The DOJ's Bizarre Subpoena Over An Emoji Highlights Its Ridiculous Vendetta Against A Security Researcher

from the lawlessness-under-the-guise-of-law-enforcement dept

Yesterday we broke the crazy story of how the DOJ issued a subpoena to Twitter attempting to identify five Twitter users, not because of anything they had done, but because someone else the DOJ disliked — a security researcher named Justin Shafer — had tweeted an emoji at them in response to a discussion about a different case. You can read all the details in that original post, in case you missed it yesterday. There was so much craziness in that story that I didn’t even get to cover all of it. Some of those named in the subpoena have posted their thoughts — including Ken “Popehat” White and Keith Lee. I suggest reading both, as the subpoena directed at each of them was particularly silly, given that both freely make their identities public. The DOJ didn’t seem to do even the slightest research into the accounts it was demanding info on, or it would have known just how easy it was to “unmask” White and Lee.

As for the other three Twitter accountholders — all of them are anonymous. But the DOJ certainly has zero legal basis for unmasking them. As we’ve discussed repeatedly in the past, anonymous speech is also protected by the First Amendment, and there’s a very high bar for law enforcement to get past to unmask anonymous speakers. EFF’s Kurt Opsahl pointed to a concise statement on this in a recent ruling in the Awtry v. Glassdoor case, which Lee also reposts in his blog:

The Supreme Court has recognized that “an author’s decision to remain anonymous, like other decisions concerning omissions or additions to the content of a publication, is an aspect of the freedom of speech protected by the First Amendment.” McIntyre v. Ohio Elections Comm’n, 514 U.S. 334, 342 (1995). Indeed, “[t]he right to speak anonymously was of fundamental importance to the establishment of our Constitution.” Doe v. Inc., 140 F. Supp. 2d 1088, 1092 (W.D. Wash. 2001) (citing McIntyre, 514 U.S. at 341-42). In particular, “Justice Black . . . reminded us that even the arguments favoring the ratification of the Constitution advanced in the Federalist Papers were published under fictitious names.” McIntyre, 514 U.S. at 342 (citing Talley v. California, 362 U.S. 60, 64 (1960)). So too were the responses of the anti-federalists, which were published by authors who used such fictitious names as “Centinel,” “Brutus” and “The Federal Farmer.” In re Anonymous Online Speakers, 661 F.3d 1168, 1172-73 (9th Cir. 2011).

Further, it is well-established that anonymous speech on the Internet, like other types of anonymous speech, enjoys First Amendment protection. In re Anonymous Online Speakers, 661 F.3d 1168, 1173 (9th Cir. 2011)(“online speech stands on the same footing as other speech—there is `no basis for qualifying the level of First Amendment scrutiny that should be applied’ to online speech”) (quoting Reno v. Am. Civil Liberties Union, 521 U.S. 844, 870 (1997)). As the Ninth Circuit has explained, “the ability to speak anonymously on the Internet promotes the robust exchange of ideas and allows individuals to express themselves freely without `fear of economic or official retaliation . . . [or] concern about social ostracism.’” Id.(quoting McIntyre, 514 U.S. at 341-42).

First Amendment protection of anonymous speech “is not unlimited, however, and the degree of scrutiny varies depending on the circumstances and the type of speech at issue.” Id. Political speech is considered to be “core” speech and is afforded the highest level of First Amendment protection. McIntyre, 514 U.S. at 346. Online messages such as the ones at issue here are also entitled to some level of First Amendment protection, even if the hurdle for overcoming that protection is less stringent than it is for political speech. See In re Anonymous Online Speakers, 661 F.3d 1168 at 1177; see also Highfields Capital Mgmt., L.P. v. Doe, 385 F. Supp. 2d 969 (N.D. Cal. 2005) (finding that identity of individual who anonymously posted derogatory comments about a company on an online message board was protected from disclosure under the First Amendment); Art of Living Foundation v. Does 1-10, No. 10-cv-5022 LHK, 2011 WL 5444622, at *5 (N.D. Cal. Nov. 9, 2011) (finding the standard articulated in Highfields applied to anonymously posted online commentary criticizing the plaintiff’s organization).

That the Assistant US Attorney, Douglas Gardner, who signed off on the subpoena, either didn’t know this or didn’t care is hugely troubling and problematic. As Scott Greenfield colorfully summarizes of the federal agents involved in this case, looking at the details, “this situation is so utterly idiotic as to make one wonder how they can get out of bed without hurting themselves.”

