Prosecution drops five felony charges against Justin Shafer, accepts plea to one misdemeanor charge
In May 2016, the Dallas FBI raided dental integrator and independent researcher Justin Shafer because of allegations that he had accessed an FTP server without authorization. Shafer was subsequently raided twice more, and in March 2017, he was arrested and charged with stalking a federal employee – not hacking or any criminal conduct related to hacking, but stalking a federal employee. Over the next year, the prosecution would pile on more stalking counts in superseding indictments so that Shafer wound up facing five felony charges.
But today, the government’s attempt to prosecute Shafer as a dangerous FBI-stalking villain ended with a whimper instead of the bang the prosecutor hoped for.
This morning, Shafer pleaded guilty in federal court in Dallas to one misdemeanor count of retaliating against a federal official by threatening a family member.
As part of the plea deal, Shafer was sentenced to time served. Shafer had spent almost eight months in jail when his pre-trial release was revoked by Magistrate Judge Toliver for blogging, which was deemed a violation of his conditions of release.
Shafer’s defense team, consisting of Tor Ekeland and Fred Jennings at Tor Ekeland Law and Jay Cohen at Blass Law in Texas, had appealed the revocation, writing, in part:
The factual bases of the government’s bare bones indictment are a handful of public tweets; a Facebook friend request and message sent to a public Facebook account; the following of a public Twitter account;1 and two emails to an FBI Agent – one with a “?” emoji and another inquiring about the status of a report of a patient privacy violation. The Defendant made no attempt to mask his identity, and the FBI never contacted the Defendant to express any concern or to ask him to stop his communications. Instead they arrested him. And any claim that he engaged in a sustained course of conduct with a continuity of purpose to cyberstalk or threaten are ludicrous when compared to facts embodied in the case law regarding these statutes.
These accusations led to a pretrial release order so broad it functioned as a prior restraint on Mr. Shafer’s constitutional right to speak about the accusations made against him. When he sought to do so – through a post on his work-related blog – the magistrate judge revoked release, broadly interpreting the release condition terms and finding a violation of those conditions.
An innocent man — who the government has not charged, and cannot charge, with any violent crime, nor with any history of violent crime — is now in jail on the basis of protected speech.
Judge David Godbey firmly agreed with the defense that Shafer had had a right to blog, and Shafer was re-released in December, 2017 to await trial. And the case probably would have gone to trial had it not been for Judge Janis Graham Jack letting the prosecution know that she saw no evidence of any threat to support the felony charges and that she might rule on the defense’s motion to dismiss if the prosecution didn’t come up with some reasonable plea deal. Today’s plea deal was partly the result of Shafer holding firm that he would not just plead guilty to any felony.
After a plea agreement was reached, Shafer’s defense team issued the following statement:
Mr. Shafer first contacted us after he [was] raided by armed federal law enforcement for alleged computer crimes the government has never charged him for. When he complained to the government about it, he was arrested and thrown in jail for his criticism. He was freed after the defense filed a motion arguing his pre-trial detention violated the First Amendment. Fortunately, when presented with the facts of this case, the Court understood the magnitude of the issues here and helped us resolve this case without the hassle, expense, and stress of a jury trial. We are grateful to the Northern District of Texas for recognizing this case for what it was: an attack on internet free speech and a citizen’s right to criticize the government.
Under the terms of today’s plea deal, Shafer has agreed to have no contact, either personally or through any associates whatsoever, with Special Agent Nathan Hopp of the Dallas FBI or any of his immediate or extended family members. The no-contact agreement also applies to Judge Jeffrey Cureton, his staff or any of his immediate or extended family members.
There never was any evidence that Shafer had ever physically approached or physically assaulted anyone. Nor was there ever any clear evidence that he had even threatened to approach anyone physically. Even the misdemeanor charge appeared to be a stretch far beyond the available evidence.
For its part, in addition to moving to dismiss all the remaining charges against Shafer, the government agreed it will not criminally prosecute Shafer for any charges relating to the investigation of the alleged unauthorized FTP server access in the Patterson matter that led to the May 2016 raid.
What Now or Next?
Prior to today’s hearing, DataBreaches.net had asked Shafer if he felt that justice had been served in the anticipated plea deal. Shafer responded that after his ordeal, he now believes that justice is just “an illusion.” His experience has also chilled his willingness to try to protect patient data. When asked in email if he would resume his efforts to find leaks and notify entities so they could secure the data, he replied:
I think the next time someone finds social security numbers that is considered protected health information under HIPAA they should just turn a blind eye. Nobody is going to call you a hero (except the enlightened), and you run the risk of being harassed by the FBI. Doctors responsible for alerting patients will now have yet another reason not to. Already, only about 10% of doctors notified patients that their patient information was publicly available. Law enforcement or the Office of Civil Rights won’t care, and will most likely ignore it. Punishing health information researchers for reporting these issues only puts patients at greater risk. I think it would benefit society greatly if people who find publicly accessible data were not threatened by the people who put it there.
There’s a lot of good points in that statement. Shooting the messenger and/or prosecuting those who find and try to remedy leaks is just not in society’s best interests.
For now, though, Shafer remains focused on spending more time with his family. And in that respect, today was a good day for Shafer because Judge Janis Graham Jack approved the plea deal and he got to go home to his family.
“I was nervous when she started telling me my rights and that she wasn’t obligated to accept the deal,” Shafer told DataBreaches.net by phone after the hearing. But now, he said, he’s, “Happy. I’m happy that it’s over.” He added, “I shook hands with the prosecutor after the meeting and we both hoped that I would never see them again. And he told me that I am lucky to have a wife that puts up with me. I left the hearing on good terms.” Shafer hopes that now that this is over, the prosecution will return his wife’s videos of their children that had been seized in one of the raids.
Attorneys from the U.S. Attorney’s Office for the Western District of Texas did not respond immediately to an inquiry sent earlier asking them for a comment on the outcome of this case.
Trent - March 22, 2018
Cheaper and far less hassle to accept the bullshit plea charges the prosecution pulled out of their ass just to avoid having to put this case in his loss column. I get that, I totally understand, but justice for Justin still eludes him.
The agents who railroaded him for 1.5 years, raided his home thrice, stole all his electronics, kept him in jail away from his family for 8 months, and nearly buried the family financially face zero consequences. That’s what I call grade-A, bona-fide, export-quality BULLSHIT.
Same thing goes for the IT guys and their corporate taskmasters at Patterson who started all this shit by shooting the messenger and crying “Weez bin haxored!” to the FBI and their shareholders instead of owning up to their mistake and admitting they suck at FTP server administration.
I hope this story doesn’t end here.