from the our-tax-dollars-at-work dept
So, here's a fun one. Back in May, the Justice Department -- apparently lacking anything better to do with its time -- sent a subpoena to Twitter, demanding a whole bunch of information on a five Twitter users, including a few names that regular Techdirt readers may be familiar with:
If you can't see that, it's a subpoena asking for information on the following five Twitter users: @dawg8u ("Mike Honcho"), @abtnatural ("Virgil"), @Popehat (Ken White), @associatesmind (Keith Lee) and @PogoWasRight (Dissent Doe). I'm pretty sure we've talked about three of those five in previous Techdirt posts. Either way, they're folks who are quite active in legal/privacy issues on Twitter.
And what info does the DOJ want on them? Well, basically everything:
- Names (including subscriber names, user names, and screen names);
- Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
- Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol ("IP") addresses) associated with those sessions;
- Length of service (including start date) and types of service utilized;
- Telephone or instrument numbers (including MAC addresses, Electronic Serial Numbers ("ESN"), Mobile Electronic Identity Numbers ("MEIN"), Mobile Equipment Identifier ("MEID"), Mobile Identification Numbers ("MIN"), Subscriber Identity Modules ("SIM"), Mobile Subscriber Integrated Services Digital Network Numbers ("MSISDND"), International Mobile Subscriber Identifier ("IMSI"), or International Mobile Equipment Identities ("IMEI"));
- Other subscriber numbers or identities, or associated accounts (including the registration Internet Protocol ("IP") address);
- Means and source of payment for such service (including any credit card or bank account number) and billing records.
That's a fair bit of information. Why the hell would the DOJ want all that? Would you believe it appears to be over a single tweet from someone to each of those five individuals that consists entirely of a smiley face? I
wish I was kidding. Here's
the tweet and then I'll get into the somewhat convoluted back story. The tweet is up as I write this, but here's a screenshot in case it disappears:
And, just to make it clear, here are all the users "in the conversation" on that tweet (since Twitter now buries at least some of that information):
You'll note that all of the names are the same names as listed in the subpoena above (as a point of clarification, the four users listed below were already in the conversation, so their metadata gets swept along, and then the tweeter, Justin Shafer, is also adding in @PogoWasRight to the conversation).
So, who is Justin Shafer, and what the hell is all of this about? Buckle up, because it'll take a bit of background to get around to this tweet (and, yes, it will still feel very, very, stupid that this subpoena was ever issued). First up: Justin Shafer is a security researcher, who has some history spotting bad encryption. Go back to 2013 and he had spotted a weak not really "encryption" standard put out by Faircom. Once it was called out as weak, vulnerable and not really encryption, Faircom rebranded it from the "Faircom Standard Encryption" to "Data Camouflage" since the reporting by Shafer showed that it wasn't really encryption at all -- but just a weak attempt at obfuscation.
Fast forward to late 2013, when a dentist named Rob Meaglia alerted some of his patients that a computer was stolen from his offices with "medical records and dental insurance information." But, Dr. Meaglia told his patients that the records system they were using, Dentrix, made by a company called Henry Schein, Inc., had all of that data encrypted. Except it appeared that Dentrix was actually using Faircom's "Data Camouflage" and not actual encryption. And, as that link notes, Henry Schein, Inc. had been informed of this problem months earlier, around the time Faircom admitted it wasn't actual encryption.
In May of 2016, the FTC announced a settlement with Henry Schein, Inc. over the claim that it "falsely advertised the level of encryption it provided to protect patient data." Kudos to Justin Shafer.
But, literally days later, the FBI was raiding Justin Shafer's home and taking all of his computers. This was not specifically about the Harry Schein case, but since Shafer had continued to investigate poor data security practices involving dentists, he'd come across an FTP server operated by another dental software company, Patterson Dental, which makes "Eaglesoft," a dental practice management software product. Shafer had discovered an openly available anonymous FTP server with patient data. Shafer did the right thing as a security researcher, and alerted Patterson. However, rather than thanking Shafer for discovering the server they had left with patient data exposed, Patterson Dental argued that Shafer had violated the CFAA in accessing the open anonymous FTP server. Hence the FBI raid.
