In what has become an increasingly bizarre case, researcher Justin Shafer was arrested Friday evening, detained in Dallas County Jail over the weekend on a “hold” request from the FBI, and then transferred to federal court today, where he was charged with cyberstalking.
For the benefit of those who haven’t followed this story from the beginning: Shafer is a dental IT integrator in Texas who’s knowledgeable about patient management software in the dental sector. He’s uncovered and reported a number of vulnerabilities that he discusses on his blog. Some of his research and advocacy resulted in enforcement action by the FTC to protect consumers and patients.
In addition to identifying and reporting vulnerabilities in software, Shafer finds patient data leaks by querying search engines such as FileMare for certain keywords and then checking the results for FTP servers configured to allow “anonymous” login, i.e., servers that serve their files to anyone who connects without credentials. When Shafer finds exposed protected health information (PHI), he generally contacts the covered entity or database owner to alert them and then discloses it publicly, contacts the media, and/or files a complaint with the U.S. Department of Health & Human Services (HHS), alleging violations of HIPAA’s security requirements.
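One way to test for the misconfiguration described above, as an added example that is not part of the original post and is not Shafer’s tooling: the script drives the FTP USER/PASS exchange on an open control connection and reports whether the server grants anonymous login (reply code 230). The server replies embedded in it are constructed for offline use, not captured from any real host; check_host() runs the same logic against a live server, which should only be one you are authorized to probe.

```python
"""Probe an FTP server for anonymous login.

Added example for this post: not Shafer's tooling. The server scripts
below are constructed, not real captures. Standard library only.
"""
import io
import socket

ANON_USER = "anonymous"
ANON_PASS = "guest@example.com"  # conventional e-mail-style anonymous password


def read_reply(rfile):
    """Read one FTP reply; return (3-digit code, full reply text).

    Handles multi-line replies (RFC 959 section 4.2): a first line such as
    "230-..." is followed by further lines until one begins with "230 ".
    """
    raw = rfile.readline()
    if not raw:
        raise ConnectionError("server closed the control connection")
    first = raw.decode("latin-1").rstrip("\r\n")
    code = first[:3]
    if not (len(code) == 3 and code.isdigit()):
        raise ValueError(f"malformed FTP reply: {first!r}")
    lines = [first]
    if first[3:4] == "-":
        while True:
            raw = rfile.readline()
            if not raw:
                raise ConnectionError("EOF inside multi-line reply")
            line = raw.decode("latin-1").rstrip("\r\n")
            lines.append(line)
            if line.startswith(code + " "):
                break
    return code, "\n".join(lines)


def anonymous_login(rfile, wfile):
    """Drive the USER/PASS exchange on an open control connection.

    Returns (allowed, transcript). allowed is True only when the server
    answers 230 (logged in), i.e. its files are readable without credentials.
    """
    transcript = []

    def send(cmd):
        wfile.write((cmd + "\r\n").encode("ascii"))
        wfile.flush()
        transcript.append("C: " + cmd)

    def recv():
        code, text = read_reply(rfile)
        transcript.append("S: " + text)
        return code

    if not recv().startswith("2"):      # banner: 220 expected, 421 = refused
        return False, transcript
    send(f"USER {ANON_USER}")
    code = recv()
    if code == "331":                   # server asks for a password
        send(f"PASS {ANON_PASS}")
        code = recv()
    return code == "230", transcript


def check_host(host, port=21, timeout=5.0):
    """Connect to a live host and run anonymous_login; returns (allowed, transcript)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
        try:
            allowed, transcript = anonymous_login(rfile, wfile)
            wfile.write(b"QUIT\r\n")
            wfile.flush()
        except (OSError, ValueError) as exc:
            return False, [f"error: {exc}"]
        finally:
            rfile.close()
            wfile.close()
    return allowed, transcript


# Constructed server-side control-channel scripts (not real captures).
OPEN_SERVER = (
    b"220 (vsFTPd 3.0.3)\r\n"
    b"331 Please specify the password.\r\n"
    b"230-Welcome, anonymous user.\r\n"
    b"230 Login successful.\r\n"
)
LOCKED_SERVER = (
    b"220 FTP server ready\r\n"
    b"331 Password required for anonymous.\r\n"
    b"530 Login incorrect.\r\n"
)
REJECT_AT_USER = (
    b"220 FTP server ready\r\n"
    b"530 Anonymous access denied.\r\n"
)


def probe_canned(script):
    """Run anonymous_login against a canned server script.

    Returns (allowed, transcript, bytes the client sent).
    """
    rfile, wfile = io.BytesIO(script), io.BytesIO()
    allowed, transcript = anonymous_login(rfile, wfile)
    return allowed, transcript, wfile.getvalue()


if __name__ == "__main__":
    for name, script in (("open", OPEN_SERVER), ("locked", LOCKED_SERVER),
                         ("reject-at-USER", REJECT_AT_USER)):
        allowed, transcript, _ = probe_canned(script)
        print(f"[{name}] anonymous login allowed: {allowed}")
        for line in transcript:
            print("   ", line)
```

The server-side fix is the same whichever product is listening: disable anonymous login (for vsftpd, `anonymous_enable=NO` in vsftpd.conf) and keep PHI off any host that is reachable from the internet without authentication.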
In May, 2016, Shafer was raided by the FBI, as I reported on The Daily Dot at the time. It appeared, based on what Shafer was allegedly told by an FBI agent, that Patterson Dental might have complained that Shafer hacked them (see this incident that this site reported in February, 2016).
The complaint filed in today’s arrest makes clear that the May, 2016 raid was, in fact, because Patterson accused Shafer of accessing their files “without permission.” Shooting the messenger instead of just owning responsibility for a security mistake is neither appropriate nor helpful in improving cybersecurity, as such accusations tend to chill other researchers from reporting what they find, leaving entities in the dark and criminals with more vulnerable sites to attack.
No charges were filed against Shafer following the May, 2016 raid.
In January, 2017, Shafer was raided again, but there were still no federal charges or state charges filed.
On March 22, the FBI issued a Private Industry Notice (PIN). That PIN said that the FBI was aware of some criminals accessing data from public FTP servers to harass, intimidate, and/or blackmail site owners. Could they have been talking about Shafer? The PIN appeared to have some possible connection to Shafer because he’s well-known for investigating open FTP servers, but the connection was not clear. Shafer’s style may be obsessive-compulsive, impulsive, and/or abrasive/obnoxious at times, but this site was not aware of anyone ever accusing him of blackmail or intimidation.
On March 31, the FBI raided Shafer for a third time, and arrested him for cyberstalking. Not hacking, not anything to do with FTP servers, but cyberstalking under 18 U.S. Code § 2261A(2)(B).
The complaint describes conduct Shafer allegedly engaged in with respect to one of the FBI agents involved in his case and that FBI agent’s spouse and family. While some of the behavior cited as evidence of cyberstalking occurred on Twitter, a lot of it occurred on Facebook. Sadly, and assuming for now that they can prove those tweets and posts were really by him, Shafer appears to have focused his outrage and frustration over the May, 2016 raid on one particular FBI agent and by extension, that agent’s family.
DataBreaches.net is not naming the FBI agent or uploading the complaint at this time. But if you’re thinking this story couldn’t get any more bizarre or unfortunate, let me assure you that it does get more bizarre. Apparently one region of the FBI was (and may still be?) investigating Shafer as a possible co-conspirator of TheDarkOverlord (TDO).
You can’t make this stuff up, folks. Well, maybe our President could or FoxNews could, but I can’t.
DataBreaches.net was unable to reach Shafer or his wife for a comment by the time of this publication, but will update this story as more information becomes available.