PHI Data Breach Warrior in Hot Water – Big Government Over Reach?

Justin Shafer & Family

“A friend of mine was released from unlawful confinement today. I’m a happy man” – Darrell Pruitt

Riskmanagers.us: This article was sent to us by Darrell Pruitt:

Security researcher released; had been jailed 8 months while awaiting trial on charges of cyberstalking an FBI agent

Posted by Dissent at 6:57 pm Commentaries and AnalysesOf Note Add comments

Dec 01 2017

After almost eight months in pre-trial detention on charges of cyberstalking a Dallas FBI agent, Texas dental integrator and independent security researcher Justin Shafer got to go home tonight after a federal judge agreed with Shafer’s lawyer who appealed the revocation of Shafer’s pre-trial release.

Shafer had been jailed since earlier this year on charges that he allegedly cyberstalked an FBI agent and the agent’s family. A grand jury had indicted him on charges of violating 18 U.S. Code § 119 and 18 U.S. Code § 2261. Although he had originally been released with conditions to await trial, when he blogged about the matter despite a ban on using social media, his release was revoked.

But as U.S. District Judge David Godbey explained during today’s hearing in Dallas, Shafer can blog while awaiting trial. He can even criticize the FBI agent or the government, and he can even call a judge “stupid.” What he can’t do is reveal personally identifiable information about the FBI agent or their family members or encourage others to contact or harass the FBI agent, their family, a judge, and court personnel. And so Judge Godbey released Shafer, with revised conditions. The conditions of Shafer’s release can be found here.

The conditions document appears a bit confusing as it seems to both prohibit and allow access to a computer. According to Shafer’s attorney, Tor Ekeland, Shafer can use a computer for work and he can blog. He must meet the conditions for using – and not using – the computer as indicated in part (u) of the document.

But why was Shafer arrested and charged with cyberstalking?  As DataBreaches.net has explained in previous articles, Shafer’s trouble with the FBI appears to have stemmed from the fact that he uncovered and exposed inadequate security in dental patient management software and he uncovered and exposed firms that were leaking patients’ protected health information (PHI) on public FTP servers.  Rather than owning up to their failures, some entities attempted to blame Shafer for their failures or data leaks. And to that end, at least one seems to have tried to get the FBI to charge Shafer as a hacker under the federal Computer Fraud and Abuse Act (CFAA).

The FBI never found any evidence that resulted in hacking charges against Shafer.

So what do you do if you want to charge someone criminally but there’s just no evidence to support criminal charges?  Well, maybe you keep raiding your target. But if you expect your target to just docilely accept repeated raids, removal of their property and alleged damage to their property, you don’t know Shafer.

Shafer complained vocally online about those involved in what he perceived as harassment. And there’s absolutely nothing illegal about him complaining, especially when you consider that when you’re criticizing a federal agent in the performance of their federal duties, you are talking about a public figure.

But when the case goes to trial in January, there may be some additional charges that Shafer will face. The prosecution reportedly will be filing a superseding indictment next week that includes charges that Shafer allegedly also cyberstalked a judge and court personnel. And if those charges are filed, then Judge Godbey may have to recuse himself and the case may have to be moved to a different district.

If you’re a tad confused by the sudden addition of these charges after so many months, you are not alone. Is it really any kind of “stalking” if you send someone a few messages during one – and only one – 24-hour period? And even if it is, why are federal prosecutors first adding on these charges that could have been filed back in March or April? Are they piling on now because they hope to intimidate Shafer into taking a plea deal?

Shafer’s attorney declined to speculate as to the prosecution’s motives for the superceding charges, but there has been no evidence that Shafer has engaged in any physical assault or violence.

So what line did his speech cross – exactly where – that turned his speech from protected speech into criminal conduct? Can you show me that line? Was it posting someone’s name and address — information that’s freely available online in whitepages? What exactly did Shafer write or tweet that constitutes criminal conduct? Is “doxing” equivalent to cyberstalking, or is doxing only a crime if you are revealed a protected address for a law enforcement official, etc.?

DataBreaches.net realizes that the views expressed above will not endear this site to the Dallas FBI. I’m sure there are many fine agents in the Dallas FBI, but on this matter, I firmly oppose the agency’s actions. This site and this blogger have collaborated with Shafer since 2013. Over the past four years, I have had multiple opportunities to observe how Shafer behaves when he’s frustrated by regulators’ failure to protect patient data or to hold entities accountable for protecting patient data. I have seen him become verbally obnoxious to employees of federal agencies.  I have seen him become verbally abusive to me and keep hammering me with caustic emails or direct messages until I either mute him or block him for a while.

And I have seen him get so angry at me that he actually outed me publicly on Twitter. He subsequently regretted his actions and deleted the tweets, but still, if he could get so angry and obsessive in attacking one person who had helped him expose data leaks and who had helped him successfully get the Federal Trade Commission to take action against one business, what does that tell you about his passion for protecting patient data?

The Dallas FBI went after someone who was donating his time and energy to protect patient data  and to improve the security of software for patient management.  What the DOJ has done to Shafer is just flat out wrong.  And Shafer’s case should concern every individual and every organization that cares about protecting the First Amendment from erosion.

It’s time for libertarians and conservatives to remember that a strong First Amendment is one of our most powerful weapons against government overreach. And a strong First Amendment is one of our most powerful weapons against feel-good liberals who are increasingly trying to quash speech that they do not agree with or that results in “hurt feelz.”

Today, in Dallas, Judge Godbey protected the First Amendment by releasing Shafer and properly acknowledging that Shafer has the right to express his opinions on his blog. Between now and Shafer’s trial, I hope the ACLU, EFF, and other organizations who purport to care about the First Amendment get involved send a clear message that the First Amendment protects vigorous – even obnoxious speech.

If we do not defend Shafer when the government and businesses try to shoot the messenger, who will be left to defend you when you speak up to expose breaches or vulnerabilities?

Related Posts: