Security Researchers Sued For Exposing Internet Filtering Company's Sale Of Censorship Software To Blacklisted Country

from the 'you're-making-us-look-bad'-said-company-caught-looking-bad dept

Nothing says “Please stop keep talking about the bad stuff we do” quite like a bogus defamation lawsuit. Citizen Lab, which has reported on a great number of tech companies that are less than discriminating in their selection of customers (think Hacking Team), has been served with a lawsuit by a purveyor of internet censorship software.

On January 20, 2016, Netsweeper Inc., a Canadian Internet filtering technology service provider, filed a defamation suit with the Ontario Superior Court of Justice. The University of Toronto and myself were named as the defendants. The lawsuit in question pertained to an October 2015 report of the Citizen Lab, “Information Controls during Military Operations: The case of Yemen during the 2015 political and armed conflict,” and related comments to the media. Netsweeper sought $3,000,000.00 in general damages; $500,000.00 in aggravated damages; and an “unascertained” amount for “special damages.”

Netsweeper apparently was less than amused by Citizen Lab’s insistence on reporting facts, including the nasty one about it supplying internet filtering software to a country whose government has been blacklisted by the United Nations. You know, things like this:

The research confirms that Internet filtering products sold by the Canadian company Netsweeper have been installed on and are presently in operation in the state-owned and operated ISP YemenNet, the most utilized ISP in the country.

Netsweeper products are being used to filter critical political content, independent media websites, and all URLs belonging to the Israeli (.il) top-level domain.

These new categories of censorship are being implemented by YemenNet, which is presently under the control of the Houthis (an armed rebel group, certain leaders and allies of which are targeted by United Nations Security Council sanctions).

Netsweeper was given a chance to defend itself against Citizen Lab’s allegations before the report was made public.

We sent a letter by email directly to Netsweeper on October 9, 2015. In that letter we informed Netsweeper of our findings, and presented a list of questions. We noted: “We plan to publish a report reflecting our research on October 20, 2015. We would appreciate a response to this letter from your company as soon as possible, which we commit to publish in full alongside our research report.”

Netsweeper never replied.

Rather than meet the situation head on, Netsweeper chose to hang back and lob a lawsuit at Citizen Lab after it published its report. Fortunately for the security researchers, Netsweeper has chosen to drop its lawsuit entirely, possibly because pursuing the questionable defamation claims would have put it up against Ontarios’s version of anti-SLAPP laws: the Protection of Public Participation Act.

The world of security research is still a dangerous place. When researchers aren’t being arrested for reporting on their findings, they’re being sued for exposing security flaws and highly-questionable behavior. It’s a shame there aren’t more built-in protections for researchers, who tend to receive a lot of legal heat just for doing their job.

Filed Under: , , , , ,
Companies: citizen lab, netsweeper

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Security Researchers Sued For Exposing Internet Filtering Company's Sale Of Censorship Software To Blacklisted Country”

Subscribe: RSS Leave a comment
25 Comments
Anonymous Coward says:

Typical behavior by Netsweeper

Keep in mind that there’s no money too dirty for the sociopaths at Netsweeper. They’ve been peddling their censorware to dictators and thugs for years:

The Booming Business of Internet Censorship
and
Sweeping Rights Aside: Ottawa, Pakistan and Netsweeper
and
When a Canadian company decides what citizens in the Middle East can access online
among others

Anonymous Coward says:

“It’s a shame there aren’t more built-in protections for researchers, who tend to receive a lot of legal heat just for doing their job.”

An as-yet unsolved problem is everyone, including black-hat hackers, can say they are “security researchers” entitled to exceed reasonable and authorized levels of access to Internet-connected systems.

The law does not distinguish between researchers who have incorporated as businesses and are ostensibly working for the public good, those independent “researchers” who offer zero-days for ransom, hostile nations, pranksters, and others up to no good. Regardless of what moral high ground the white-hats and some grey-hats may be on, no one has the legal right to harm businesses by poking around and disclosing vulnerabilities. From the point of view of the hacked companies, these people are all uninvited burglars who keep trying all the windows and doors, moving in shadows and seeing what items of value might be left lying about and seeing what trouble they can stir up.

