Security Researcher At The Center Of Emoji-Gate Heading Home After Feds Drop Five Felony Charges

Legal Issues

from the good-news-for-one-of-the-actual-good-guys dept

Fri, Mar 23rd 2018 10:40am — Tim Cushing

The security researcher who was at the center of an audacious and disturbing government demand to unmask several Twitter accounts on the basis of an apparently menacing smiley emoji contained in one of them is now facing zero prison time for his supposed harassment of an FBI agent. Justin Shafer, who was originally facing five felony charges, has agreed to plead guilty to a single misdemeanor charge. Shafer, who spent eight months in jail for blogging about the FBI raiding his residence repeatedly, is finally going home.

Here are the details of plea agreement [PDF] Shafer has agreed to. (h/t DissentDoe]

Mr. Shafer is pleading to a single misdemeanor of simple assault, based on his sending a Facebook direct message to an FBI Agent’s immediate relative's public Facebook account. There is no allegation of any physical contact.

The government agrees to recommend a sentence of time served. Mr. Shafer already served 8 months in jail before trial for criticizing the government's prosecution in a blog post. He was released after the defense filed a motion arguing his pre-trial detention violated First Amendment free speech rights and the statute governing pre-trial detention.

The government is not seeking for any restitution.

The United States Attorney's Office has agreed not to prosecute Mr. Shafer for the events leading to the initial armed FBI raid of his family’s home.

Mr. Shafer has agreed to a no contact order with the FBI agent, the agent’s family, and the company involved in the initial investigation.

What started out as normal security research soon became a nightmare for Shafer. His uncovering of poor security practices in the dental industry -- particularly the lack of attention paid to keeping HIPAA information secured -- led to his house being raided by FBI agents. The FBI raided his house again after he blogged about the first raid. The FBI justified its harassment of Shafer with vague theories about his connection to infamous black hat hacker TheDarkOverlord. To do this, the FBI had to gloss over -- if not outright omit -- the warnings Shafer had sent to victims of TheDarkOverlord, as well as the information on the hacker Shafer had sent to law enforcement agencies including the FBI.

Blogging about his interactions with the FBI led to the judge presiding over his criminal trial to revoke his release and jail him for exercising his First Amendment rights. This was ultimately reversed by a federal judge who agreed Shafer was allowed to call FBI agents "stupid" and blog about his treatment by the federal agency. (He was not to reveal personal info about FBI agents, however.)

This trial has come to a swift end because the presiding judge sees zero merit in the government's case.

[T]he case probably would have gone to trial had it not been for Judge Janis Graham Jack letting the prosecution know that she saw no evidence of any threat to support the felony charges and that she might rule on the defense’s motion to dismiss if the prosecution didn’t come up with some reasonable plea deal.

This case comes to an end, but it does not absolve the government of its abusive behavior. Here's what Shafer's defense team (Tor Ekeland, Fred Jennings, and Jay Cohen) had to say about their client's treatment by federal law enforcement.

Mr. Shafer first contacted us after he [was] raided by armed federal law enforcement for alleged computer crimes the government has never charged him for. When he complained to the government about it, he was arrested and thrown in jail for his criticism. He was freed after the defense filed a motion arguing his pre-trial detention violated the First Amendment. Fortunately, when presented with the facts of this case, the Court understood the magnitude of the issues here and helped us resolve this case without the hassle, expense, and stress of a jury trial. We are grateful to the Northern District of Texas for recognizing this case for what it was: an attack on internet free speech and a citizen’s right to criticize the government.

And what can we learn from this debacle? Here's what Shafer has learned: never help anybody.

I think the next time someone finds social security numbers that is considered protected health information under HIPAA they should just turn a blind eye. Nobody is going to call you a hero (except the enlightened), and you run the risk of being harassed by the FBI. Doctors responsible for alerting patients will now have yet another reason not to. Already, only about 10% of doctors notified patients that their patient information was publicly available. Law enforcement or the Office of Civil Rights won’t care, and will most likely ignore it. Punishing health information researchers for reporting these issues only puts patients at greater risk. I think it would benefit society greatly if people who find publicly accessible data were not threatened by the people who put it there.

