DHS Subpoenas Twitter For New Zealand Security Researcher's Info

from the instead-of-addressing-the-problem,-we'll-go-after-the-people-talking-about-i dept

Over the weekend, Zack Whittaker of ZDNet reported a New Zealand security researcher has somehow earned the unwanted attention of DHS and ICE.

Homeland Security has served Twitter with a subpoena, demanding the account information of a data breach finder, credited with finding several large caches of exposed and leaking data.

The New Zealand national, whose name isn't known but goes by the handle Flash Gordon, revealed the subpoena in a tweet last month.

Flash Gordon secured the assistance of the EFF to challenge the subpoena, but apparently that effort failed. This leaves everyone with the unanswered question as to why DHS/ICE are seeking the researcher's identifying info.

As Whittaker notes, the researcher has discovered and reported several data breaches. One in particular might have drawn the attention of the feds: the exposure of a law enforcement training database.

The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law Enforcement Rapid Response Training -- known as ALERRT -- at Texas State University.

The database dates back to April 2017 and was uploaded a year later to a web server, believed to be owned by the organization, with no password protection.

This would be the sort of thing the US government notices, even if it's only interested in prosecuting the messenger. PII belonging to law enforcement officers is considered to be the most sacrosanct of data, and anyone exposing a government contractor's careless handling of it is likely to find themselves targeted by federal agents.

But this is all conjecture at this point. Flash Gordon only knows the government has demanded his info and is likely to receive it soon, if it hasn't already. The involvement of DHS and ICE is still strange, as a breach involving US law enforcement personnel would normally be handled by the FBI.

As Dissent Doe points out in her coverage at Databreaches.net, it could have something to do with the expansive definition of "export," which covers information as well as physical goods. That's actual ICE territory -- its less-controversial export control function. It's illegal to export "controlled" info and tech, so the researcher's New Zealand locale could provide a nexus for criminal charges, but only if you're willing to suspend reality during the charging process. Doe asks:

But how would that apply to this situation? There is no U.S. individual here who is exporting information to a non-U.S. person, is there?

If this has anything to do with the multiple US-based breaches Flash Gordon has reported, the information has traveled from US companies to US journalists via a New Zealand intermediary. If Gordon has downloaded a copy of the breach's contents, the same thing applies: the info shared with US journalists was "exported" from New Zealand to the US. The only possibility left is this: the government wants a New Zealand researcher's acquisition of breach data from US companies to be considered an illegal "export" of controlled info.

Unfortunately for the researcher, the DOJ has engaged in some highly-questionable prosecutions based on highly-questionable interpretations of US law. It seems when tech/data is involved, common sense is the first victim. It hasn't always been successful in its novel interpretations of these laws, but every federal prosecution has the potential to completely destroy the target's life -- even if it ends in a dismissal or verdict in the defendant's favor.

The last possibility is this: it's just a fishing operation meant to deter Gordon and others like him from searching for breaches and turning this data over to journalists. If the US government obtains identifying info, it can simply retain the info indefinitely as an implicit threat, pushing Gordon to pursue "safer" careers and hobbies. This won't make anyone else any safer, but it will at least spare the government and its contractors further embarrassment.


Filed Under: dhs, flash gordon, security breach, security research, subpoena
Companies: twitter


Reader Comments

  • Anonymous Coward, 6 Jul 2018 @ 3:54am

    going underground

    Someone ("Flash") is doing the feds a public service by pointing out sensitive data is there for anyone to steal.
    They are lucky "Flash" got there first and not a terrorist group or someone who just wanted to sell the data on the dark web ... though of course who knows if "Flash" was the first finder, someone of more evil intent may have grabbed the data - finding unsecured data on the web is not that difficult.
    If ICE try to indict "Flash" all it will do is make whistleblowers not reveal what they have found - so the data has more chance of being found by "bad guys" - or in worst case a security researcher realising they will be prosecuted for finding the data (and so no chance to monetize via increasing their security reputation (& thus chargeable rates) / getting bug bounties) will themselves be tempted to sell the data on the dark web to help pay their bills.

    There is a good reason "don't shoot the messenger" is an old but important cliche.

  • Anonymous Coward, 6 Jul 2018 @ 4:04am

    If flash has any sense, he has just struck the US and any place that are too friendly with it as places to visit or live. Given what is happening with Kim Dotcom, I wonder where his new home will be.

    • I.T. Guy, 6 Jul 2018 @ 4:23am

      Re:

      I was thinking that too. DotCom needs to lose a pound or a hundred and disappear. This guy should too.

    • Anonymous Coward, 6 Jul 2018 @ 4:55am

      Re:

      If flash has any sense

      ...Twitter has no private info on him. Can you sign up and use Twitter over Tor, without giving a phone number or email address? (If not, they're putting people at risk, including from worse governments than the USA's.)

      • Anonymous Coward, 6 Jul 2018 @ 6:18am

        Re: Re:

        Have you not been following the effort that the US will put into capturing someone they have taken a dislike to? Twitter will not be the only port of call in the effort to unmask the Flash.

  • Anonymous Coward, 6 Jul 2018 @ 4:42am

    Considering that the biggest baddest generator of internet malfeasance is the US NSA it is very likely what is happening is that these so called security issues are really NSA exploits the person who exposes such faults is really exposing methods and procedures the NSA uses to subvert computers.

    Also considering that the US government claims world wide legal jurisdiction (so does Spain and the complete EU) under the psychology of universal justice that makes any exposure of these procedures a US crime regardless of the citizenship or location of the individual performing the action.

    The only conclusion is that anybody dumb enough to expose such information in a form that can be in any way traced back to them (and on the internet that is anyway at all) is a DAMN FOOL.