Of course, for White and Lee, this is mostly amusing. For the other three, it’s likely that the DOJ will back down, though it may cause them something of a headache in the meantime.

But the really crazy story is what’s going on with Justin Shafer, the security researcher at the heart of all of this. As we explained yesterday, Shafer had exposed some bad technology practices by various dental software companies — including fake encryption that resulted in an FTC fine — and a wide open FTP server revealing private info on customers. The latter resulted in the FBI raiding his home and taking all of his electronics. That, of course, set things off on the crazy course leading to the emoji subpoena, because Shafer got interested in finding out more about FBI Special Agent Nathan Hopp (who Shafer initially thought was Nathan “Hawk”). As mentioned yesterday, I don’t agree with Shafer’s decisions and actions in trying to track down Hopp, but to argue that it was, in any way, criminal Cyber Stalking seemed nuts.

Dissent Doe, one of the anonymous users whose info was subpoenaed by the DOJ, and who has worked with Shafer in the past to (ethically) expose breaches, has a longer post detailing just how totally fucked up the DOJ’s claims are against Shafer. It’s even worse than we initially thought. In the criminal complaint we posted yesterday, we didn’t even get into the earlier parts, where FBI Special Agent Ronnie Buentello tries to connect Shafer to a fairly well known black hat hacking group that deals in vulnerabilities and illegally accessed information, called The Dark Overlord. The Dark Overlord actually was in the press this week for accessing private info from a plastic surgeon who works with many famous people, and promising to release the info.

In Buentello’s affidavit with the criminal complaint against Shafer, the FBI agent tries to connect Shafer to The Dark Overlord, claiming that the dental database he had discovered available online was also found in The Dark Overlord’s possession, and also presenting evidence of communications between Shafer and The Dark Overlord. It’s not at all clear what that has to do with Shafer’s alleged “Cyber Harassment” of Nathan Hopp, but it’s certainly presented to the grand jury in a way to make Shafer out to be a bad dude:

On June 29, 2016, FBI Atlanta (NDGA) opened a criminal computer intrusion investigation on an individual using the online moniker, “TheDarkOverlord,” who claimed to have stolen 655,000 patient medical records and attempted to extort medical facilities he victimized. As part of their case, FBI Atlanta is investigating JUSTIN SHAFER as a co-conspirator of “TheDarkOverlord.” Subsequent media reports confirmed “TheDarkOverlord” had posted the records for sales where he was seeking 60 Bitcoins ($39,782.00) for a Farmington, Missouri database of 47,864 records, which was found on JUSTIN SHAFER’s computer during a search warrant executed on January 29, 2017; 170 Bitcoins ($112,200.00) for a Central/Midwest database containing 207,572 records; and 300 Bitcoins ($197,940.00) for a Blue Cross/Blue Shield (BC/BS) database containing 396,458 records. Since his appearance in June 2016, “TheDarkOverlord” has claimed approximately 15 major computer breaches and the sale of one million customer PII records, and engaged in extortion of the victims across the United States, targeting medical providers, financial companies, large U.S corporations, and even a provider of cancer services in Indiana. In most cases, “TheDarkOverlord” extorted his victims with verbose, condescending, and abusive language, and taunted victim companies, their employees, and (in at least one case) the children of victim employees. “TheDarkOverlord” has carried out threats to release data when victims declined to pay, and has made implied threats to FBI Agents in Atlanta and New Orleans.

Collaboration between multiple FBI Divisions has subsequently identified significant links (IP addresses, emails, social media accounts) between “TheDarkOverlord” and JUSTIN SHAFER. On January 29, 2017, FBI Dallas, FBI Atlanta, FBI Saint Louis, FBI New Orleans, and FBI Newark executed a search warrant at JUSTIN SHAFER’s residence, located in North Richland Hills, Texas. At time of entry, JUSTIN SHAFER was logged into at least two different workstations in his home office and garage. During the execution of the search warrant, the FBI seized approximately 29 evidence items, including desktops, laptops, hard drives, router, several cell phones, numerous universal serial bus (USB) drives, CD’s, and an Xbox game console. A chat session appearing to be with “TheDarkOverlord” was observed on a computer during the execution of the search warrant. In the months following the initial search warrant on May 25, 2016, several online media outlets published articles defending Shafer as a “security researcher” and admonished the FBI for executing a search warrant at his residence. SA Nathan Hopp was present for both search warrants that were executed on May 25, 2016 and on January 29, 2017.

