Security Researchers Sued For Exposing Internet Filtering Company's Sale Of Censorship Software To Blacklisted Country
from the 'you're-making-us-look-bad'-said-company-caught-looking-bad dept
Nothing says "Please stop talking about the bad stuff we do" quite like a bogus defamation lawsuit. Citizen Lab, which has reported on a great number of tech companies that are less than discriminating in their selection of customers (think Hacking Team), has been served with a lawsuit by a purveyor of internet censorship software.
On January 20, 2016, Netsweeper Inc., a Canadian Internet filtering technology service provider, filed a defamation suit with the Ontario Superior Court of Justice. The University of Toronto and myself were named as the defendants. The lawsuit in question pertained to an October 2015 report of the Citizen Lab, “Information Controls during Military Operations: The case of Yemen during the 2015 political and armed conflict,” and related comments to the media. Netsweeper sought $3,000,000.00 in general damages; $500,000.00 in aggravated damages; and an “unascertained” amount for “special damages.”
Netsweeper apparently was less than amused by Citizen Lab's insistence on reporting facts, including the nasty one about it supplying internet filtering software to a country whose government has been blacklisted by the United Nations. You know, things like this:
The research confirms that Internet filtering products sold by the Canadian company Netsweeper have been installed on and are presently in operation in the state-owned and operated ISP YemenNet, the most utilized ISP in the country.
Netsweeper products are being used to filter critical political content, independent media websites, and all URLs belonging to the Israeli (.il) top-level domain.
These new categories of censorship are being implemented by YemenNet, which is presently under the control of the Houthis (an armed rebel group, certain leaders and allies of which are targeted by United Nations Security Council sanctions).
Netsweeper was given a chance to defend itself against Citizen Lab's allegations before the report was made public.
We sent a letter by email directly to Netsweeper on October 9, 2015. In that letter we informed Netsweeper of our findings, and presented a list of questions. We noted: “We plan to publish a report reflecting our research on October 20, 2015. We would appreciate a response to this letter from your company as soon as possible, which we commit to publish in full alongside our research report.”
Netsweeper never replied.
Rather than meet the situation head on, Netsweeper chose to hang back and lob a lawsuit at Citizen Lab after it published its report. Fortunately for the security researchers, Netsweeper has chosen to drop its lawsuit entirely, possibly because pursuing the questionable defamation claims would have put it up against Ontario's version of anti-SLAPP laws: the Protection of Public Participation Act.
The world of security research is still a dangerous place. When researchers aren't being arrested for reporting on their findings, they're being sued for exposing security flaws and highly-questionable behavior. It's a shame there aren't more built-in protections for researchers, who tend to receive a lot of legal heat just for doing their job.
Filed Under: canada, censorship, citizen lab, filtering, software, yemen
Companies: citizen lab, netsweeper
Reader Comments
Perhaps they hired a better lawyer who told them how badly their first lawyer had screwed them by drawing much more attention to their income from selling to rebels and repressive regimes that most Canadians would balk at.
[ link to this | view in chronology ]
Typical behavior by Netsweeper
The Booming Business of Internet Censorship
and
Sweeping Rights Aside: Ottawa, Pakistan and Netsweeper
and
When a Canadian company decides what citizens in the Middle East can access online
among others
[ link to this | view in chronology ]
An as-yet unsolved problem is everyone, including black-hat hackers, can say they are "security researchers" entitled to exceed reasonable and authorized levels of access to Internet-connected systems.
The law does not distinguish between researchers who have incorporated as businesses and are ostensibly working for the public good, those independent "researchers" who offer zero-days for ransom, hostile nations, pranksters, and others up to no good. Regardless of what moral high ground the white-hats and some grey-hats may be on, no one has the legal right to harm businesses by poking around and disclosing vulnerabilities. From the point of view of the hacked companies, these people are all uninvited burglars who keep trying all the windows and doors, moving in shadows and seeing what items of value might be left lying about and seeing what trouble they can stir up.