I don’t sympathize with those who sue or prosecute instead of rewarding the white-hats who really are just doing security research, but I also don’t see the “security research” industry doing anything to legitimize and distinguish itself in a way that protects it from CFAA abuse, SLAPP, and so on. If you want to make progress on this issue, come up with a code of ethics, a list of things you can and can’t do in the course of “research”, and discuss how the law can be changed to protect those researchers who work for the public good, without giving a free pass to the malicious ones.

Cynosura says:

Re: Re:

I don’t sympathize with those who sue or prosecute instead of rewarding the white-hats who really are just doing security research,

You sure could have fooled me.

I also don’t see the “security research” industry doing anything to legitimize and distinguish itself in a way that protects it from CFAA abuse, SLAPP, and so on.

Maybe they need to be “regulated” in some way to ensure that they don’t step on the wrong toes, huh?

That One Guy (profile) says:

Re: Re: Re:

If the white hats don’t find it the black hats will, and if the white hats are scared off from reporting by threats of what happens to anyone who exposes system/security vulnerabilities then the first a company is likely to learn about a vulnerability is when someone exploits it maliciously, rather than just for research/investigation purposes.

PaulT (profile) says:

Re: Re: Re: Re:

Exactly, which is why this is so problematic. White hat finds a vulnerability = company is notified and given a chance to fix it before the public is notified. Black hat finds it = zero day exploit sold to highest bidder, everyone has an incentive never to advise the company or the public.

This is why it’s important to allow genuine researchers to continue without fear of prosecution. The bad guys are going to be doing it with or without the help of a handy excuse, and you make everyone less safe by attacking the messengers who inform you of your problem.

Anonymous Coward says:

Re: Re:

no one has the legal right to harm businesses by poking around and disclosing vulnerabilities.

Similarly business do not have a right to make money without regard to the costs they impose on society, which includes exposing customers to data exposures just to make a larger profit by not following best security practices. In any case, this was not revealing a vulnerability, unless you consider doing business with authoritarian dictators and would be authoritarian dictators a vulnerability.

PaulT (profile) says:

Re: Re:

“no one has the legal right to harm businesses by poking around and disclosing vulnerabilities”

…which is why the industry generally has a very good track record of not publicly disclosing any potentially harmful data until after the company in question has had a reasonable amount of time to either a) fix their security issue or b) issue their own response to the issue, depending on whether there has been a breach or not. Normally, the only time disclosure is made before the company has been able to fix their end is if they either ignore the request to do so (or follow the request for a fix up with legal action), or if the breach is so severe that it’s in the public interest for immediate disclosure.

Bear in mind that it’s often not the law that’s the problem here, it’s companies who prefer to try and silence researchers rather than publicly admit they have an issue and/or fix the revealed security flaws. I agree that the law has a problem distinguishing between black and white hats, but it’s as much a problem with the way the law is attempted to be applied as the letter of the law itself.

Anonymous Coward says:

Re: Re:

“no one has the legal right to harm businesses by poking around and disclosing vulnerabilities”

You’re shooting the messenger and blaming them for the news.

The vulnerabilities that the businesses allow is what harms them. The exposure of the vulnerabilities is just inevitable and necessary.

In the same manner, Edward Snowden isn’t responsible for harming the US intelligence structure by exposing their illegal actions. Their illegal actions did that.

Guccifer 2.0 or the Russians or whoever hacked the DNC emails isn’t responsible for harming the DNC’s reputation. The DNC did that by sending those emails in the first place.

If you don’t have vulnerabilities or take sufficient actions to find and nullify what vulnerabilities you have, then you’re fine. If you expect everyone to politely ignore the fact that you’re not wearing any clothes, then you must think you’re royalty or something and even that won’t save you.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...