Sounds pretty nefarious, right? Right. Except… as Dissent Doe points out, this leaves out a ridiculous amount of context that suggests that rather than collaborating with “TheDarkOverlord” (or maybe even being TheDarkOverlord, as some might read Buentello’s account to suggest), Shafer had a long history of trying to expose TheDarkOverlord — and, specifically, to share the details of what he learned with the FBI.

What the FBI did not tell the court was that Shafer had emailed that very database to the FBI in July, 2016, telling the FBI that TheDarkOverlord gave it to him, unsolicited, during a chat on Twitter.

So here’s “Exhibit A” for you: the email Justin Shafer sent on July 1, 2016 to this blogger and the Dallas FBI with the database the FBI would later claim supported a suspicion that he was a “co-conspirator:”

On July 1, 2016, Shafer emailed the Dallas FBI a copy of a database TheDarkOverlord had given him via Twitter. On March 31, 2017, the FBI claimed they found it during a raid of his home in January and never mentioned that he had provided it to them voluntarily in July, 2016.

Okay. But how about that supposed “chat session” that Shafer was having with The Dark Overlord when the FBI raided his house?

The affidavit referred to a chat session, but did not indicate whether it was a file copy of an old chat session or a new one in progress at the time of the raid. In fact, Shafer did have a number of private (DM) conversations on Twitter with TheDarkOverlord that Shafer logged. He often reviewed the logs afterwards, looking for additional clues in the material. Shafer generally shared his logs of the chats with this blogger and with others – including the FBI.

So now view “Exhibit B:” an email Shafer sent on July 3, 2016 to an NHS unit in the U.K. to warn them that they had been hacked by TheDarkOverlord. Shafer had been told about the hack in a private conversation with TheDarkOverlord and then tried to contact the NHS so that they could secure their data and warn patients. Shafer also cc:d Dallas FBI on that email, and included part of the chat log between him and TheDarkOverlord:

When Shafer learned that TheDarkOverlord hacked the NHS, he tried to notify the NHS and cc:d the Dallas FBI.
Part of the chat log between Shafer and TheDarkOverlord that was emailed to the Dallas FBI to alert them. The FBI would later suggest that finding chat logs on Shafer’s computers was somehow evidence that he was a co-conspirator.

As Doe points out, Shafer was even continuing to share information on The Dark Overlord with the FBI after the FBI had raided his house. Doe points out, a la Scott Greenfield’s observations, that these FBI and DOJ folks don’t seem to have the slightest clue what they’re doing:

It seems the FBI couldn’t tell a white hat from a black hat. Or perhaps the Dallas FBI failed to share the information he was providing to them with the Atlanta and Missouri regions of the FBI and other regions investigating TheDarkOverlord. Despite TheDarkOverlord’s bizarre attempts to implicate Shafer or tease him, Shafer had always helpfully provided information to the FBI. What co-conspirator does that?

And do note that Shafer offered this help to the Dallas FBI in July, 2016 – even after they had raided him in May, 2016 and upset his children and damaged his property (he claims). He was still being a whitehat. What a shame that the Dallas FBI did not respond to him that way.

Now consider “Exhibit C:” If Shafer was a co-conspirator, why was he running around the internet trying to get TheDarkOverlord patient data dumps removed? Here’s an email from in February, 2017 thanking Shafer for notifying them and saying they suspended TDO’s account. It was not the first time Shafer had contacted them. And once again, Dallas FBI was cc:d.

File-sharing site thanked Shafer for alerting them to a data dump of sensitive information.

So beginning in July, 2016 and thereafter, Dallas FBI received evidence that Shafer provided to try to help them catch TheDarkOverlord. Does any of the evidence above look like someone conspiring with TheDarkOverlord or does it look like someone trying to help law enforcement catch TheDarkOverlord?

As Doe further points out, the FBI has all of this evidence. It chose to selectively present it to a grand jury in a manner that totally misrepresents Shafer’s relationship to The Dark Overlord (and to the FBI, for that matter). It really looks as if the somewhat clueless FBI was just so focused on protecting one of its own — Special Agent Nathan Hopp — that it appears to have practically framed Shafer to the grand jury to lead to his eventual arrest and indictment.