I don't sympathize with those who sue or prosecute instead of rewarding the white-hats who really are just doing security research, but I also don't see the "security research" industry doing anything to legitimize and distinguish itself in a way that protects it from CFAA abuse, SLAPP, and so on. If you want to make progress on this issue, come up with a code of ethics, a list of things you can and can't do in the course of "research", and discuss how the law can be changed to protect those researchers who work for the public good, without giving a free pass to the malicious ones.
[ link to this | view in chronology ]
Re:
You sure could have fooled me.
I also don't see the "security research" industry doing anything to legitimize and distinguish itself in a way that protects it from CFAA abuse, SLAPP, and so on.
Maybe they need to be "regulated" in some way to ensure that they don't step on the wrong toes, huh?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
This is why it's important to allow genuine researchers to continue without fear of prosecution. The bad guys are going to be doing it with or without the help of a handy excuse, and you make everyone less safe by attacking the messengers who inform you of your problem.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Spectroscope producers would be happy.
[ link to this | view in chronology ]
Re: Re: Re:
The criminals - being, well, criminals - do not care for laws anyway, and the governments will get away with any poking with a straw man or a scapegoat.
Only the poor end user will have a hard time sitting from screwing.
Oh, well...
[ link to this | view in chronology ]
Re:
Similarly, businesses do not have a right to make money without regard to the costs they impose on society, which includes exposing customers to data exposures just to make a larger profit by not following best security practices. In any case, this was not revealing a vulnerability, unless you consider doing business with authoritarian dictators and would-be authoritarian dictators a vulnerability.
[ link to this | view in chronology ]
Re:
On the other hand, businesses are free to harm hundreds of millions of people by concealing vulnerabilities and lying about them.
[ link to this | view in chronology ]
Re:
...which is why the industry generally has a very good track record of not publicly disclosing any potentially harmful data until after the company in question has had a reasonable amount of time to either a) fix their security issue or b) issue their own response to the issue, depending on whether there has been a breach or not. Normally, the only time disclosure is made before the company has been able to fix their end is if they either ignore the request to do so (or follow the request for a fix up with legal action), or if the breach is so severe that it's in the public interest for immediate disclosure.
Bear in mind that it's often not the law that's the problem here, it's companies who prefer to try and silence researchers rather than publicly admit they have an issue and/or fix the revealed security flaws. I agree that the law has a problem distinguishing between black and white hats, but it's as much a problem with the way the law is attempted to be applied as the letter of the law itself.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
You're shooting the messenger and blaming them for the news.
The vulnerabilities that the businesses allow are what harm them. The exposure of the vulnerabilities is just inevitable and necessary.
In the same manner, Edward Snowden isn't responsible for harming the US intelligence structure by exposing their illegal actions. Their illegal actions did that.
Guccifer 2.0 or the Russians or whoever hacked the DNC emails isn't responsible for harming the DNC's reputation. The DNC did that by sending those emails in the first place.
If you don't have vulnerabilities or take sufficient actions to find and nullify what vulnerabilities you have, then you're fine. If you expect everyone to politely ignore the fact that you're not wearing any clothes, then you must think you're royalty or something and even that won't save you.
[ link to this | view in chronology ]
Re: Re:
Shooting the messenger is a common method used to attempt to suppress news.
[ link to this | view in chronology ]
Re:
Why not, has that right been specifically prohibited? Remember that thing about "all rights not delegated"? Or is that just an old scrap of paper to you?
[ link to this | view in chronology ]
Market outlook for censorware
[ link to this | view in chronology ]
Streisand effect
[ link to this | view in chronology ]
Re: Streisand effect
[ link to this | view in chronology ]
Re:
Either way, you'd be a much better candidate than that "Make Uranus Great Again!" guy. Definitely not voting for him...
[ link to this | view in chronology ]