Thank god the FBI was there to help ensure ~~public safety~~ no one publicly badmouthed one of its agents. Shooting the messenger is the expected response when security breaches are discovered. If it's not those leaving personal info exposed threatening researchers with lawsuits or criminal charges, it's the government itself stepping in to "protect" entities that can't even protect the data of paying customers.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: disclosure, fbi, hacking, justin shafer, security, security research

33 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 23 Mar 2018 @ 10:54am

The keyboard is mightier than the sword ?
Gee, wouldn't most people assume that the FBI had more important things to do -- oh, I don't know, perhaps following up on real threats that have already been reported to the FBI?

How many kids in FL might have been saved?
[ link to this | view in chronology ]
- Anonymous Coward, 23 Mar 2018 @ 3:51pm
  
  Re: The keyboard is mightier than the sword ?
  Too true. And unacceptable.
  
  Need to create a new LEO agency whose sole purpose is to investigate the FBI for abuse of power and get away with criminal harassment of this type free from justice. If this happened in this case, how many other cases have hostile agents railroaded innocent people? Investigate top to bottom. Terminate and cage the agents who have run wild in recent decades.
  
  Parse out the remaining agents who served honorably to other LEO agencies. Publicly reward them with promotion and recognition for the higher standard they held themselves to in a job well done. Then simply close shop and disband the FBI to end a dark chapter of American government.
  
  This has gone on too long.
  [ link to this | view in chronology ]
freedomfan (profile), 23 Mar 2018 @ 11:09am

Justice still has not prevailed here.

Shafer, who spent eight months in jail for blogging about the FBI raiding his residence repeatedly, is finally going home.

How much time will be spent in prison by those who raided his home on trumped-up allegations that were so incredibly weak that the judge had to warn prosecutors not to pursue them?

Is the previous judge who violated Shafer's first amendment rights still on the bench?

Is the prosecutor whose prosecutorial descretion led him or her to take this case to court still employed? Sanctioned by the bar?

Yeah, pretty much what I thought. So, what incentive do any of those wrong-doers have for not doing this again?
[ link to this | view in chronology ]
- Anonymous Coward, 23 Mar 2018 @ 11:26am
  
  Re: Justice still has not prevailed here.
  Sometimes some of the assholes might be punished, I mean with a slap on their wrist and of course years after they have committed the crime. Maybe that's why you're wondering why they aren't punished yet. But that hope is futile, because it's all assholes down there. You might stamp out one assholes or another and all you've achieved is absolutely nothing
  [ link to this | view in chronology ]
  - Anonymous Coward, 23 Mar 2018 @ 11:57am
    
    Re: Re: Justice still has not prevailed here.
    Justice is NOT the goal of the Justice System.
    
    There seems to be some magical inverse correlation with how humans name things.
    
    Call it the Justice System and it will soon become an engine of injustice.
    
    Call it a bank, and it will soon become a tax.
    
    Call it a service, and it will soon become your master!
    [ link to this | view in chronology ]
    - Anonymous Coward, 24 Mar 2018 @ 11:03am
      
      Re: Re: Re: Justice still has not prevailed here.
      They renamed the war department the defense department.
      
      It's not the fall that kills you, it is the rapid deceleration.
      
      Double speak - lying with a straight face.
      [ link to this | view in chronology ]
- That Anonymous Coward (profile), 23 Mar 2018 @ 7:37pm
  
  Re: Justice still has not prevailed here.
  The system protects its cogs.
  [ link to this | view in chronology ]
Anonymous Coward, 23 Mar 2018 @ 12:06pm

Different Standard
"good-news-for-one-of-the-actual-good-guys"

My bar for "good news" appears to be set at a very different height than yours. The simple fact that the feds didn't rape him harder than they already had does not meet my "good" standard.
[ link to this | view in chronology ]
- An Ominous Cow Herd, 24 Mar 2018 @ 9:47am
  
  Re: Different Standard
  No kidding. Eight months in prison is insane given what happened. I used to have the utmost respect for those in law enforcement and have always been a law abiding citizen to the best of my ability, but after a few fairly negative run ins with them (like nearly being shot by one just because she was having a bad day), I now rarely leave the house unless I absolutely have to and I never ever get involved, even when I could be of assistance. It's just too dangerous, as this story aptly shows.
  [ link to this | view in chronology ]
Darrell Pruitt, 23 Mar 2018 @ 12:13pm