And, on that note, in April of this year, Shafer was indicted (though, somewhat oddly, in a different district…) for the supposed Cyber Stalking of Hopp. The indictment, somewhat ridiculously, claims that Shafer “with intent to injure, harass, and cause substantial emotional distress” had “used and attempted to use, facilities in interstate and foreign commerce, including electronic mail and internet websites, to engage in a course of conduct that caused and attempted to cause substantial emotional distress to the victims.”

Again, I think that Shafer probably went overboard in venting his anger about Hopp and posting some publicly available info about Hopp and his family. He also did reach out to Hopp’s wife via Facebook — which, again, seems dumb. But to argue that his messages were harassing seems like a stretch. The conversation was Shafer asking Hopp’s wife to ask Hopp to return the videos of his kids that had been seized in an earlier raid. Again, this is a dumb thing to do, but it seems like a stretch to call it cyber stalking.

Meanwhile, another thing found in the original affidavit was a chat between Shafer and a friend of his, Darrell Pruitt, in which Pruitt responded “What an asshole” following Shafer’s sharing some info on Hopp. Pruitt commented on our story, noting that his involvement meant that the FBI showed up at his office:

As a friend of Justin, he shared with me his suspicion of FBI Special Agent Nathan Hopp’s (or Hawk’s) perceived vendetta as it was happening. I responded, “What an asshole.” And that was enough to warrant an unannounced visit to my dental office by two agents, whose questions indicated to me that they really didn’t have a clue about the case they were prosecuting. I think they were disappointed that I actually didn’t assist Justin in identifying Hopp, that I have nothing to do with TheDarkOverlord, and that no money had been exchanged between Justin and me… Thus went an hour of my life which I’ll never regain – Not to mention that my first patient waited in my dental chair for an hour while I was asked pointless questions. I was even warned by one of the agents that “‘I don’t know’ will only go so far.” But it is the damn truth.

This whole story is crazy and bizarre — but really raises serious questions about a DOJ and FBI totally out of control.


Comments on “The DOJ's Bizarre Subpoena Over An Emoji Highlights Its Ridiculous Vendetta Against A Security Researcher”

Anonymous Coward says:

this is typical of all security services in the USA. if someone is wanted, regardless of whether that person has actually done anything or not, or been accused of doing something or not, their life is totally destroyed in any and every way possible! and when arrested, as they usually are, they are put into the position of having to take some sort of deal, even when innocent, or face years rather than months in prison, all for doing nothing except maybe their job! that and pissing off someone who has the power to bring a vendetta to fruition! how the hell these people get elected/promoted to these lofty positions is beyond me and is surely reminiscent of the tactics of certain other nations that are always condemned by so-called democratic countries, the USA being one of them.

That Anonymous Coward (profile) says:

Dear Keebler Elf,

How about you get off your gleeful let’s go back to the 50’s campaign and take a look at how the country’s resources are being wasted on some idiot’s vendetta.

Maybe you are unaware that when someone tried to help the FBI and in turn a single agent misleads a grand jury to indict them… more people aren’t going to willingly help you.

You have an agent wasting resources, taking valuable time away from the FBI creating terrorist plots to stop for headlines. You have an AUSA who seems to not know or care about the law he is pledged to uphold.

Maybe spend less time worried about us descending into the made up horrors of reefer madness & focus on how out of control these agencies have become.

Don’t tell me a few bad apples, this is clear harassment of someone dumb enough to assist the FBI in protecting citizens. An AUSA ignoring the law of the land because a person they are assisting in the harassment of tweeted a single emoji.

We don’t have much faith in the DoJ given how much you have failed in protecting citizens, maybe work on caring about citizens & prosecuting corporations.

No Love,

orbitalinsertion (profile) says:

The real problem with Shafer: He failed to be a hardcore criminal and did everything backwards. One is supposed to start out hurting or killing people, maybe trafficking drugs or something. Then they recruit you as an informant. Now you have impunity for pretty much anything, and get paid well for the next twenty years or so while you hand them useless or made up information when they come asking.