  • Anonymous Coward, 6 Jul 2018 @ 4:53am

    Import/export of info

    It's illegal to export "controlled" info

    In other words, it's illegal to speak certain things across an international border. Cryptographers had some success claiming this as a 1st-amendment violation in Crypto Wars 1.0, when they printed their "controlled info" in a book and mailed the book; the government didn't and still don't fully recognize digital info as speech.

    We should expect this view to be harmful in the future, especially once ICE realizes they can control the import of info and decides to set up a Great Firewall of America (perhaps Mexico will pay for it). You've gotta stop illegal transmission of copyrighted stuff, right?

  • Anonymous Coward, 6 Jul 2018 @ 5:03am

    Between Dotcom and this, I wonder if DHS/ICE is looking to establish an official presence in NZ so they can go somewhere exotic for their duty stations and travels.

  • Matthew Cline, 6 Jul 2018 @ 5:05am

    But how would that apply to this situation? There is no U.S. individual here who is exporting information to a non-U.S. person, is there?

    Maybe someone in the U.S. govt thinks that Flash didn't discover the data breach on his own, but that rather a whistleblower tipped him off? A U.S. whistleblower telling someone outside the U.S. could be considered to be "exporting" the information.

  • Anonymous Coward, 6 Jul 2018 @ 5:22am

    no good deed goes unpunished, as they say! obviously, DHS and ICE have been caught not securing their data and now don't like the fact being exposed. in retaliation, in true USA security forces and companies fashion, the person who discovered this fact will be thrown into a USA prison after being found guilty of breaching the defenses himself. we all know that the USA hates to be found guilty of anything, always laying the blame for everything it fucks up on to anyone and everyone possible. as for NZ, it's so shit scared of the USA, it just bends over and grabs ankles at the slightest excuse needed, including trumping up methods of getting Dotcom extradited!! fucking disgraceful!!

    • 6 Jul 2018, 6 Jul 2018 @ 7:57am

      Re: power

      ... the core "legal issue" here is government "subpoena Power" -- the Executive Branch & Congressional branch of US Federal Government have NO subpoena authority at all under the Constitution. DHS/ICE have no subpoena power.

      Subpoena is a judicial authority only... and all judicial powers reside only in the Federal Judicial Branch.

      DHS/ICE "Administrative Subpoenas" are absolutely non-constitutional, but nobody cares.

      Recipients of administrative subpoenas can file a motion in federal court to throw out the subpoena, but the "accepted" standard for court review is highly biased to the government side. Basically, a Federal executive agency only has to show that the information sought is necessary for the performance of the agency’s official duties. This court standard is so lax that one US Supreme Court decision said administrative subpoenas can be issued based merely on “official curiosity”. Of course this vaporizes the 4th Amendment.

  • Anonymous Coward, 6 Jul 2018 @ 5:58am

    Out of curiosity, does a Twitter post disclose, or contain info enabling one to determine, the location from where it originates?

  • Ninja, 6 Jul 2018 @ 6:00am

    So the message is: if you are a security researcher, hide behind several layers of anonymity and protection (TOR, VPN, Proxies etc) and just dump everything in the wild to cause as much mayhem as possible so 1- the responsible for the problem will be forced to fix it and 2- you'll be protected.

    Doesn't sound like a good outcome for anybody. We should instead be protecting these guys.

  • Capt ICE Enforcer, 6 Jul 2018 @ 6:45am

    Reward

    I am sure the US is only looking to give Flash a reward. Maybe a 3 month subscription to HBO. Or maybe the complete series of Mr. Robot.

  • stderric, 6 Jul 2018 @ 10:33am

    the DOJ has engaged in some highly-questionable prosecutions based on highly-questionable interpretations of US law. It seems when tech/data is involved, common sense is the first victim.

    Common Sense has the worst luck. Avoids law enforcement like the plague, and still gets its ass kicked on a regular basis.

  • Ken Martin, 7 Jul 2018 @ 7:58am

    “Flash Gordon”

    Once DHS and ICE know “Flash’s” identity, he may end up shackled in front of a judge in the US, and sentenced to a lengthy period at the expense of American taxpayers. He has been a tad unwise. Barbaric. Decades later, he may see his homeland. Then again, he may die in prison. Still, it was much the same under Obama. It amazes me people want to immigrate to the US. Right now, I would not even visit. Since 9/11, the US has been an angry and paranoid nation who treat aliens badly.

  • SGOR, 7 Jul 2018 @ 10:26am

    the CGIS database under the radar

    These databases-all of them- are overseen by partisan morons.

    The FBI's CGIS database, now controlled by a French company, and formerly in the hands of 3M, was compromised by a racist sectarian Obama cultist who utilized DHS connections to attempt to subvert the presidential election.

    Oooops....inside information alert: Pasadena, CA police were quick to frame it as anything but insider trading, and DHS quickly ran a behind the scenes narrative, framing the whistle blower in classic ADL terms: racist, liar, undependable~despite a service record of total company loyalty and diligence.


    The good news? It took a year, but those responsible are all now fired.

    Sadly, no federal charges, because FBI/DHS snitch culture protects its own......rats.

  • SGOR, 7 Jul 2018 @ 11:10am

    oh, alright...CJIS...

    CJIS, for the win...when playing stupid no longer gets the message across.....

  • Anonymous Coward, 8 Jul 2018 @ 11:30pm

    So, if "Exporting" this information is the issue, wouldn't the parties that uploaded it to the internet be responsible for the illegal export?

    • That One Guy, 9 Jul 2018 @ 2:23am

      Re:

      Perhaps, but going after them would take work. Much easier to go after the obvious target and chill anyone who might air the dirty laundry of their betters in the process.
