containing the patient data. You also fail to understand Shafer did indeed properly disclose that incident. News of the breach was embargoed until Patterson was informed of the issue and it could be confirmed that the patient data was no longer publicly available. It’s troubling that anyone fails to empathize with what Shafer and his family have been put through. It’s deeply troubling to think anyone out there actually thinks the agent’s family has “suffered” to an extent that comes even close to what the Shafer family have been put through. I also have to question your intelligence if you actually think the messages sent to the wife’s profile constitute anything close to what any normal person would consider true harassment.

    “Lol hopefully he gets found guilty”

    What the fuck is wrong with you?

  4. You’re too polite to this douchebag.

  5. Does the fact that he posted as “FBI” and gave an email address at fbi.gov indicate that he has posed as a government agent? Has he committed a crime that he could be prosecuted for?

    If so, he’s already engaged in more criminal conduct than Shafer did.

  6. Lol, good point! Think they’ll go after him for impersonating a federal agent? Hand over that IP address and browser information!

  7. Fbi may just be a potty-mouthed troll, so best to ignore him personally. However his point of view sounds very similar to that of the real FBI in pursuing this case at all.

    If an FBI agent’s personal information is so easily found by a member of the public, they must *not* consider that information sensitive, by definition. Republishing that non-sensitive information therefore cannot, in itself, be a threat.

    Unless there is evidence Shafer pursued a real world physical confrontation or made an explicit physical threat it’s hard to believe the FBI agent was seriously concerned about his family safety (and evidence of that could also be: did they move the family to a safe house?).

    We should expect Federal law enforcement officers to be more than playground bullies with thin skins.