Duhhhh, Shafer. (facepalm)

That One Guy (profile) says:

See nothing, hear nothing, say nothing

Between attempting to prosecute people that try to report on ‘terrorists’ (that happen to be undercover agents), using the fact that a company was willing to help them in other cases against the company, and now using the fact that a security researcher tried to help them against him, it’s a wonder anyone still tries to help government agencies, as it seems to have a tendency to backfire horribly on them.

From the looks of it Shafer would have been much better off if he’d simply blocked TDO after the first conversation and not said a word to the FBI/local police. Don’t try to look for clues to unmask them, don’t try to send that evidence to the FBI, don’t try to get the information removed, because if the FBI/DOJ decides to go after you they’ll use all of that against you.

Congrats DOJ/FBI for once more providing an excellent example of why it’s an insanely stupid move for a regular citizen to ever try to help you, and why people are much safer simply looking the other way.

Anonymous Anonymous Coward (profile) says:

Re: See nothing, hear nothing, say nothing

A problem comes to fore when nobody is willing to help Federal Agencies to do anything. Then, like now, everybody is suspect in the ‘eyes of the law’, the difference being that then there is nobody willing to help ‘them’.

Will there be much difference in the Federal Agencies behavior…probably not. Will there then be a difference in the populaces behavior, hopefully. Will there eventually be a change in the Federal Agencies…depends on how much the populace gets impacted by the nonsense expounded by those Federal and other agencies.

That One Guy (profile) says:

Re: Re: See nothing, hear nothing, say nothing

I was basing it on the first comment from that article, but reading the source material it looks like it might be a bit more tenuous than I portrayed it as.

The accused was ‘on tape’ as agreeing to a plan suggested by the plant to blow something up, yet a few days later called in to someone in the L.A. Council on American-Islamic Relations to report the conversation and the plant as a possible threat, which leads me to believe the ‘agreement’ was probably in the ‘okay, this dude is insane, just smile and nod until I can get away from him’ category rather than an actual agreement.

This of course didn’t stop him from being taken to court as a threat, despite the fact that he reported the person trying to ‘recruit’ him.

Darrell Pruitt (profile) says:

They broke him

It has occurred to me that starting a couple of years ago, perhaps the Department of Justice came under extreme pressure to nail TheDarkOverlord, and Justin Shafer was the closest thing to a suspect they could lean on. Like Justin Shafer, I think the DOJ leadership made bad decisions out of desperation, including using fruitless early morning raids of Shafer’s home as torture. Justin simply broke. As a husband and father, Justin’s desperate bad decision was to locate and appeal to an FBI Special Agent’s wife. While Justin’s relatively harmless mistake put him in jail on a charge of cyber-stalking, those who made even worse desperate decisions in the DOJ still enjoy being home with their families at night.

Justin was simply trying to make his life whole again – like it was before TheDarkOverlord framed him with innuendo about payments which never happened.

Had Justin’s home not been raided three times, Justin Shafer would have never been charged with cyber-stalking, his family would not have been deprived of husband and dad for months, and perhaps, just perhaps with Justin’s help, TheDarkOverlord would now be in custody instead of Justin.

Anonymous Anonymous Coward (profile) says:

Re: They broke him

Your assumption that Justin actually knows who TheDarkOverlord actually is causes a failure to the rest of your scenario.

The same failure that the DoJ is about to experience. Not that they will ever admit it, but they seem to be working on certain assumptions that may or may not actually be upheld in court.

In the meantime, Justin and his family are screwed, and there is likely no recourse, for him or his family. You can beat the charge, but not the ride, etc..

Thank you DoJ overreach and overbearing ‘authoritay’. They need to be brought back under control. My question is how best to do that? Politics is an answer, but not under our current system.

GEMont (profile) says:

perspective - fattens up a flat landscape

“This whole story is crazy and bizarre.”

Then let’s look at it from a different angle…

Perhaps The Dark Overlord is an FBI, NSA, or CIA asset, and all of this apparent weirdness is just the result of an over-confident gang of taxpayer-paid assholes who are used to total protection, running about and trying to maintain the cover on something that would be extraordinarily embarrassing – and very likely lead to unemployment for many of those assholes – if exposed to the public by an uncontrolled source.

Such a discovery; that all of the Dark Overlord’s accomplishments/exploits were planned and sanctioned by the security state for fun and profit, would definitely be a game changer at this point in time and show the Fed Gov for what it really was – a corporate department.

Not so weird anymore eh. 🙂
