DHS Subpoenas Twitter For New Zealand Security Researcher's Info
from the instead-of-addressing-the-problem,-we'll-go-after-the-people-talking-about-i dept
Over the weekend, Zack Whittaker of ZDNet reported a New Zealand security researcher has somehow earned the unwanted attention of DHS and ICE.
Homeland Security has served Twitter with a subpoena, demanding the account information of a data breach finder, credited with finding several large caches of exposed and leaking data.
The New Zealand national, whose name isn't known but goes by the handle Flash Gordon, revealed the subpoena in a tweet last month.
Flash Gordon secured the assistance of the EFF to challenge the subpoena, but apparently that effort failed. This leaves everyone with the unanswered question as to why DHS/ICE are seeking the researcher's identifying info.
As Whittaker notes, the researcher has discovered and reported several data breaches. One in particular might have drawn the attention of the feds: the exposure of a law enforcement training database.
The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law Enforcement Rapid Response Training -- known as ALERRT -- at Texas State University.
The database dates back to April 2017 and was uploaded a year later to a web server, believed to be owned by the organization, with no password protection.
This would be the sort of thing the US government notices, even if it's only interested in prosecuting the messenger. PII belonging to law enforcement officers is considered to be the most sacrosanct of data, and anyone exposing a government contractor's careless handling of it is likely to find themselves targeted by federal agents.
But this is all conjecture at this point. Flash Gordon only knows the government has demanded his info and is likely to receive it soon, if it hasn't already. The involvement of DHS and ICE is still strange, as a breach involving US law enforcement personnel would normally be handled by the FBI.
As Dissent Doe points out in her coverage at Databreaches.net, it could have something to do with the expansive definition of "export," which covers information as well as physical goods. That's actual ICE territory -- its less-controversial export control function. It's illegal to export "controlled" info and tech, so the researcher's New Zealand locale could provide a nexus for criminal charges, but only if you're willing to suspend reality during the charging process. Doe asks:
But how would that apply to this situation? There is no U.S. individual here who is exporting information to a non-U.S. person, is there?
If this has anything to do with the multiple US-based breaches Flash Gordon has reported, the information has traveled from US companies to US journalists via a New Zealand intermediary. If Gordon has downloaded a copy of the breach's contents, the same thing applies: the info shared with US journalists was "exported" from New Zealand to the US. The only possibility left is this: the government wants to treat a New Zealand researcher's acquisition of breach data from US companies as an illegal "export" of controlled info.
Unfortunately for the researcher, the DOJ has engaged in some highly-questionable prosecutions based on highly-questionable interpretations of US law. It seems when tech/data is involved, common sense is the first victim. It hasn't always been successful in its novel interpretations of these laws, but every federal prosecution has the potential to completely destroy the target's life -- even if it ends in a dismissal or verdict in the defendant's favor.
The last possibility is this: it's just a fishing operation meant to deter Gordon and others like him from searching for breaches and turning this data over to journalists. If the US government obtains identifying info, it can simply retain the info indefinitely as an implicit threat, pushing Gordon to pursue "safer" careers and hobbies. This won't make anyone else any safer, but it will at least spare the government and its contractors further embarrassment.
Filed Under: dhs, flash gordon, security breach, security research, subpoena
Companies: twitter
Reader Comments
going underground
They are lucky "Flash" got there first and not a terrorist group or someone who just wanted to sell the data on the dark web ... though of course who knows if "Flash" was the first finder, someone of more evil intent may have grabbed the data - finding unsecured data on the web is not that difficult.
If ICE try to indict "Flash" all it will do is make whistleblowers not reveal what they have found - so the data has more chance of being found by "bad guys" - or in worst case a security researcher realising they will be prosecuted for finding the data (and so no chance to monetize via increasing their security reputation (& thus chargeable rates) / getting bug bounties) will themselves be tempted to sell the data on the dark web to help pay their bills.
There is a good reason "don't shoot the messenger" is an old but important cliche.
[ link to this | view in chronology ]
Re:
...Twitter has no private info on him. Can you sign up and use Twitter over Tor, without giving a phone number or email address? (If not, they're putting people at risk, including from worse governments than the USA's.)
[ link to this | view in chronology ]
Also considering that the US government claims world wide legal jurisdiction (so does Spain and the complete EU) under the psychology of universal justice that makes any exposure of these procedures a US crime regardless of the citizenship or location of the individual performing the action.
The only conclusion is that anybody dumb enough to expose such information in a form that can be in any way traced back to them (and on the internet that is any way at all) is a DAMN FOOL.
[ link to this | view in chronology ]
Import/export of info
In other words, it's illegal to speak certain things across an international border. Cryptographers had some success claiming this as a 1st-amendment violation in Crypto Wars 1.0, when they printed their "controlled info" in a book and mailed the book; the government didn't and still doesn't fully recognize digital info as speech.
We should expect this view to be harmful in the future, especially once ICE realizes they can control the import of info and decides to set up a Great Firewall of America (perhaps Mexico will pay for it). You've gotta stop illegal transmission of copyrighted stuff, right?
[ link to this | view in chronology ]
Maybe someone in the U.S. govt thinks that Flash didn't discover the data breach on his own, but that rather a whistleblower tipped him off? A U.S. whistleblower telling someone outside the U.S. could be considered to be "exporting" the information.
[ link to this | view in chronology ]
Re: power
Subpoena is a judicial authority only... and all judicial powers reside only in the Federal Judicial Branch.
DHS/ICE "Administrative Subpoenas" are absolutely non-constitutional, but nobody cares.
Recipients of administrative subpoenas can file a motion in federal court to throw out the subpoena, but the "accepted" standard for court review is highly biased to the government side. Basically, a Federal executive agency only has to show that the information sought is necessary for the performance of the agency’s official duties. This court standard is so lax that one US Supreme Court decision said administrative subpoenas can be issued based merely on “official curiosity”. Of course this vaporizes the 4th Amendment.
[ link to this | view in chronology ]
Doesn't sound like a good outcome for anybody. We should instead be protecting these guys.
[ link to this | view in chronology ]
Reward
[ link to this | view in chronology ]
the DOJ has engaged in some highly-questionable prosecutions based on highly-questionable interpretations of US law. It seems when tech/data is involved, common sense is the first victim.
Common Sense has the worst luck. Avoids law enforcement like the plague, and still gets its ass kicked on a regular basis.
[ link to this | view in chronology ]
“Flash Gordon”
[ link to this | view in chronology ]
the CGIS database under the radar
The FBI's CGIS database, now controlled by a French company, and formerly in the hands of 3M, was compromised by a racist sectarian Obama cultist who utilized DHS connections to attempt to subvert the presidential election.
Oooops....inside information alert: Pasadena, CA police were quick to frame it as anything but insider trading, and DHS quickly ran a behind the scenes narrative, framing the whistle blower in classic ADL terms: racist, liar, undependable~despite a service record of total company loyalty and diligence.
The good news? It took a year, but those responsible are all now fired.
Sadly, no federal charges, because FBI/DHS snitch culture protects its own......rats.
[ link to this | view in chronology ]
oh, alright...CJIS...
[ link to this | view in chronology ]
Re:
Perhaps, but going after them would take work. Much easier to go after the obvious target and chill anyone who might air the dirty laundry of their betters in the process.
[ link to this | view in chronology ]