Not surprisingly, Shafer was none too pleased with the FBI's decision to raid his home and take all of his electronics. In particular, it appears he was especially annoyed with FBI Special Agent Nathan Hopp (who he initially believed was actually Nathan "Hawk.")
Fast forward to March of this year, to an entirely different story: the FBI arresting John Rivello for "assaulting" journalist Kurt Eichenwald with a tweet. If you follow Techdirt related stuff, you probably remember that whole story. Lots of people, including us, posted the criminal complaint that was put together by one Nathan Hopp, a special agent at the FBI.
It appears that the Rivello arrest and subsequent news coverage suddenly alerted Shafer to the fact that "Nathan Hawk" was actually "Nathan Hopp" and Shafer began a bit of an open source "investigation" on Twitter. I wouldn't necessarily call the following tweets "smart," but Shafer, finally aware of the FBI agent who lead the raid on his house, started trying to find any public info on Hopp -- and his family. Now, searching out his family isn't great. But it does appear that he was just looking up publicly available information:
At this point, the FBI decided to start protecting its own. Seeing as the guy whose home the FBI had ridiculously raided a year earlier was now tweeting some info about one of its special agents, the FBI started putting together a new criminal complaint arguing that all of the tweets above amounted to "Cyber Stalking" under 18 USC 2216A. This seems like a huge stretch, because that law requires "intent to kill, injure, harass, intimidate, or place under surveillance...."
Either way, about the time all of this was happening, Ken "Popehat" White had started another Twitter thread about the Rivello arrest, leading Virgil and Keith Lee to respond about the criminal complaint, eventually leading Mike Honcho to note "Nathan Hopp is the least busy FBI agent of all time." It is to that tweet that Shafer replies with his smiley emoji and adds or cc's, Dissent Doe to the conversation:
And that takes us to 10 days later, when a new criminal complaint against Shafer is issued*, arguing that those tweets were criminal Cyber Stalking. And because part of that included his smiley emoji in response to the Popehat thread/Honcho tweet, the DOJ felt it necessary to issue a subpoena demanding basically all info on those 5 Twitter users (including Popehat, a former Assistant US Attorney whose info is pretty easy to find on Google). Perhaps the FBI somehow thinks that Shafer was really behind those other accounts or something -- but anyone with even the slightest level of competence should realize that's unlikely -- and that's got nothing to do with anything here anyway.
* As an aside, look closely at that criminal complaint against Shafer. I have no idea why but it appears that the FBI/DOJ is so clueless that rather than submitting the final complaint, they actually submitted the copy showing the "comments" on the Word doc they were using to prepare the complaint -- which shows two comments that both suggest the FBI is well aware that this complaint is weak sauce and probably doesn't meet the standard under the law... but this story is crazy enough without spending too much time on that.
Twitter is apparently fighting back against this subpoena. And even though it was issued back in May, a few days ago, the company alerted the individuals that the DOJ was demanding info on. Dissent Doe has already stated publicly a plan to move to quash the subpoena as well, and I wouldn't be surprised to see the others named take similar steps.
But, really, take a step back and everything about this situation is crazy. Going after Shafer the first time was crazy. Going after him again for supposed "Cyber Stalking" over a few harmless tweets was clearly just the FBI trying to protect its own from being embarrassed online. Then, to subpoena a ton of info on 5 totally unrelated Twitter users... just because Shafer tweeted a smiley face emoticon at them? What the fuck is the DOJ up to? Doesn't Assistant US Attorney Douglas Gardner, who signed the subpoena, have better things to do with his time, like going after actual criminals, rather than harassing people for tweeting?
Filed Under: cfaa, cyberstalking, dissent doe, doj, douglas gardner, emoji, encryption, fbi, fbi raid, justin shafer, keith lee, ken white, nathan hopp, pogowasright, popehat, subpoena, tweets
Companies: henry schein, patterson dental, twitter