Boycott Patterson Dental
Don't do business with Patterson Dental, Doc

“Security Researcher At The Center Of Emoji-Gate Heading Home After Feds Drop Five Felony Charges - from the good-news-for-one-of-the-actual-good-guys dept.” By Tim Cushing for Techdirt, March 23, 2018.
https://www.techdirt.com/articles/20180322/18004339483/security-researcher-center-emoji-gate-he ading-home-after-feds-drop-five-felony-charges.shtml

As part of the plea agreement, Justin Shafer is forbidden to reveal the name of the dental software vendor who chose to turn Shafer in to the FBI for "hacking" rather than risk a HIPAA violation by admitting they carelessly left patients' identities on an anonymous FTP server – allowing access to ANYONE. Justin simply did the right thing. He reported the breach, and then spent 8 months in jail for it.

Nevertheless, I'm not forbidden to tell you that PATTERSON DENTAL COMPANY – a vindictive, sleazy corporation - tried to ruin Justin's life to hide their carelessness with Americans' privacy.

Most importantly, why did the US Department of Justice choose to protect PATTERSON DENTAL COMPANY at the expense of Shafer’s liberty?

Don’t do business with PATTERSON DENTAL COMPANY, Doc. They are assholes.

Darrell Pruitt DDS
CC: spamgroup
[ link to this | view in chronology ]
- Anonymous Coward, 23 Mar 2018 @ 1:02pm
  
  Re: Boycott Patterson Dental
  My guess is that someone who works for the FBI has a spouse working at Patterson Dental and the rights violations just write themselves from there.
  [ link to this | view in chronology ]
  - Madd the Sane (profile), 23 Mar 2018 @ 4:05pm
    
    Re: Re: Boycott Patterson Dental
    Spouse, child, aunt, uncle, nephew, prostitute…
    
    We may never really know.
    [ link to this | view in chronology ]
- Cowardly Lion, 28 Mar 2018 @ 2:54am
  
  Re: Boycott Patterson Dental
  I kind of admire the brazen cheek of Patterson Dental Company's management. In sensible parts of the world, what they did would be regarded as a serious data breach, punishable by substantial fines and/or prison sentences.
  [ link to this | view in chronology ]
Anonymous Coward, 23 Mar 2018 @ 12:26pm

Assault by smiley emoji

Mr. Shafer is pleading to a single misdemeanor of simple assault, based on his sending a Facebook direct message to an FBI Agent’s immediate relative's public Facebook account. There is no allegation of any physical contact.

Presumably (guessing here) this is a plea to simple assault under 18 USC § 115. That section is captioned, “Influencing, impeding, or retaliating against a Federal official by threatening or injuring a family member”.
[ link to this | view in chronology ]
Anonymous Coward, 23 Mar 2018 @ 12:58pm

[The judge] saw no evidence of any threat to support the felony charges and that she might rule on the defense’s motion to dismiss if the prosecution didn’t come up with some reasonable plea deal.

In other words: the judge saw that the government had no case and instead of doing her job and dismissing the case/compensating the defendant for clear constitutional violations, maneuvered said defendant into accepting a plea deal.

Got to protect that government bureaucracy.
[ link to this | view in chronology ]
Anonymous Coward, 23 Mar 2018 @ 2:14pm

Deeply wrong here
There is something deeply wrong with due process if defendants serve their entire sentence pretrial. Especially in this case where the plea-bargin was a face saving/lawsuit undermining measure.
[ link to this | view in chronology ]
- Mel, 24 Mar 2018 @ 4:33am
  
  Re: Deeply wrong here
  Trials aren't needed anymore. The investigation is the punishment.
  [ link to this | view in chronology ]
  - NitroLab (profile), 25 Mar 2018 @ 10:32am
    
    Re: Re: Deeply wrong here
    You can beat the rap, but you can't beat the ride.
    [ link to this | view in chronology ]
Uriel-238 (profile), 23 Mar 2018 @ 2:29pm

Emoji-gate?
I want this to be known as the menacing emoji affair.

☺️
[ link to this | view in chronology ]
- Anonymous Coward, 23 Mar 2018 @ 2:40pm
  
  The smiley emoji assault
  
  I want this to be known as the menacing emoji affair.
  
  From pp.3-4 of the defense press release—
  
  Frederic Jennings (Defense Counsel): “ . . . A smiley emoji, without other threatening context, cannot justify felony cyberstalking charges. . . . ”
  
  No. It's only a federal misdemeanor. Simple assault.
  
  The smiley emoji assault.
  [ link to this | view in chronology ]
- Anonymous Coward, 24 Mar 2018 @ 11:05am
  
  Re: Emoji-gate?
  Is there an emoji for that?
  [ link to this | view in chronology ]
  - Uriel-238 (profile), 24 Mar 2018 @ 11:43am
    
    gate emoji
    There's not even an emoji for a toll gateway or a logic gate, dangit!
    [ link to this | view in chronology ]
    - Anonymous Coward, 24 Mar 2018 @ 12:48pm
      
      Re: gate emoji
      I eagerly await the first illegal emoji, wonder what it will be - a dick?
      [ link to this | view in chronology ]
That One Guy (profile), 23 Mar 2018 @ 6:10pm

Thanks guys, really
I think the next time someone finds social security numbers that is considered protected health information under HIPAA they should just turn a blind eye. Nobody is going to call you a hero (except the enlightened), and you run the risk of being harassed by the FBI.

Between trying to cripple encryption, and now sending a crystal clear message that if you see something say nothing, the FBI is really working overtime to ensure the security of the american public.

As the slightly modified saying goes, 'With government agencies like these, who needs enemies?'
[ link to this | view in chronology ]
- Anonymous Coward, 23 Mar 2018 @ 6:39pm
  
  Re: Thanks guys, really
  
  … the FBI is really working overtime…
  
  FBI should have been disbanded after Hoover died in '72. Everything since then is just his ghost working overtime.
  [ link to this | view in chronology ]
tin-foil-hat, 23 Mar 2018 @ 6:12pm

Reporting Security Issues
Rather than reporting problems to the source, security researchers should just publicly release the data on a darkweb security blog.

Tech news sites like Techdirt and Ars Technica can report on the site, maybe once a week in the darkweb security report or whatever. Even if a company doesn't see it directly they will eventually hear it through the grapevine.

Companies and users would be able to address the information with less risk to the researcher.
[ link to this | view in chronology ]
Anonymous Coward, 23 Mar 2018 @ 6:35pm

FBI vs the public good
Remember kiddies, law enforcement is not there to serve the public good. The public is there to serve law enforcement (or be served to it, as the case may be).
[ link to this | view in chronology ]
That Anonymous Coward (profile), 23 Mar 2018 @ 7:43pm

So HIPPA is worthless.
The FBI doesn't give a shit when it is violated.
The other parts of the government won't enforce it, because its not terrorism related & thats the only way to get budget money.

The best part of all is they got a no contact order to protect the company that most likely still hasn't secured their shit. I'm sure they will leverage that to make him never mention them again, even if he see's the CEO murder a puppy.

Can't begin to understand why the eternally clueless FBI can't seem to grasp they declared techies public enemies & won't beat a path to their door to assist them when the thank you is getting your house raided over & over then charged... while the company that CLEARLY violated the law faces no penalties & got to use the FBI to send the message don't look at them.
[ link to this | view in chronology ]
Anonymous Coward, 24 Mar 2018 @ 11:07am

It takes a good guy with an emoji to stop a bad guy with an emoji
[ link to this | view in chronology ]
mik, 25 Mar 2018 @ 1:10am

Where does the FBI recruit people who are willing and able to stand in court and spout the type of rubbish required to mount a case like this. I mean dont these agents have even the smallest amount of professionalism or intelligence. To often you see Americans supporting their law enforcement services like they are paragons of virtue when even the most cursory of glances shows they are groupings of people too fucking stupid to get a real job.
[ link to this | view in chronology ]
- Wolfie0827 (profile), 25 Mar 2018 @ 8:12am
  
  Re:
  It's not just LEO, government offices/employees were started to give the "special" people a place to "work" and feel like they are contributing to society.
  
  Or at least that is the way it seems.
  [ link to this | view in chronology ]
NitroLab (profile), 25 Mar 2018 @ 10:25am

Federal Bureau of Imbeciles. What a bunch of morons in that worthless, corrupt agency.
[ link to this | view in chronology ]
- That One Guy (profile), 26 Mar 2018 @ 1:49am
  
  'Maybe seeing you the next person will keep his/her mouth shut.'
  Oh no, stupidity would have been preferable, this was out and out vindictive maliciousness. 'You dared question us, dared stand up to us, so we're bringing the hammer down to make an example out of you.'
  [ link to this | view in chronology ]